This one doesn't just target car buyers, but it shows up constantly in vehicle listing conversations, and it's worth understanding exactly why it works.
How it plays out
You're messaging a seller about a listing. At some point, they say something like: "Before we go further, I want to make sure you're a real buyer and not a bot. I'm going to text you a verification code — can you read it back to me?"
It sounds reasonable. Plenty of legitimate services do send verification codes. So a buyer, eager to move forward on a car they're excited about, reads the code back without thinking twice.
What's actually happening
That "verification code" was never sent by the seller. It's a real code — from one of your own accounts — like a password reset code, a login two-factor code, or an account-recovery code for your email, phone carrier, or a messaging app. The scammer triggered that code themselves by attempting to log into or reset one of your accounts, using your phone number or email they already had from the conversation.
When you read the code back to them, you're not verifying anything about yourself. You're handing the scammer exactly what they need to complete a login or account takeover — of your account, not theirs.
Why this works so well
It works because it flips the normal warning signs upside down. Most people are trained to be suspicious of links, downloads, or requests for passwords. A code that shows up on your own phone, that you're just reading back in a chat, doesn't feel like handing over a password — but functionally, it often is exactly that.
The rule is simple and has no exceptions: never read back, forward, or share a verification code that was sent to your own phone or email — no matter who's asking, no matter what reason they give. A legitimate business will never ask you to do this. If a code shows up that you didn't request, that's a sign someone is actively trying to access one of your accounts, whether or not you share it.
What to do if you already shared one
- Immediately change the password on whatever account the code was likely for (email, phone carrier account, messaging app).
- Enable two-factor authentication using an authenticator app rather than SMS, if the service supports it.
- Check for any account recovery changes you didn't make — recovery email, recovery phone number, forwarding rules on email.
- If your phone carrier account was involved, call your carrier directly to check for unauthorized SIM changes.
Dealing with a seller who's asking odd questions?
Send us the listing and the conversation. We'll flag this pattern and anything else that looks off before you go any further.
Run a scan — $9