How scammers use one-time passcodes against businesses

Cristina POPOV

June 19, 2026


Bank impersonation scams have become one of the most effective ways to steal money from small businesses. Instead of breaking into accounts through sophisticated hacking, criminals often rely on something much simpler: convincing business owners to hand over access themselves.

Key takeaways:

  • Bank impersonation scams rely on trust, urgency, and social engineering rather than technical hacking.
  • One-time passcodes are often the final piece criminals need to access accounts or approve fraudulent transactions.
  • Scammers may already know personal or business information gathered from data breaches or public sources.
  • Never share a one-time passcode with someone who contacts you unexpectedly.
  • Always verify suspicious banking activity using official contact details.
  • Strong cybersecurity habits can help prevent scammers from obtaining the information they need to target your business.

What is a bank impersonation scam?

A bank impersonation scam happens when criminals pretend to be your bank to steal money or gain access to your accounts. The scam often starts with a phone call, text message, or email claiming there's a problem with your account. You may be told that a suspicious payment has been detected or that someone is trying to access your online banking. The caller sounds professional and may already know details about you or your business. Criminals often use information gathered from data breaches, phishing attacks, public records, or social media. The more they know about you, the more legitimate they appear.

Then comes the request. You receive a one-time passcode (OTP) and are asked to share it so the bank can "stop" the fraudulent activity.

It sounds convincing, but that code is often the final piece a scammer needs to approve a payment, access your account, or take control of your online banking.


How the bank impersonation scam works

While the details vary, most bank impersonation scams follow the same path:

A problem with your account appears. You receive a call, text message, or email warning about suspicious activity on your account.

The scammer sounds helpful. Rather than asking for money straight away, they position themselves as someone trying to protect your business.

You are encouraged to act quickly. The situation is presented as urgent, leaving little time to think or verify what is happening.

A security code arrives. You receive a one-time passcode (OTP) from your bank and are told to share it to stop fraud, secure your account, or verify your identity.

The scam is completed. Instead of protecting your account, the code is used to approve a payment, reset credentials, or give criminals access to your banking services.

The attack succeeds because it feels like a security procedure rather than a scam. By the time many victims realize something is wrong, the fraud has already been authorized.


6 warning signs a bank caller is a scammer

1. They ask for a one-time passcode. One of the biggest warning signs is being asked to share a one-time passcode (OTP) or verification code. These codes are designed to protect your account and should never be shared with someone who contacts you unexpectedly.

2. They pressure you to act quickly. Another common tactic is creating a sense of urgency. The caller may claim that money is leaving your account right now or that immediate action is required to stop fraud. The goal is to pressure you into acting before you have time to verify the situation.

3. They ask for passwords. You should also be suspicious if anyone asks for your password, PIN, full card details, or security answers. Banks already have access to your account information and do not need these details to help you.

4. They ask you to move your money into a "safe account". Criminals sometimes tell victims to transfer money to a so-called "safe account." In reality, the account belongs to them.

5. They become defensive when challenged. Be cautious if the caller discourages you from hanging up or becomes frustrated when you suggest contacting the bank yourself. A legitimate bank representative should have no problem with you independently verifying their identity. Scammers often become defensive, repeat the same claims, or increase the pressure when they feel they are losing control of the conversation.

6. They want you to ignore security warnings. If a text message says "Do not share this code with anyone," believe the message, not the caller.


Why do scammers want your one-time passcode?

A one-time passcode is often the final step your bank uses to verify that a payment, login attempt, password reset, or account change is genuinely being made by you. Even if criminals already have your email address, password, card details, or other personal information, they may still need that code to complete the action.

In other words, the OTP isn't there to identify the bank to you. It's there to identify you to the bank.

The moment you share that code with someone else, you may be giving them permission to access your account, approve a transaction, or take control of your online banking.


What to do if someone claims to be your bank

If you receive an unexpected call about suspicious activity on your account, don't focus on proving whether the caller is genuine. Focus on protecting yourself.

The safest approach is to end the conversation and verify the situation independently. Do not share one-time passcodes, passwords, card details, PINs, or any other security information, even if the caller sounds professional and already knows details about your business.

Once you've ended the call, contact your bank using a trusted phone number from the back of your card, your banking app, or the bank's official website. Explain what happened and ask them to confirm whether there is a genuine issue with your account.

It's also a good idea to log in to your online banking and review recent transactions yourself. If there is suspicious activity, you'll be able to discuss it directly with your bank through verified channels.

Protect your business before scammers call

Many bank impersonation scams don't start with the phone call. They start earlier, when criminals gather information through phishing emails, fake websites, malware, data breaches, or stolen credentials.

That's why protecting your business requires more than one security measure. Strong passwords, multi-factor authentication, software updates, secure devices, and employee awareness all work together to reduce risk.

Bitdefender Ultimate Small Business Security can keep your business safe by blocking phishing attacks, scams, malicious links and attachments, and other threats before they can expose sensitive business information. The less information criminals have about you and your business, the harder it becomes for them to create convincing impersonation scams in the first place.

You can try Bitdefender Ultimate Small Business Security free for 30 days.

FAQs

What is a bank impersonation scam?

A bank impersonation scam happens when criminals pretend to be your bank to trick you into sharing security information, approving transactions, or giving them access to your accounts.

What is a one-time passcode scam?

A one-time passcode scam is a type of fraud where criminals convince victims to share OTPs or verification codes that can be used to access accounts, approve payments, or bypass security measures.

Will a bank ever ask me to share a one-time passcode?

No. Banks generally warn customers never to share one-time passcodes with anyone. If someone asks for a code over the phone, by email, or by text message, treat it as a red flag.

How do scammers get my banking information?

Scammers may obtain information through data breaches, phishing attacks, malware infections, fake websites, social media profiles, or publicly available business information.

What should I do if I gave a scammer my verification code?

Contact your bank immediately, change relevant passwords, review account activity, and report any suspicious transactions as soon as possible.

Can scammers access my account with just an OTP code?

In some cases, yes. If criminals already have other information about you, a one-time passcode may be enough to approve a transaction, reset credentials, or gain access to an account.

Why are small business owners targeted by bank impersonation scams?

Small business owners often manage payments, banking, and finances themselves. Scammers know that busy entrepreneurs may feel pressured to act quickly when they receive a fraud alert or security warning.


Author


Cristina POPOV

Cristina Popov is a Denmark-based content creator and small business owner who has been writing for Bitdefender since 2017, making cybersecurity feel more human and less overwhelming.
