A One Time Password (OTP) is a code that gives users an extra layer of security. It is mostly used when accessing accounts, carrying out financial transactions and similar actions, to verify the real owner of the account. When a user requests an OTP, it arrives as an SMS message, and the sender of that OTP is the actual service provider. Ex: If you request an OTP from Google, the sender of that OTP would be Google itself, and you will receive a message from Google.
If you receive your OTP from a local private number instead of from your service provider, it means the message has come through an unauthorized third party who has access to your OTP messages. They normally change the content slightly, except for the OTP code itself, and send it to the user through a private number. Please refer to the images above for an example.
Impact:
- Loss of access to your online accounts such as social media, emails, online banking, etc.
- Financial loss
Solutions/Workarounds:
- Use an authentication application developed by the service provider instead of OTP SMS.
Ex: Google Authenticator, Facebook Authentication app, Microsoft Authenticator, etc.
- If the OTP is essential, request it through a voice call rather than an SMS message.
- If you received an OTP message through a private number, change your password immediately and set proper account recovery options.
Reference: ALERT-Sri Lanka CERT|CC - Receiving OTP via a Local Private Number