Account Takeover (ATO)
An attack in which a criminal gains unauthorized control of a legitimate user's account, typically using stolen credentials. Strong MFA and OTP verification are the primary defenses against ATO.
Credential Stuffing
An automated attack that tries username-and-password pairs leaked from one breach against many other sites, exploiting password reuse. Rate limiting, bot detection, and MFA are essential countermeasures.
Brute-Force Attack
An attack that systematically tries many passwords or codes until the correct one is found. Short OTP expiry, attempt limits, and rate limiting make brute-forcing impractical.
Phishing
A social-engineering attack that tricks users into revealing credentials or OTPs through fake messages, sites, or calls. Passkeys and phishing-resistant authentication defeat phishing because there is no reusable secret to hand over.
SIM-Swap Attack
Fraud in which an attacker convinces a mobile carrier to port a victim's phone number to a SIM they control, intercepting SMS OTPs. SIM-swap risk is a key reason to prefer app-based or messaging-channel verification over SMS for high-value accounts.
OTP Interception
Any technique that captures a one-time password in transit, through malware, SS7 network flaws, SIM swaps, or real-time phishing. Short expiry windows and phishing-resistant methods limit the value of an intercepted code.
SMS Pumping (AIT)
Artificially Inflated Traffic fraud in which attackers trigger huge volumes of OTP SMS to premium-rate numbers they profit from, running up a business's messaging bill. Rate limiting, number lookup, and channel routing away from SMS are core defenses.
Man-in-the-Middle (MITM)
An attack where the adversary secretly relays and possibly alters communication between two parties who believe they are talking directly. TLS encryption and phishing-resistant authentication protect against MITM interception of credentials and codes.
Replay Attack
An attack that captures a valid authentication message, such as an OTP or token, and resends it to gain access. One-time use, nonces, and short expiry windows make replays ineffective.
Smishing
Phishing carried out over SMS, where fraudulent texts lure users into clicking malicious links or revealing codes. Branded Sender IDs and user education reduce the success of smishing campaigns.
Vishing
Voice phishing, in which attackers use phone calls to manipulate victims into disclosing credentials, OTPs, or financial details. Vishing often impersonates banks or support agents and pairs with other fraud such as SIM swaps.
Bot Attack
Automated, large-scale abuse carried out by scripts or bot networks, including fake sign-ups, credential stuffing, and OTP-triggering fraud. CAPTCHAs, device fingerprinting, and rate limiting are the front line against bot attacks.