By now, most of us are familiar with 2-factor authentication. It’s a simple, but important, security precaution for your most sensitive online accounts such as your email and personal banking information. It’s a safety net that provides you with an additional layer of protection in case your password is stolen or exposed. With 2-factor authentication, if you (or someone else) tries to login to one of your accounts from an unusual location, a text message (or email) will be sent to your phone with an additional code that will need to be entered before the account will unlock.

This dramatically increases the security of any account. While it is possible for a password to be exposed in a data breech, guessed at by someone with a bit of knowledge about you, or otherwise brute forced, the odds that someone will also have access to your cell phone and be able to intercept the second code is almost zero. This is why many major sites such as Google and various social media platforms either push the user to adopt a 2-factor set-up during account creation, or outright require it.

But, like any kind of security, it isn’t foolproof. There is a new scam targeting 2-factor users that is increasing in popularity and likely to be prolific during the holiday spending season this year when credit card and online shopping is at its peak. Here’s how it works:

Simple but effective

Just like 2-factor security itself, the scam to get around it is equally simple but effective.

When you try login to an account that requires 2-factor authentication, you’ll receive a simple text message from an unknown number that includes the code. If you are not currently trying to log into something yourself, you can generally assume that someone is trying to access your account and ignore it.

But where the scam comes in is with a simple bit of social engineering. A hacker specifically targeting you (they need to know your cell number) will immediately text you with a false message after trying to access your account because they know you’ll have just received a code.

They’ll text something provocative, but official looking. Something like “Google Alert: We have detected suspicious activity on your account. Please reply with the verification code just sent to your mobile device to secure your account.”

It’s the kind of thing where if you stopped to think about it for a few moments, you’d realize it was a scam. But, like so many similar cons, it relies on surprise and anxiety to pressure you into making a mistake. Receiving a mystery authentication code out of the blue is already concerning; you know that someone, somewhere is trying to breech your accounts.

Then, seemingly a lifeline is thrown out to you: An official looking text offering you a way to take action and protect your sensitive information and bank accounts, what a relief! When you’re already upset and on the backfoot, you might just respond without thinking.

What should you do?

First of all, you should make sure 2-factor authentication is enabled on all your major accounts. This scam aside, it is still a good idea that will help protect your information and identity.

Secondly, remember to NEVER send anyone an authentication code, PIN number, or password. At its core, this is just the latest version of an old con. Fraudsters have long preyed on people by posing as a bank representative and asking for “PIN verification” over the phone, or with phishing emails that look authentic but include a fraudulent link they hope you’ll click on and try to login under, catching your info in the process.

Your email provider, bank, phone company, or anyone else should not be contacting you asking for a piece of secure information. If you ever have the slightest bit of doubt about a call or text from one of your service providers, don’t respond in the moment. Wait, think it through, and if you still believe it might be authentic, log in or contact them using an official and publicly available login or phone number and ask about your account.

As long as you stay calm and play your cards close to your chest, scammers shouldn’t be able to spoil your holiday season.