Double up on security with two-step authentication
At Meridian, we’re committed to helping every Member live their best life. Part of our commitment involves keeping you informed about potential risks and scams, while providing you with access to support. Learning about Two-Step Authentication (“2FA”)/One Time Passcode (“OTP”) scams and recognizing the signs and tactics of this fraud can help protect you and your loved ones.
What is a 2FA/OTP scam?
A 2FA or OTP scam is a type of fraud where scammers trick you into sharing the one-time passcode (OTP) sent to your phone or email when logging into your online banking. Scammers often impersonate banks or trusted institutions and trick victims into sharing their One-Time Passcodes (OTPs). In many cases, the scam begins with a phishing attempt that gives them access to your credentials.
Once they try to log in, a real OTP (one time password) is sent to your device – and that’s when the scammer calls, pretending to verify a fraudulent charge or suspicious activity.
How to spot a 2FA/OTP scam
Watch for these common warning signs:
-
You receive a verification code (OTP) you didn't request.
-
Someone calls claiming to be from your bank and asks for your OTP.
-
You're told you must "verify your identity" by sharing a passcode.
-
The call feels urgent, unexpected, or pressuring.
How to protect your accounts
-
Never share your OTP with anyone, for any reason.
-
Don't provide remote access to your computer on device.
-
Check the URL before entering an OTP on a website.
-
Hang up and call back using the official number on your bank card or website.
-
Use strong, unique passwords for each of your accounts.
-
Avoid public Wi-Fi when accessing sensitive information.
-
Enable app-based notifications for 2FA – they're more secure than SMS or voice calls.
Tip: On your smartphone, enable Meridian's Mobile App Notification as your 2FA method for enhanced protection.
Frequently asked questions
Can my bank ask for my OTP?
No. Meridian will never ask for your OTP or login information over the phone, by text, or email.
What happens if I accidentally give out my OTP?
Contact your bank immediately, change your passwords and report the fraud.
Is it safer to use app notifications instead of SMS codes?
Yes. App-based 2FA is harder for scammers to intercept compared to text messages or phone calls.
What is the difference between 2FA and OTP?
2FA (Two factor authentication) is a security process requiring two forms of identity verification—usually a password and a second factor like a code. An OTP is one type of second factor used in 2FA, often sent via text or email.
How do scammers get my login credentials in the first place?
Most scammers use phishing emails, fake websites, or social engineering to trick you into revealing your username and password. They then attempt to log in and trigger the OTP process.
I got a code I didn't request—what should I do?
Do not share the code with anyone. It likely means someone is trying to access your account. Contact your bank immediately and change your password.
Can scammers access my account without the OTP?
In most cases, no. The OTP is required to complete login to your account. That's why scammers often try to trick you into handing it over.
Learn more about protecting what’s yours
If you encounter a scam, or believe you have been the victim of fraud, report it.
Explore resources from the Canadian Anti-Fraud Centre.
Learn about Meridian’s security guarantee
Discover common scams and types of fraud
Legal Notice and Disclaimer of Liability
Information provided by Meridian Credit Union Ltd. in this article is for informational purposes only, and we cannot guarantee it is accurate or complete or current at all times. This information is not intended to provide financial or legal advice and should not be relied upon in that regard.
