One-time passcodes (OTPs) are a core part of traditional two-factor authentication (2FA) and multi-factor authentication (MFA).
When you log in to an account or confirm a transaction, you receive the code by email or SMS, or generate it in an authenticator app, to prove your identity.
Now, cybercriminals have found a way to bypass these protections using OTP bots.
What is an OTP bot?
An OTP bot is an automated software program that intercepts or steals one-time passcodes used to verify your identity. The goal is to gain control of your account in what’s known as an account takeover attack (or ATO).
Cybercriminals can buy OTP bot attacks on underground marketplaces, often via Telegram, for as little as $10 per attack. This low-cost, scalable approach lets attackers target many people at once with minimal effort.
How OTP bots work
OTP bots are designed to exploit the time between when you receive a one-time password and when you enter it into the app or website. This window is often less than a minute.
Cybercriminals typically intercept the code in three ways:
OTP bot account takeover via social engineering
The attacker uses stolen or leaked credentials to trigger the OTP step on a legitimate site. A bot then contacts you by SMS or phone call, using a script designed to create urgency — for example, by impersonating a bank’s fraud team. If you share the OTP, the bot passes it to the attacker in real time, giving them access to your account. The attacker can then change the login credentials and lock you out.
OTP bot account takeover via interception
Using stolen credentials to trigger the OTP, the bot attempts to intercept the code before it reaches you. Common methods include:
- SIM swap attack: The attacker convinces a mobile carrier to transfer your phone number to a SIM card they control, so SMS codes are delivered directly to them.
- API exploitation: The bot targets poorly secured authentication APIs to capture OTPs as they’re generated.
- Brute force: The attacker tries every possible value of a short numeric OTP, which works when the website or app you are using does not limit the number of repeated verification attempts.
OTP bot account takeover via relay attack
This variation does not rely on stolen credentials. Instead, it tricks you into giving an attacker both your login details and your OTP. You land on a fake website that looks like the real one and enter your credentials. The bot immediately uses those credentials to log in to the real website, which triggers an OTP sent to your phone. The fake website then asks you to enter the code, which the bot relays to the real website in real time. This lets the attacker complete the login before the code expires.
As with the other variations, the attacker can then change the credentials and lock you out of your account.
How an OTP bot can affect your business
The ease of obtaining OTP bot services is likely to increase attacks on businesses. While banking and ecommerce are common targets, any industry can be affected, and small and medium-sized businesses (SMBs) are targeted especially frequently.
Financial losses can be significant, but they are not the only loss that should concern business owners.
Loss of customer trust
Customer trust often drops after a data breach. A 2024 study by Vercara found that 58% of consumers consider affected brands untrustworthy, and 70% would stop shopping with a brand after a security incident.
Regulatory compliance risks
Even if no funds are stolen, your business may face fines for failing to meet data protection requirements. For example, the General Data Protection Regulation (GDPR) applies to any organization that processes the personal data of EU residents, regardless of location or company size. Penalties for non-compliance can be substantial.
How to protect your business from OTP bots
Given that human error is the hardest thing to protect against, businesses should implement as many technical safeguards as possible. These might include:
Rate limiting and throttling
Limit how many one-time passcode (OTP) requests can be made from a single IP address, phone number, or account within a set timeframe. This prevents attackers from flooding your systems with automated requests.
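The following added example (not code from the original article) shows one way to enforce both safeguards this section and the brute-force point above call for: a sliding-window cap on OTP sends per account, phone number and IP address, plus a per-code limit on wrong guesses so a short numeric code cannot be exhausted. The thresholds, the `OtpService` class and the clock injection are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

MAX_VERIFY_ATTEMPTS = 5      # wrong guesses before the code is invalidated (assumed value)
OTP_TTL_SECONDS = 60         # code lifetime, matching the roughly one-minute entry window
SEND_LIMIT = 3               # OTP sends allowed per account/phone/IP in the window (assumed)
SEND_WINDOW_SECONDS = 600    # sliding window for the send limit (assumed)


class OtpService:
    """Issues and verifies 6-digit OTPs with send throttling and attempt limits."""

    def __init__(self, clock=time.time):
        self.clock = clock                # injectable for testing
        self.sends = defaultdict(deque)   # (scope, key) -> timestamps of recent sends
        self.pending = {}                 # account -> {"code", "expires", "attempts"}

    def _over_limit(self, scope, key, now):
        q = self.sends[(scope, key)]
        while q and q[0] <= now - SEND_WINDOW_SECONDS:   # drop sends outside the window
            q.popleft()
        return len(q) >= SEND_LIMIT

    def request_otp(self, account, phone, ip):
        """Return the code to deliver, or None when any send limit is hit."""
        now = self.clock()
        scopes = [("account", account), ("phone", phone), ("ip", ip)]
        if any(self._over_limit(s, k, now) for s, k in scopes):
            return None
        for s, k in scopes:               # record the send only once all checks pass
            self.sends[(s, k)].append(now)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[account] = {"code": code, "expires": now + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, account, submitted):
        """True only for the current, unexpired code; a code is single use and
        is burned after MAX_VERIFY_ATTEMPTS wrong guesses, so brute force fails."""
        entry = self.pending.get(account)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(account, None)
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"], submitted)   # constant-time compare
        if ok or entry["attempts"] >= MAX_VERIFY_ATTEMPTS:
            del self.pending[account]
        return ok
```

In production the send counters and pending codes would live in a shared store such as Redis rather than in process memory, so that limits hold across application instances.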
CAPTCHA and behavioral analysis
Use CAPTCHA challenges when suspicious activity appears, and apply behavioral analysis to detect non-human patterns such as rapid form submissions or unrealistic mouse movements.
Device fingerprinting
Track device characteristics to identify repeat offenders and flag devices making multiple OTP requests across different accounts.
Multi-factor authentication beyond OTP
Add stronger authentication methods, such as hardware security keys, biometric verification, or push notifications, to reduce reliance on OTP alone.
API security hardening
Protect your OTP APIs by requiring authentication, signing requests, validating inputs, and using secure communication channels to prevent interception or manipulation.
Monitoring and detection
Monitor usage patterns to identify unusual behavior that may indicate bot activity. Use real-time alerts to catch spikes in OTP requests or unexpected geographic access. Review logs regularly to detect threats early.
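As an added example (not from the original article), the detection logic below runs over a few constructed OTP request log lines and raises the two alerts this section and the device fingerprinting section describe: one IP address requesting codes for many different accounts within a short window, and one account requesting codes from two countries within the same window. The log format, field names and thresholds are assumptions for illustration.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, event, account, ip, country
SAMPLE_LOG = """\
2024-05-01T10:00:01Z otp_request account=alice ip=198.51.100.7 country=DE
2024-05-01T10:00:05Z otp_request account=bob ip=203.0.113.9 country=US
2024-05-01T10:00:06Z otp_request account=carol ip=203.0.113.9 country=US
2024-05-01T10:00:08Z otp_request account=dave ip=203.0.113.9 country=US
2024-05-01T10:00:09Z otp_request account=erin ip=203.0.113.9 country=US
2024-05-01T10:00:10Z otp_request account=frank ip=203.0.113.9 country=US
2024-05-01T10:00:40Z otp_request account=alice ip=192.0.2.44 country=BR
2024-05-01T10:03:00Z otp_request account=bob ip=203.0.113.9 country=US
"""

LINE_RE = re.compile(r"^(\S+) otp_request account=(\S+) ip=(\S+) country=(\S+)$")
Event = namedtuple("Event", "ts account ip country")

IP_ACCOUNT_THRESHOLD = 5        # distinct accounts per IP per window before alerting (assumed)
WINDOW = timedelta(minutes=1)   # sliding window length (assumed)


def parse(log_text):
    """Parse log lines into Event tuples, skipping lines that do not match the format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect(events, window=WINDOW, ip_threshold=IP_ACCOUNT_THRESHOLD):
    """Return a set of (alert_type, subject) pairs found in the event stream."""
    alerts = set()
    events = sorted(events, key=lambda e: e.ts)
    for i, ev in enumerate(events):
        recent = [e for e in events[:i + 1] if e.ts >= ev.ts - window]
        # one IP requesting codes for many accounts: bot working a credential list
        if len({e.account for e in recent if e.ip == ev.ip}) >= ip_threshold:
            alerts.add(("ip_many_accounts", ev.ip))
        # one account requesting codes from two countries: unexpected geographic access
        if len({e.country for e in recent if e.account == ev.account}) > 1:
            alerts.add(("geo_anomaly", ev.account))
    return alerts
```

In a real pipeline the same rules would be expressed in the SIEM's query language and fed by the authentication service's structured logs rather than by an in-memory string.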
How to protect yourself from OTP bots
OTP bots can be dangerous, but you can take simple steps to protect your accounts.
Use strong, unique passwords or passkeys
Use a business password manager to generate and store unique credentials for each account. If possible, use passkeys, which remove the need for one-time passwords (OTPs).
Use a hardware security key
Physical security keys, such as YubiKey, provide strong protection against automated attacks because logging in requires physical possession of the key, which a remote bot cannot obtain.
Watch for phishing attempts
Be cautious of unsolicited messages that ask for verification codes. An OTP is meant to be entered into a website or app, not shared with anyone.
Monitor your account activity
Check login history and account settings regularly for unusual activity.
Use an authenticator app instead of SMS
Time-based one-time passwords (TOTP) — codes generated by an authenticator app — are more secure than SMS-based OTPs, which can be intercepted through SIM-swapping attacks.
Good password hygiene is your first line of defense
Combining strong technical safeguards with good credential hygiene goes a long way toward keeping attackers out.
A business password manager is one of the simplest and most effective tools you can use — it ensures employees aren’t reusing weak passwords across accounts, which is exactly the kind of vulnerability OTP bots are designed to exploit.
Pair it with phishing-resistant authentication methods and a culture of security awareness, and you make your business a much harder target.