Navigation skipped

Help protect yourself from one-time passcode scams

One-time passcodes (OTPs) are an extra layer of security to protect your accounts and personal information. Unfortunately, OTPs are being targeted by scammers. Learn how to help protect yourself.

Updated
6 min. read

A one-time passcode (OTP) is an extra layer of security designed to protect your personal information and accounts when they are being accessed. An OTP is a random and unique numeric code – like a PIN – sent by your bank to your mobile phone by text message through SMS (short message service) in real time. The OTP is sent when you initiate a bank account inquiry or activity. It can only be used once to ensure a high security level of authentication and expires after a few minutes.

Sometimes BMO asks to confirm it’s you when you log into BMO.com, conduct online banking transactions, call BMO, or visit a branch. However, because OTPs are needed to gain access to accounts, these passcodes are becoming the target of scams. If you share your OTP, fraudsters can use it to login to your account and gain access to your funds.

Learn some critical prevention and cyber safety strategies, as well as what to do if you think you’ve been targeted by an OTP scam.

How do OTP scams work?

Unfortunately, fraudsters are always looking for ways to obtain OTPs to access your accounts to steal funds and/or your personal information. A fraudster will call claiming to be a BMO employee, stating they need to gain access to your account(s) so they can cancel a fraudulent payment, better secure your account, or they might present another convincing urgent request. They will state an SMS OTP is required to authenticate your identity before they can proceed with any action. Once they have the OTP, they can access your accounts and conduct unauthorized transactions.

It’s important to note that BMO will never call you and ask you to complete a SMS OTP verification. OTPs are only used when you (the customer) initiates contact with BMO – either by attending a branch, calling our call centre, or when you access your bank accounts via online banking (OLB) or the BMO mobile app.  

Important: If you share your OTP or password, fraudsters can use it to login to your account.

Spot the scam

There are numerous ways fraudsters can obtain and use contact information to convince victims into sharing OTPs. Here are some common OTP scams to look out for.

Fraudulent transaction scam

You receive a text from someone claiming to be a BMO Fraud Investigator stating that someone attempted to make a fraudulent transaction on your account. They send you an SMS OTP for authentication purposes stating they need it urgently to resolve the fraud. Meanwhile, the supposed Fraud Investigator is really a fraudster using the OTP to conduct unauthorized transactions on your account.

Bank website spoofing scam

You receive a text with an OTP that appears to be from BMO. They indicate a hold has been placed on your credit card due to suspected fraudulent activity. You are instructed to click the provided link that takes you to a seemingly legitimate BMO website. Here you are required to enter the OTP and then provide your personal information to reactivate your credit card. Unfortunately, you’re unknowingly entering your personal information and credit card information into a phony website operated by fraudsters, and they are now able to access your account to commit fraud.

Investment scam

You receive a call from someone claiming to be a BMO Investment Advisor. They use high-pressure sales tactics and promises of high returns to persuade you to invest your savings in cryptocurrency. Your interest in the offer is ignited, so you agree to provide sensitive bank account information to proceed with the trade process. The presumed Investment Advisor then sends you an OTP so she can assess your funds and analyze your options. The Advisor now has access to your account, but she is really a fraudster in disguise and can make unauthorized trades and transactions on your behalf. Note that no employee or authorized agent of BMO or BMO Private Wealth, or any related entity, is in any way associated with the investment opportunities or products offered by these fraudsters.

“There are numerous ways fraudsters can obtain and use contact information to convince victims into sharing OTPs.”

Protecting yourself from OTP scams: 

  • Know that BMO will never contact you and ask for your digital banking credentials, password, PIN, or OTP over the phone. You may be asked for an OTP but only when you call us at Call us at 1 8 7 7 2 2 5 5 2 6 6 or visit a branch, not when someone contacts you. If you receive a call asking for this information, hang up.
  • If you get a call, voicemail, email or text from someone claiming to be from BMO and you think it’s suspicious, contact us immediately using the information on the back of your card.
  • Never share any of your passwords or passcodes with anyone. If you receive an OTP, it is personal and unique to you.
  • Always use unique and strong passwords for your accounts and change your passwords frequently.
  • Verify legitimacy of website addresses before entering your OTP into a webpage.
  • Only use secure and trusted encrypted Wi-Fi networks. Do not use public Wi-Fi connections.

What to do if you become a victim:

  • Contact BMO immediately at Call us at 1 8 7 7 2 2 5 5 2 6 6 .
  • File a police report with your local police authorities.
  • Report the fraud to the Canadian Anti-Fraud Centre.

Additional safe banking tips:

  • Say no to unsolicited calls. If you get a call, voicemail, email, or text from someone claiming to be from your bank and you think it’s suspicious, hang up and contact the bank immediately using the information on the back of your card.
  • Guard personal information. Do not give credit card or debit card information, banking account details, passwords, PINs, or one-time passcodes to callers – regardless of how convincing the request may sound. Government agencies, banks and other legitimate organizations will never request sensitive information like PINs or passwords over the phone. Only provide one-time verification codes if you initiated the call.
  • Slow down and avoid any “urgent” requests. Be mindful of responding too quickly with personal or financial information. Scammers are adept at creating a strong sense of urgency to compel you to act immediately without verifying the request.
  • Monitor your accounts. Sign up for alerts to get notified when there is any activity on your accounts. Regularly check your bank statements and account activities to detect any unauthorized transactions promptly.
  • Stay informed. Keep up-to-date on the latest scams by regularly checking BMO's Security Alerts for new updates.
  • Avoid clicking on links in unsolicited text messages. Instead, independently verify the sender's identity by contacting your bank through trusted channels.
  • Download and use official banking apps from reputable app stores (such as Apple’s App Store or Android’s Google Play) to ensure the security of your transactions.
  • Report suspicious messages. If you receive a suspicious text, report it to your bank immediately so that they can investigate and issue alerts to protect other customers.

 

Learn how to protect yourself

For more information and updates on potential scams, refer to the BMO Security Alerts page.

BMO Security Alerts