Let’s examine an all-too-common scenario: Your friend Jane is in a hurry to pick up her son from school and drop her daughter off at soccer practice. She still has to run to the grocery store and start making dinner. In the middle of her busy schedule, she receives a text with a verification code from Google. She thinks, “That’s strange. Perhaps I should sign into my email account and see what that’s about.”
Before she can log into her email, she gets another text message. This one reads:
“Google has detected unusual activity on your account. Please reply with the verification code sent to your mobile device to stop unauthorized activity.”
What should Jane do?
It is entirely possible that she would text the number back with the verification code, especially if she’s distracted by the hustle and bustle of daily life. Worried that there will be complications with her account, she replies right away. Unfortunately, she has just given the scammer the information needed to access her account.
Let’s take a look at what actually happened with her account:
- With Jane’s cell phone number and email address handy, the hacker visited the email sign-in page, clicked on “Forgot Password” and had a verification code sent to her mobile device.
- Jane received the verification code on her mobile device.
- Posing as Jane’s email provider, the hacker sent her a follow-up text to ask for the code.
- Jane replied to the hacker with the verification code.
- The hacker now has everything required to log in to Jane’s account.
By looking through her email account, the hacker can learn quite a lot about Jane. The hacker could also go into Jane’s personal settings and change them so that the hacker receives all of Jane’s future emails as well. It will likely take Jane a while before she discovers this change.
What should you do?
Never send a verification code to anyone through a text message or email. These codes should be entered only on the sign-in screen. If you receive a verification code that you never requested, contact your provider to let them know. It could be an indication that a hacker is trying to get into your account.