Attack Techniques
What Is OTP Phishing?
OTP phishing is a social engineering attack in which threat actors deceive users into revealing the one-time password (OTP) codes they use for multi-factor authentication. Unlike credential phishing, which targets usernames and passwords, OTP phishing targets the second factor of authentication itself, typically through automated bots, fake support calls, SMS messages, or phishing emails that trick users into disclosing the 6-8 digit OTP codes sent via SMS or generated by authenticator apps. Once obtained, the stolen OTP grants the attacker immediate access to the user's account, according to Experian, AuthGear, and Abnormal AI research published in 2025.
The technique exploits a fundamental assumption: that OTP codes cannot be stolen or reused. In reality, OTP codes remain valid for 30-120 seconds after generation, creating a brief window during which attackers can use real-time phishing or social engineering to capture and relay the code to legitimate services before expiration.
How does OTP phishing work?
OTP phishing employs multiple delivery methods and technical approaches to capture one-time passwords during their validity window.
OTP bot and automated SMS phishing uses automated tools designed to trick users via SMS, call, or email into revealing their one-time password. The bot contacts users impersonating a legitimate institution such as a bank, payment processor, or SaaS provider, claims there is suspicious activity or a security issue requiring immediate verification, and requests the user to provide their OTP code to "verify" or "confirm" their identity. When the user supplies the 6-digit code, it is immediately captured and used by the attacker.
OTP bot services were being sold for $10-$50 per attack on underground forums. One user on a Telegram-based OTP bot platform reported earnings of $50,000 in a single month from this operation, according to Experian research published in 2025.
Real-time phishing proxy with OTP interception uses Adversary-in-the-Middle (AiTM) phishing sites that capture both credentials and OTP codes during the authentication process. The user is lured to a fake login page visually identical to the legitimate site. When the user enters a username and password into the fake form, the phishing proxy relays the credentials to the legitimate service in real time. The legitimate service sends an OTP code to the user's phone. The user enters the OTP into the phishing page, believing it to be legitimate. The phishing proxy immediately relays the OTP to the legitimate service while the code is still valid, and the attacker gains authenticated session access, according to Paubox and Abnormal AI research.
This technique bypasses the time-window protection of OTPs by exploiting the fact that the OTP code remains valid for 30-60 seconds after the user receives it.
Duo and higher-education phishing specifically targets Duo Security OTP tokens at universities and other higher education institutions. Credential phishing emails target university staff and faculty with spoofed institutional login pages. After the credentials are harvested, the attacker attempts to log in to the legitimate Duo-protected service, and the user receives a legitimate Duo OTP push notification. The attacker then calls or messages the user, claiming to be "Duo support", and asks for the code shown in the notification. The user, confused or under pressure, provides the code, and the attacker uses it to authenticate.
Over 40 compromised organizations and more than 30 targeted universities and colleges were identified with this attack pattern, according to Abnormal AI research published in 2025.
Support impersonation involves attackers posing as IT support or account security teams. This takes the form of phone calls claiming "We detected unauthorized access. For your security, we need to verify your identity. What is the 6-digit code on your screen?", emails requesting "Confirm your identity by replying with the code from your authenticator app", or real-time chat/SMS exchanges in which the impersonated support agent requests the OTP code. Social engineering combined with urgency and the authority claimed as IT support significantly increases user compliance, according to LoginRadius research.
OTP codes remain valid for 30-120 seconds. Attackers using AiTM phishing can relay captured codes to the legitimate service within this window, bypassing the "one-time" aspect of the password. Users typically assume that OTP codes are unhackable or that revealing them is "safe" because the code is temporary. Users may be more willing to share an OTP code than a password, not recognizing that the code is functionally equivalent to a credential during its validity window.
Urgency and authority created by phishing messages claiming to be from support, security teams, or urgent account issues create psychological pressure that causes users to bypass normal skepticism and quickly provide the code. OTP bot services enable attackers to automate phishing across thousands of phone numbers and emails simultaneously, dramatically reducing cost per successful compromise.
How does OTP phishing differ from other MFA bypass techniques?
OTP phishing employs distinct mechanisms compared to other authentication bypass methods.
| Factor | OTP Phishing | AiTM Phishing | MFA Fatigue | Session Hijacking |
|---|---|---|---|---|
| Requires user to divulge info | Yes (OTP code) | No (code captured transparently) | No | No |
| Real-time exploitation | Yes | Yes | No | No |
| OTP code must be intercepted | Yes | Yes | No | No |
| Works within OTP time window | Yes | Yes | N/A | N/A |
| Automation possible | Yes (bots) | Yes (proxies) | Minimal | Yes |
| Cost per attack | $10-$50 | Medium | Low | Medium |
| Prevalence (2025 data) | Growing | 146% YoY surge | 25% of attacks | Rising |
| Reversibility | No (code used) | No (session established) | Partial | No |
| Detection by user | Possible (if aware) | Difficult | Possible (multiple prompts) | Difficult |
| Ideal for | Social engineering attacks requiring user cooperation; automated bot-based campaigns | Real-time MFA bypass without user awareness; transparent credential theft | Exploiting psychological pressure and alert fatigue | Post-authentication access without any MFA interaction |
OTP phishing requires explicit user cooperation to divulge the code, while AiTM phishing captures codes transparently during the authentication flow. MFA fatigue exploits user exhaustion from repeated prompts rather than deceiving users about the nature of the code. Session hijacking operates entirely post-authentication and does not require OTP codes.
The cost structure differs significantly. OTP bot services at $10-$50 per attack represent commoditized offerings accessible to lower-skilled attackers. AiTM phishing requires infrastructure setup and technical sophistication. MFA fatigue requires only credential access and login automation tools.
Why does OTP phishing matter?
The prevalence and effectiveness of OTP phishing challenges the security assumptions underlying OTP-based MFA implementations.
European authorities shut down the JokerOTP cybercriminal operation in early 2025, which was responsible for over 28,000 phishing attacks across 13 countries, netting approximately $10 million in fraudulent transactions using OTP bots to bypass two-factor authentication, according to Experian research. This demonstrates the scale and profitability of OTP phishing at criminal enterprise level.
Bots accounted for 30% of fraud attempts at the beginning of 2024, rising to 80% by the end of the year—a nearly threefold increase. This surge is partially attributed to widespread adoption of OTP bots for account takeover and payment fraud, according to Experian research published in 2025.
Threat actors specifically target higher education credentials and Duo OTPs to compromise accounts. Researchers identified more than 40 compromised organizations and over 30 targeted universities and colleges with this attack pattern, according to Abnormal AI.
According to a 2024 Microsoft study, over 40% of users who experienced account takeovers had some form of MFA enabled, with many compromises occurring through real-time phishing attacks that captured both passwords and OTP codes. This indicates that OTP-based MFA provides weaker protection than hardware keys when combined with sophisticated phishing.
The psychological effectiveness of OTP phishing stems from user misunderstanding of how OTP security works. Many users believe OTP codes cannot be stolen or that sharing them is safe because they expire quickly. This misconception makes users more willing to provide OTP codes when requested by convincing social engineering.
Organizations that have deployed OTP-based MFA believing it provides comprehensive protection face continued exposure to account takeover when users can be socially engineered into revealing codes.
What are the limitations of OTP phishing attacks?
Despite their effectiveness, OTP phishing attacks face several operational and technical constraints.
FIDO2 immunity represents the most significant limitation. Hardware security keys using FIDO2 cannot be phished because the signed response is bound to the domain of the service that requested it, which lets the legitimate service verify that the authentication actually happened on its own site. Even if a user is tricked into attempting authentication on a fake site, the hardware key will not produce a response that is valid for the legitimate service, making the attack impossible.
User awareness among trained users who recognize OTP phishing can effectively prevent this attack. Users trained that support will never ask for OTP codes and that codes should not be shared can refuse OTP disclosure requests, reducing attack success rate to near 0%, according to LoginRadius research published in 2025.
Security-conscious users who understand that legitimate support can verify identity through backend systems without requiring users to provide codes to them represent a strong defense. Organizations with comprehensive security training achieve more than 95% user compliance with "never share OTP" policies.
OTP expiration windows limit attack effectiveness when codes expire after 30-120 seconds. If the user does not input the code within this window because they are skeptical and delay, the code becomes invalid and cannot be used, forcing the attacker to restart the attack with a new code request.
Being slower than direct credential theft makes OTP phishing operationally more complex. OTP phishing requires real-time interaction with the user: the attacker must wait for the user to receive the code, enter it, and reveal it, whereas session hijacking grants access immediately after compromise. This extended timeline increases detection risk.
Detectable spam patterns allow organizations and mobile carriers to deploy SMS and email filtering that identifies high-volume OTP phishing campaigns, increasingly so. Such filtering detects spoofed sender addresses matching legitimate institutions, suspicious domain mismatches in phishing emails, repeated SMS messages from different numbers to the same recipient within a short timeframe, and message content matching known phishing patterns.
Technical OTP protections frustrate automated campaigns when modern OTP systems implement IP-based anomaly detection that flags an OTP used from a different country than the user, device fingerprint matching that makes an OTP code valid only on a specific device, and rate limiting that allows no more than 3 OTP requests per hour.
How can organizations defend against OTP phishing?
Defense against OTP phishing requires implementing phishing-resistant authentication methods, comprehensive user education, and technical controls that limit attack effectiveness.
Migrate to FIDO2 hardware keys or passwordless authentication as the primary defense. Implement FIDO2 hardware security keys or platform authenticators like Windows Hello or Face ID that cannot be phished. FIDO2 is immune to OTP phishing because it verifies the legitimate service before responding. Deploy FIDO2 for all high-value accounts including admin, financial, and sensitive data access, according to Abnormal AI and LoginRadius research published in 2025.
The cryptographic challenge-response mechanism of FIDO2 means that even if users are tricked into attempting authentication on a phishing site, the hardware key will refuse to generate a valid response because the domain does not match the registered service.
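The following Python is an added illustration of the relying-party side of that check, not code from this page or from any FIDO2 vendor. It assumes a hypothetical RP origin and RP ID, builds constructed WebAuthn client data and authenticator data for a legitimate login and for an AiTM relay from a look-alike domain, and shows that the relayed assertion fails the origin and rpIdHash checks before any signature is even examined.

```python
import base64
import hashlib
import json

# Assumed (constructed) values for the legitimate relying party (RP).
EXPECTED_ORIGIN = "https://login.example.edu"
EXPECTED_RP_ID = "login.example.edu"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed; real RPs use fresh random bytes


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def check_assertion_binding(client_data_b64url: str, authenticator_data: bytes,
                            expected_challenge: str):
    """Return (ok, reason). Only the binding checks that make FIDO2 phishing-resistant
    are shown; signature verification over the same data is a separate, later step."""
    client_data = json.loads(b64url_decode(client_data_b64url))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # The browser, not the user, fills in the origin. A phishing page can only obtain
    # an assertion for its own origin, so a relayed assertion fails here.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client_data.get("origin")
    # authenticatorData starts with SHA-256(rpId), computed inside the authenticator.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    return True, "origin and RP ID bound to the legitimate service"


def make_client_data(origin: str, challenge: str) -> str:
    """Construct what a browser would place in clientDataJSON (demo only)."""
    payload = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def make_auth_data(rp_id: str) -> bytes:
    """Minimal constructed authenticatorData: rpIdHash (32 bytes) + flags + counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


if __name__ == "__main__":
    # Legitimate login: browser on the real origin, authenticator hashes the real RP ID.
    print(check_assertion_binding(make_client_data(EXPECTED_ORIGIN, CHALLENGE),
                                  make_auth_data(EXPECTED_RP_ID), CHALLENGE))
    # AiTM relay: the user is on a look-alike domain, so the browser reports that
    # origin and the authenticator hashes that RP ID; the real RP rejects it.
    print(check_assertion_binding(make_client_data("https://login-example.edu", CHALLENGE),
                                  make_auth_data("login-example.edu"), CHALLENGE))
```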
Eliminate SMS-based OTP and use app-based TOTP with caution by removing SMS-based OTP as a primary MFA method, since SMS can be intercepted via SIM swapping and phishing. Upgrade to app-based TOTP like Google Authenticator or Authy with synchronization to prevent direct SMS interception. However, recognize that app-based TOTP is still vulnerable to real-time AiTM phishing that captures codes during authentication. Recommend FIDO2 as the superior alternative to any OTP-based method, according to FBI and CISA guidance published in 2025.
Deploy strong user education on OTP sharing by educating users that legitimate support will never ask for OTP codes, training users that OTP codes are secret and should never be shared via any channel, teaching users to recognize phishing by understanding that "Support should use your account to verify identity, not request codes from you", and creating organizational culture where users report OTP disclosure requests to security team. Organizations with strong OTP security training achieve more than 95% user compliance with "never share OTP" policies, according to LoginRadius and Abnormal AI research.
Implement OTP rate limiting and device binding by limiting OTP generation to 3-5 requests per hour per account, binding OTP codes to the specific device that received them, and invalidating OTP codes immediately upon first failed entry. This frustrates both automated OTP bot attacks and real-time phishing proxy attacks by increasing the likelihood of code expiration, according to LoginRadius and Paubox research.
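The following Python is an added example, not code from this page or from any vendor's product, of an OTP issuer that applies those three controls together: an hourly issuance cap per account, binding of each code to the device (or session fingerprint) that requested it, and invalidation of the code on the first failed or mismatched entry. The device identifiers, the 90-second lifetime and the cap of 3 codes per hour are assumptions chosen within the ranges the text gives.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

OTP_TTL_SECONDS = 90       # assumed lifetime, inside the 30-120 s range cited above
MAX_ISSUED_PER_HOUR = 3    # assumed cap, the low end of the 3-5 per hour guidance


@dataclass
class PendingOtp:
    code: str
    device_id: str      # fingerprint of the device/session the code was issued to
    issued_at: float


@dataclass
class OtpService:
    """Constructed OTP issuer. `now` is injectable so expiry can be tested offline."""
    now: Callable[[], float] = time.time
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    issue_log: Dict[str, List[float]] = field(default_factory=dict)

    def request_code(self, account: str, device_id: str) -> Optional[str]:
        """Issue a code bound to device_id, or None once the hourly cap is reached."""
        t = self.now()
        recent = [ts for ts in self.issue_log.get(account, []) if t - ts < 3600]
        self.issue_log[account] = recent
        if len(recent) >= MAX_ISSUED_PER_HOUR:
            return None                      # throttles repeated bot-driven requests
        code = "%06d" % secrets.randbelow(10 ** 6)
        self.pending[account] = PendingOtp(code, device_id, t)   # replaces older code
        self.issue_log[account].append(t)
        return code

    def verify(self, account: str, device_id: str, submitted: str) -> Tuple[bool, str]:
        """Consume the pending code. Any failure invalidates it: one attempt only."""
        otp = self.pending.pop(account, None)   # removed whether or not the check passes
        if otp is None:
            return False, "no pending code"
        if self.now() - otp.issued_at > OTP_TTL_SECONDS:
            return False, "expired"
        if otp.device_id != device_id:
            # A code relayed through a proxy arrives from a different session and fails here
            return False, "device mismatch"
        if not hmac.compare_digest(otp.code, submitted):
            return False, "wrong code"
        return True, "ok"
```

A real deployment would keep `pending` and `issue_log` in shared storage and derive `device_id` from a signed session cookie or device fingerprint rather than a caller-supplied string.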
Deploy SMS filtering and carrier authentication by implementing sender ID authentication so that SMS messages verifiably come from legitimate institutional numbers, deploying SMS filtering to block known phishing numbers, working with mobile carriers to implement STIR/SHAKEN protocols to verify legitimate SMS sources, and educating users that legitimate institutions rarely send OTP requests via SMS as the initial contact. The legitimate flow is: the user initiates login, then the code is sent, then the user enters it, according to FBI guidance.
Implement behavioral analytics for OTP anomalies by monitoring for suspicious OTP patterns: the same user receiving 5+ OTP codes in 10 minutes, which suggests a phishing bot attack; OTP codes used from a different geography or IP than the one the code was sent to; users who repeatedly fail to enter codes correctly, since they may be victims under phishing pressure; and impossible timelines such as a code used 5 seconds after it was sent, which suggests the user handed the code to an attacker for relay, according to Abnormal AI and Vectra AI research.
Establish help desk verification and password reset controls by never resetting MFA via phone or email and instead requiring in-person or biometric verification, training help desk staff to never ask users for codes or secrets, implementing callback verification (when a user calls the help desk, call them back at the registered number), and disabling remote MFA reset for accounts unless the user initiates it from an authenticated portal, according to LoginRadius.
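The detection rules described for OTP anomalies above, run over a constructed event log, as an added example that is not part of the original page or any named vendor's product. The log format, the country and IP fields, and the threshold of three failed entries are assumptions; the 5-codes-in-10-minutes and 5-second thresholds are taken from the text.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OTP event log. Fields: timestamp, event, account, country, ip.
# "sent" = code delivered, "used" = code accepted, "failed" = wrong or expired entry.
EVENTS = [
    "2025-03-01T10:00:00 sent   alice US 203.0.113.5",
    "2025-03-01T10:00:04 used   alice DE 198.51.100.9",   # 4 s later, other country
    "2025-03-01T10:05:00 sent   bob   US 203.0.113.7",
    "2025-03-01T10:05:30 used   bob   US 203.0.113.7",    # normal login
    "2025-03-01T10:10:00 sent   carol US 203.0.113.8",
    "2025-03-01T10:11:00 sent   carol US 203.0.113.8",
    "2025-03-01T10:12:00 sent   carol US 203.0.113.8",
    "2025-03-01T10:13:00 sent   carol US 203.0.113.8",
    "2025-03-01T10:14:00 sent   carol US 203.0.113.8",    # 5th code within 10 minutes
    "2025-03-01T10:20:00 sent   dave  US 203.0.113.9",
    "2025-03-01T10:20:40 failed dave  US 203.0.113.9",
    "2025-03-01T10:21:10 failed dave  US 203.0.113.9",
    "2025-03-01T10:21:50 failed dave  US 203.0.113.9",    # 3rd failed entry
]

BURST_COUNT, BURST_WINDOW = 5, timedelta(minutes=10)   # thresholds from the text
RELAY_SECONDS = 5          # use this soon after delivery is an "impossible" timeline
FAIL_COUNT = 3             # assumed threshold for repeated failed entries


def parse(line):
    ts, event, account, country, ip = line.split()
    return datetime.fromisoformat(ts), event, account, country, ip


def detect_otp_anomalies(lines):
    """Return (rule, account) alerts in the order the triggering events occur."""
    alerts = []
    sent = defaultdict(list)   # account -> [(timestamp, country)] of codes sent
    fails = defaultdict(int)
    for ts, event, account, country, ip in map(parse, lines):
        if event == "sent":
            sent[account].append((ts, country))
            recent = [t for t, _ in sent[account] if ts - t <= BURST_WINDOW]
            if len(recent) >= BURST_COUNT:
                alerts.append(("otp_burst", account))
        elif event == "used" and sent[account]:
            sent_ts, sent_country = sent[account][-1]   # the most recent code
            if (ts - sent_ts).total_seconds() <= RELAY_SECONDS:
                alerts.append(("relay_timing", account))
            if country != sent_country:
                alerts.append(("geo_mismatch", account))
        elif event == "failed":
            fails[account] += 1
            if fails[account] == FAIL_COUNT:
                alerts.append(("repeated_failures", account))
    return alerts


if __name__ == "__main__":
    for rule, account in detect_otp_anomalies(EVENTS):
        print("%-18s %s" % (rule, account))
```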
Deploy continuous credential monitoring to monitor for leaked credentials in real-time and notify users immediately, and enable users to rotate passwords immediately after credential breach discovery, invalidating any stolen credentials before OTP phishing attacks can be executed, according to Expert Insights research published in 2025.
Implement anti-bot detection on authentication systems by deploying defenses that detect and block automated OTP bot traffic: rate limiting with no more than 5 authentication attempts per 10 minutes from the same IP, CAPTCHA challenges after repeated failed attempts, IP reputation blocking of known VPN, proxy, and datacenter IPs used by bot services, and behavioral fingerprinting to distinguish bot patterns from human patterns in login flows, according to Abnormal AI.
FAQs
Is app-based OTP like Google Authenticator safe from phishing?
App-based TOTP is more secure than SMS OTP because it cannot be intercepted via SIM swapping, according to Abnormal AI and LoginRadius research published in 2025. However, it remains vulnerable to real-time AiTM phishing, where the attacker relays the captured OTP code to the legitimate service within the 30-60 second validity window. Hardware keys using FIDO2 offer superior protection because they cannot be phished at all.
The distinction is important: app-based TOTP protects against interception during delivery (since codes are generated locally on device), but does not protect against social engineering or real-time phishing proxy attacks where users are tricked into entering codes on fake sites.
Organizations should view app-based TOTP as an improvement over SMS-based OTP, but not as a comprehensive solution to phishing attacks. FIDO2 hardware keys remain the only authentication method that cannot be phished through any known technique.
Can attackers use a stolen OTP code after it expires?
No, according to Paubox research published in 2025. OTP codes are time-locked and expire after 30-120 seconds depending on system configuration. Once expired, the code is cryptographically invalid and cannot be used to authenticate, regardless of who attempts to use it. This is the primary security property of OTP.
However, attackers using AiTM phishing relay codes in real-time before expiration, bypassing this protection. The attack window is brief but sufficient for automated relay systems to intercept the code from the phishing page and submit it to the legitimate service before expiration.
Organizations should not rely on code expiration as a defense against phishing. While expiration limits the duration of vulnerability, it does not prevent real-time attacks that operate within the validity window.
How do legitimate companies contact users about account security without phishing-like messages?
Legitimate companies handle account security without requesting user secrets, according to LoginRadius and Abnormal AI research published in 2025. They do not ask users to provide OTP codes. They do ask users to log in to the account themselves using official apps/websites. They do send notifications after the user authenticates like "New login detected from X location". They do implement secure in-app messaging for sensitive account events.
The principle is: company verifies user identity; user does not verify company identity via codes. If a message requests that you provide an OTP code, security question answer, or password to verify yourself, it is phishing regardless of how legitimate the message appears.
Users should independently navigate to the official website or app when they receive security alerts, rather than clicking links or calling phone numbers provided in suspicious messages.
What percentage of OTP phishing attacks succeed?
Success rates vary significantly based on user training and attack sophistication, according to LoginRadius and Abnormal AI research. Untrained users face 40-60% success rate. With social engineering and support impersonation, success rate increases to 50-70%. Trained users who know "never share OTP" have less than 5% success rate. Against users with hardware keys, success rate is 0% since hardware keys cannot be phished.
The dramatic difference between trained and untrained users demonstrates the importance of security awareness education. Organizations that invest in comprehensive training explaining how OTP phishing works and establishing clear "never share OTP" policies achieve substantially lower compromise rates.
Context also matters. Users under time pressure, during high-stress periods, or when contacted by convincing authority figures show higher vulnerability rates than users evaluating requests during calm periods with time to think carefully.
Can OTP codes be intercepted in transit between user's phone and the app/website?
For SMS OTP, yes: codes can be intercepted via SIM swapping, where the attacker receives the SMS before the user, or via carrier-level interception, according to Paubox and Abnormal AI research published in 2025. For app-based TOTP, no: codes are generated locally on the device and are not transmitted, so they exist only on the user's phone.
However, both are vulnerable to real-time phishing if the user enters the code into a fake website and the code is relayed before expiration. The distinction is important: SMS OTP faces two attack vectors including interception during delivery and phishing during use, while app-based TOTP only faces phishing during use.
This is why security guidance emphasizes migrating away from SMS-based OTP to app-based TOTP, and ultimately to FIDO2 hardware keys which eliminate both attack vectors entirely.