Trying to sell something on Facebook Marketplace. Within seconds of posting, a couple of people responded asking the usual “is this still available?”
Upon replying that it was, they immediately requested cell phone numbers. Suspecting that this would just be a way to inundate me with useless stuff, I sent back a landline number and informed them that it was such. One person dropped off immediately and the other requested a cell phone number multiple times before doing the same. Is this a new scam? If so, what are they trying to accomplish?
In this scam, the fraudster approaches sellers on Facebook Marketplace and pretends to be interested in items for sale. They ask for the seller’s phone number to discuss the purchase further.
Next, the scammer uses the victim’s phone number to create a Google Voice account. To verify this, the scammer requires the 2FA code that the victim receives.
The scammer then tricks the victim into passing the scammer the code, which allows the scammer to set up a Google Voice account in the victim’s name. The scammer will then use that clean number to engage in other scams.
If anybody asks you for your phone number and a 2FA code, it is highly likely that you’re being scammed. Never provide a 2FA code to any other party. Those codes are security codes meant only for you, and giving them away is always cause for alarm.
I put up a new ad this a.m. and got 3 replies immediately who wanted to communicate only via my cell number. This is surely all the rage in scamming right now.
I don’t think it’s quite an absolute rule that you should never disclose a 2FA code. As an example, I have needed to reinstall a secure banking app on a new phone. I forgot that I needed to use the old phone to generate a code to authorize the new phone, and I had already disposed of the old phone. I called the support line, and part of the verification process involved them sending 2FA codes by text and email that I had to read back to them. Of course, I had called them to initiate this process.
However, I think it’s an absolute rule that you should never disclose a 2FA code to any third party, or of course to anyone that calls you.
I agree. My bank gives me a courtesy call about once a year. (“We see you still have some money left over at the end of the year. Don’t you think you should have a bigger loan?”) We set up the call with email and then I call them on the agreed-upon date and they send me a text with a code that tells me not to give it to anyone. Then they ask me for it.
I’ve pointed out the absurdity of this multiple times and my banker/agent/whatever always agrees but I still haven’t seen it changed. I’m only ok with giving it to him because–even though they initiated the original contact via email, the number I call is the Customer Service number on the back of my debit card and it also matches the number on my monthly statement.
