This scam has been around for at least a year but we were unaware of it.
We recently became aware of this scam when we listed an item for sale on Craigslist. We immediately received a response that was clearly automated. You can tell this when the title of the email is something like, “I want to buy your ______” and the text then matches your item description exactly, no matter how awkward the wording.
Our suspicions aroused, my husband responded anyway, reasoning that the supposed buyer had his phone number from our listing anyway. He then began speaking to an actual person, but this buyer had an odd request. He wanted to “send a code” like a verification code to my husband. The buyer claimed that this was the only way he could tell if my husband was a legitimate seller. This was a very suspicious and odd request.
It turns out this is a very dangerous scam that takes advantage of two-factor authentication. Two-factor authentication is a method used by many businesses to verify your identity. As detailed in this article by Apple, two-factor authentication is an extra layer of security designed to ensure that you are the only person who can access your account, even if someone knows other information about you, like your password. You receive a code on a device like your smartphone, and you must enter that code before you can get into your account. The point here is that you should NEVER give this code to anyone else.
This scam allows the scammer to create an online account with your phone number. The scammer starts to create the account, which triggers the sending of an authentication code to your smartphone. The scammer is only pretending to generate this code himself. If you agree to receive the code and then repeat it back to him, the scammer will have access to an account in any name he wants but associated with YOUR phone number. The scammer can use this method to create any account that uses two-factor authentication, for example Google Voice or Craigslist. Any spam or illegal activity he carries out with that account will be associated with YOUR phone number.
Bottom line: don’t give any verification code to anyone.