Google Voice, a virtual phone number service that allows users to call and text without a phone, has recently become the target of an elaborate new scam.

Fraudsters will find publicly posted phone numbers — such as those listed as a form of contact on Facebook Marketplace listings, or even as simple as lost dog posters — and reach out to the victim, pretending to be interested in the posting. Under the guise of confirming the legitimacy of the offer, the scammer will ask the seller to share a code they receive from the Google Voice service — which the attacker then uses to verify a new Google Voice account, giving them complete control of the user’s phone number.

Once compromised, the scammer can use the compromised number to send fraudulent texts and calls. Even worse, since Google Voice can receive texts, the attacker can intercept two-factor authentication (2FA) SMS messages and use them to further compromise other accounts, such as the victim’s Google account.

Google’s support website has information on how to recover from such an attack, but the best defense against falling victim to this kind of attack is never sharing 2FA codes with anyone, even if they claim to be with tech support. Two-factor authentication is designed to be something only you could know. Never give out your codes, and especially not to strangers!

For a more in-depth read, Bleeping Computer’s post has some great information about this scam and further tips on prevention.