What you should be doing when you receive an unsolicited One Time Passcode


If you receive an unsolicited One Time Passcode (OTP) for a service that you use,  either as an SMS or Email you should be concerned and act immediately!

Why should I be concerned?

This basically means that your credentials have been stolen and someone is trying to gain access to your account.  The only reason they are failing to gain access is that you have MFA enabled and are still receiving the messages.   Once the attackers realise this, they may then attempt to get access to your email or take over your phone by using a SIM Swap attack.  If they achieve this they will have access to the OTP codes being sent and the impact to you could be significant both financially and emotionally.

So what should I do?

If you receive an unsolicited SMS such as the one I received recently as show below then you you should directly login into your account. Although in this example the SMS being sent with the OTP is from the genuine provider sometimes these can be fake and contain malicious links and phone numbers under the attackers control.


Do not use any links that have been sent, instead open your browser and navigate to the site login page directly.  Login as normal and then change your password to a stronger password and ideally store this in a password manager.  If you don't have a password manager I would suggest you use something like 'BitWarden' or '1Password'.  The password manager will also tell you if the old password you were using was in use across any other sites you have and so you will need to change those also at the same time.

If the site or service you are subscribed to has the option to use a Hardware key, Authentication App or Passkeys I would recommend you change to these more secure options instead rather than relying on SMS or email.  The reason why this is more secure is that the attacker would then need to have physical access to your device / token to pass the MFA challenge.

Need any further help?

If you need any further help with anything cyber related then please get in touch with us via our contact page or you can book a no obligation call with me directly at my calendar link below.

Book a call with John

Leave a Comment