ScamWatch

If you feel you're being scammed in United States: Contact the Federal Trade Commission (FTC) at 1-877-382-4357 or report online at reportfraud.ftc.gov

Account Recovery Scams: Don’t Share 2FA Codes — A Family 'No‑Share' Plan for Seniors


Why this matters now: the risk of account‑recovery scams

Scammers regularly trick people — particularly older adults — into handing over one-time verification codes (texted or emailed codes, authenticator codes, or recovery numbers) and then use those codes to take control of accounts or reset passwords. Under no circumstances should you share a two‑factor authentication (2FA) or verification code with anyone who calls, texts, or messages you out of the blue. Consumer‑protection authorities warn explicitly: never share verification codes or account access information.

This article explains how account‑recovery scams work, offers practical hardening steps (for seniors and their family members), and supplies short scripts and a repeatable family “no‑share” plan you can use immediately.

How account‑recovery scams and "MFA fatigue" attacks work

Common recovery‑scam playbooks:

  • Impersonation + urgency: A caller claims to be bank/tech support and says an account is at risk — then asks you to read back a code they just triggered. Once you give the code, the scammer completes the recovery step.
  • Approval fatigue (“push‑bombing”): Attackers trigger many push notifications ("approve sign‑in?") until the victim finally accepts one out of annoyance or confusion. Attackers often follow up with a voice call, posing as IT/support, asking the user to approve a prompt so the alerts stop.
  • Number porting / SIM swap: Scammers transfer a phone number to their SIM and intercept SMS codes or calls used for account recovery.

Security teams and government cyber agencies have documented MFA fatigue (also called push‑bombing) as an active threat, and large vendors have added countermeasures (such as number matching, where the user must type a number shown on the sign‑in screen into the authenticator) and published guidance to reduce its effectiveness.
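Push‑bombing leaves a recognisable trail in identity‑provider logs: a burst of push prompts for one user, a run of denials or timeouts, and then an approval. The following detector is an added example for defenders (it is not from the article or any vendor); the log format and the sample lines are constructed for the demo, and the thresholds are assumptions you would tune to your own sign‑in volume.

```python
"""Detect MFA push-bombing in authentication log lines (added example).

The log format below is constructed for this demo: one event per line,
an ISO-8601 UTC timestamp followed by space-separated key=value fields,
lines in time order. Real identity providers use their own schemas, so
parse_line() is the part you would adapt.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "pat" is push-bombed and finally approves;
# "lee" signs in normally with a single prompt.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z user=lee event=push_sent
2024-05-01T09:00:08Z user=lee event=push_approved
2024-05-01T09:10:00Z user=pat event=push_sent
2024-05-01T09:10:05Z user=pat event=push_denied
2024-05-01T09:10:20Z user=pat event=push_sent
2024-05-01T09:10:24Z user=pat event=push_denied
2024-05-01T09:10:40Z user=pat event=push_sent
2024-05-01T09:10:41Z user=pat event=push_timeout
2024-05-01T09:11:00Z user=pat event=push_sent
2024-05-01T09:11:05Z user=pat event=push_denied
2024-05-01T09:11:30Z user=pat event=push_sent
2024-05-01T09:11:35Z user=pat event=push_denied
2024-05-01T09:12:00Z user=pat event=push_sent
2024-05-01T09:12:30Z user=pat event=push_approved
"""

# Assumed thresholds; tune them against your own baseline of legitimate sign-ins.
WINDOW = timedelta(minutes=10)   # sliding window for counting prompts per user
PROMPT_THRESHOLD = 5             # prompts inside one window that count as bombing
PRIOR_REJECTIONS = 3             # denials/timeouts before an approval that look like fatigue


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_push_bombing(log_text):
    """Return a list of (user, alert_kind, detail) tuples, in the order raised.

    Two signals are raised:
      push_bombing          - PROMPT_THRESHOLD or more prompts within WINDOW
      approve_after_fatigue - an approval preceded by PRIOR_REJECTIONS or more
                              denials/timeouts (the moment the victim gives in)
    """
    alerts = []
    sent_times = defaultdict(deque)   # user -> timestamps of push_sent inside WINDOW
    rejections = defaultdict(int)     # user -> denials/timeouts since last approval
    already_flagged = set()           # avoid re-alerting the same burst

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, event, ts = rec["user"], rec["event"], rec["ts"]

        if event == "push_sent":
            window = sent_times[user]
            window.append(ts)
            while ts - window[0] > WINDOW:   # drop prompts older than WINDOW
                window.popleft()
            if len(window) >= PROMPT_THRESHOLD and user not in already_flagged:
                already_flagged.add(user)
                alerts.append((user, "push_bombing",
                               f"{len(window)} prompts within {WINDOW}"))
        elif event in ("push_denied", "push_timeout"):
            rejections[user] += 1
        elif event == "push_approved":
            if rejections[user] >= PRIOR_REJECTIONS:
                alerts.append((user, "approve_after_fatigue",
                               f"approved after {rejections[user]} rejections"))
            rejections[user] = 0   # a legitimate approval resets the streak
    return alerts


if __name__ == "__main__":
    for user, kind, detail in detect_push_bombing(SAMPLE_LOG):
        print(f"{user}: {kind} ({detail})")
```

On the sample log the detector raises a `push_bombing` alert for `pat` at the fifth prompt and an `approve_after_fatigue` alert when the approval finally lands after five rejections, while `lee`'s single prompt-and-approve produces nothing. The second signal is the one worth paging on: it is the point at which an attacker has just obtained a session, so the response is to revoke that session and contact the user through a known-good channel rather than the number that called them.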

Hardening recovery options: practical steps you (or a family member) can do today

Follow this prioritized checklist when securing accounts and recovery pathways:

  1. Never share codes. If someone who says they're support asks for a code, hang up and call the official support number you find on the company’s website. (Do not call numbers provided by the caller.) For official reporting or recovery steps, use trusted channels.
  2. Avoid SMS when possible — use authenticator apps or passkeys. National guidance recommends deprecating SMS as a primary second factor because of SIM swap and interception risks; prefer time‑based authenticator apps (TOTP), passkeys, or hardware security keys for sensitive accounts.
  3. Use phishing‑resistant methods for high‑risk accounts. For accounts that hold money, identity, or sensitive data (email, banks, crypto, healthcare portals), enable hardware security keys or passkeys. Programs like Google’s Advanced Protection require strong physical keys or passkeys for higher protection.
  4. Set up and protect backup codes — store them offline. Generate backup/recovery codes for important accounts, print or write them down, and place them in a locked safe or with a trusted, designated family member — do not store them as plain text in email or cloud notes.
  5. Harden account recovery settings: Remove obsolete recovery email/phone numbers, enable recovery contacts only when you trust them, and review account activity regularly. Apple and other platforms let you add recovery contacts — but these are powerful settings that must be configured carefully.
  6. Use a password manager and set emergency access. Use a reputable password manager to store strong unique passwords; enable its emergency or trusted‑contact feature so a named family member can get access under controlled conditions (and not by reading codes aloud to strangers).
  7. Limit help over the phone or remote access requests. Legitimate support will not ask you to provide account verification codes, full passwords, or allow remote control without a secure process. If a caller asks for a code, treat it as a red flag and verify independently.
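Item 2 of the checklist prefers authenticator apps (TOTP) over SMS. The reason is visible in how a TOTP code is made: it is computed on the user's device from a secret that was shared once at enrolment plus the current time, so nothing is sent over the phone network for a SIM‑swapper to intercept, and no caller can "trigger" a code for you. The block below is an added example, not code from the article or from any authenticator vendor; it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library and uses the RFCs' published test‑vector secret so the output can be checked.

```python
"""TOTP (RFC 6238) computed locally, with a server-side check (added example).

The secret is the RFC 4226 / RFC 6238 test-vector key, chosen so the codes
can be verified against the RFC tables; a real enrolment uses a random
secret generated by the service and shown once as a QR code.
"""
import hashlib
import hmac
import struct
import time

TEST_SECRET = b"12345678901234567890"   # RFC test-vector key (ASCII), not a real secret
STEP_SECONDS = 30                        # standard TOTP time step
DIGITS = 6                               # standard code length


def hotp(secret, counter, digits=DIGITS):
    """HMAC-based OTP (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, 'dynamic truncation' to a
    31-bit integer taken at the offset given by the MAC's low nibble, then
    reduced modulo 10**digits and zero-padded.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=STEP_SECONDS, digits=DIGITS):
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step).

    This is what the authenticator app on the phone does: it needs only the
    stored secret and the clock, so it works with the phone offline.
    """
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret, candidate, unix_time, window=1):
    """Server-side check: accept the current step and +/- `window` steps to
    tolerate clock drift. compare_digest avoids a timing side channel."""
    counter = int(unix_time) // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), candidate):
            return True
    return False


if __name__ == "__main__":
    # Time 59 is the first RFC 6238 test vector; expect 287082 (6-digit form).
    print("TOTP at t=59:", totp(TEST_SECRET, 59))
    print("TOTP now:    ", totp(TEST_SECRET))
```

The drift window in `verify_totp` is the usual design trade‑off: one step either side keeps phones with slightly wrong clocks working while limiting how long a code stays valid. The caveat that makes the checklist's item 3 necessary is also visible here: a TOTP code is just six digits, so although it cannot be intercepted in transit, it can still be read aloud to a caller or typed into a fake site, which is why passkeys and hardware keys (which never expose a typable code) are recommended for the accounts that matter most.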

Family 'No‑Share' Plan for seniors — a two‑minute setup and scripts to use

Make a short, repeatable family plan so seniors have a simple rule and an action path when someone asks for a code. Keep the plan short, visible, and practiced.

One‑line rule to post near the phone

“I do not give codes to anyone. If someone asks, I hang up and call [Trusted Family Member].”

Quick setup (15–30 minutes)

  • Pick one trusted contact (adult family member or close friend) and store their phone number in the senior’s phone labeled “Trusted‑Contact.”
  • Set up a password manager with emergency access and add one trusted family member as the emergency contact.
  • Generate and print backup/recovery codes for important accounts and keep the paper in a locked place (safe, lockbox). Consider letting one trusted family member keep a sealed copy.
  • Enroll in passkeys or hardware‑security keys where available for banking and primary email accounts; keep an extra key in a safe location.
  • Set an account recovery contact (for Apple, follow official steps) only after talking with the chosen contact and explaining responsibilities.

Simple scripts to practice

  • Script when called: “I don’t share codes. I will call the company at the number on my statement — thank you.”
  • Script when pressured: “Please stop — I only talk to my son/daughter about account issues. Call them at [number].”
  • If asked to approve on your phone: “No. I will deny and call official support.” Then deny/decline the push and call the official number on the back of the card or the company website.

Finally, if you suspect a scam or you (or the senior in your care) already shared a code, change passwords immediately, revoke active sessions, remove unknown recovery contacts, and report the incident to the FTC and your local police. Use the company’s official support channels and retain any scam messages as evidence.

Bottom line: 2FA is a strong layer of defense — but recovery paths are a common backdoor for scammers. Never share verification codes, prefer phishing‑resistant authenticators (passkeys/hardware keys), lock and store backup codes offline, and use a short family “no‑share” plan so seniors always have a clear response when targeted.