Scam to watch for: Classified ads buyer asks for “code” which is your 2FA code.

by | Personal Technology, Security/Threats

If someone (not a company) asks you to ‘send them a code’ they are probably trying to scam you.

Today we have a new type of scam which is happening quite frequently to friends buying and selling on internet classifieds like Craigslist, FB Marketplace, KSL etc.

Short story: You list something for sale, a scammer ask for you to send them a ‘code’ to prove you are not a scammer. But the scammer is trying to trick you into sending your password reset auth code which lets them into your accounts.

Here is how it works.

  1. You list something for sale, and put your phone number. This scam will only work if this phone number is also linked to your Google or other popular accounts. Which for most people, that is true.
  2. Scammer texts you asking if the item is still for sale.
  3. You reply yes. Scammer knows your number is live, and you are responsive.
  4. Scammer takes your phone number, then goes to Google and tries to reset your password. Google will send a text to you with a 2 factor auth code. (Side note — never share 2 factor auth codes with anyone.)
  5. Then the scammers say ‘We want to send you a code to make sure you are not a scammer / to ensure you are who you say you are. Once you get the code send it to us.’ or something of that nature.
  6. You think the scammer sent you a verification code, but really it was Google. ⚠️You send that code to the scammers. You don’t hear back from them.
  7. Later you notice someone is inside your Gmail account or you get locked out of your Gmail account. This is bad.

From there the scammers will try and reset other accounts passwords using email, and try to get to your money and or information.

So how to protect yourself?

1. For lots of protection, you can use a burner phone number when dealing with online classified. Apps like https://www.burnerapp.com/secondnumber or even Google Voice can be used, since none of your accounts are connected to that number they can’t be used to access your account.

2. Don’t send authentication codes to 3rd parties. Safe companies will send you a code, which you then enter on their website. No 3rd parties. Don’t send them, forward them etc. Ever.

3. When selling something online, you only need a few pieces of information. Where to meet. How they will pay. That is about it. If people ask for extra information like codes, or gift cards, or ‘they will pay you extra that you send back to them’, or money orders, they are probably a scammer.

Original article found here.

IT Security Tips

Did you know?

Did you know?

How important is computer and cyber security? Let’s take a look at some facts to put it in perspective. Did you know...

Two-factor what?

Two-factor what?

Two-factor authentication (2FA for short), sometimes called multi-factor authentication, is a system in which you must...

Lie, lie, lie!

Lie, lie, lie!

Social engineering is big business. What is it? Figuring out who you are and then using that information to make money...

Set up bank alerts – NOW!

Set up bank alerts – NOW!

Here’s a tip that just might save your bacon: Set up withdrawal alerts on your bank accounts. Many banks will send you...