OTP code stealing scam using AI calls appears

Two-factor authentication (2FA) is a standard security feature in cybersecurity. It requires users to verify their identity with a second authentication step, typically a one-time password (OTP) sent via text message, email, or app.

This extra layer of security is meant to protect users’ accounts even if their passwords are stolen. However, hackers are finding ways to bypass this “firewall” using social engineering attacks.

According to Kaspersky, between March 1 and May 31, 2024, the company blocked 653,088 attempts to visit websites created by phishing kits targeting banks. During the same period, Kaspersky detected 4,721 phishing websites created by kits aimed at bypassing two-factor authentication.

When the victim enters their username and password on the fake website, the scammer will automatically collect the information immediately, in real time. They will then log in and trigger the OTP code to be sent to the victim's phone.

Normally, even if the password is revealed, the user's account will be protected by 2-factor authentication or 2-step authentication. However, a new trick has appeared when scammers use OTP bots to trick users into revealing the OTP code.

OTP bots will automatically call the victim, impersonating an employee of a trusted organization. OTP bots use pre-programmed conversation scripts to convince the victim to reveal the OTP code. Through this, the hacker obtains the OTP code and uses it to gain unauthorized access to the account.

Fraudsters prefer voice calls over text messages, as victims tend to respond more quickly to this method. To increase effectiveness, OTP bots will mimic a human voice and urgency during a call to create a sense of trust and increase persuasiveness.

OTP bots are controlled online or through messaging platforms like Telegram. They also come with a variety of features and subscription plans, and attackers can customize the bot's features to impersonate organizations, use multiple languages, and even choose a male or female voice tone.

Advanced options also include spoofing the phone number to appear as if it is from a legitimate organization to trick the victim in a sophisticated way. With the emergence of OTP bots, users are facing new security risks.

To avoid becoming a victim, users should avoid clicking on suspicious links sent via email or text messages. If this is your first time accessing a website, check information about the website's owner using the Whois tool.

When typing in the address of social networking sites or banks, users should avoid typos that can accidentally lead to fake websites. Instead of searching on Google and being lured to bad websites, users should use bookmarks to save frequently visited websites.

Reputable banks and e-wallets never ask for users' OTP codes. In any case, users should never provide OTP codes to others, especially via calls or messages, no matter how convincing the information content seems.