Verification Code Forwarding Attack

Verification Code Phishing Attack

We investigated a phishing attack in which attackers bypass two-factor authentication by luring users to forward verification codes delivered via SMS messages to them. We found an attack that can lure 50% of the users to give up their verification codes. We found that our robust messaging approach reduces the success of the most effective social engineering attack to 8%, or a sixth of its success against Google’s standard two-factor verification code messages.


  1. Hossein Siadati, Toan Nguyen, Payas Gupta, Nasir Memon, Markus Jakobsson, Mind your SMSes: Mitigating Social Engineering in Second Factor Authentication, Computers & Security, Volume 65, March 2017, Pages 14–28
  2. Hossein Siadati, Toan Nguyen, Nasir Memon, Verification Code Forwarding Attack, PasswordsCon, University of Cambridge, December 2015


  1. Verification code or cyber attack? NYU Press Release
  2. Researchers find vulnerability in two­factor authentication,
  3. Vulnerability found in two-factor authentication, Homeland Security News Wire
  4. More…