How to avoid scams pretending to be from Expensify

Some scammers try to impersonate Expensify by sending fake emails or calling you directly, often asking for your Magic Code (your login code). These scams are designed to trick you into giving up access to your Expensify account.

This guide explains what these scams look like, how to spot them, and what to do if you think you’ve been targeted.

---

What is the Magic Code?

The Magic Code is a one-time login code Expensify emails or texts to you when you sign in without a password. It should only be used by you during login.

Expensify will never call, email, or message you to ask for your Magic Code.

---

Common scams to watch out for

Here are the most common types of scams we’ve seen targeting Expensify members:

1. Phone call scams requesting your Magic Code

• The scammer claims to be from Expensify and needs your Magic Code to verify your account.
• They may spoof a legitimate phone number to make it seem more convincing.
• Some scammers may create a sense of urgency (e.g., “We detected suspicious activity on your account.”)

If someone calls you asking for your Magic Code, hang up immediately.

---

2. Phishing emails and texts requesting you use their link to login to Expensify

• Emails and text messages often look like they’re from Expensify or Visa, but the sender address is likely not from an expensify.com email address.
• These emails and text messages may have links that lead to a fake login page, prompt you to reset your password, or ask you to reply with your Magic Code.
• Scammers sometimes use urgent language like “Your account will be closed if you don’t respond.”

Don’t click suspicious links, and never share your Magic Code in email. Expensify will only generate a magic code for you when you take an action in the app, such as logging in or making a high-risk change.

---

How to stay safe

Here’s how you can protect your Expensify account:

• Never share your Magic Code — not over the phone, not by email, not via text.
• Don’t click suspicious links — always verify the sender’s email address.
• Use 2FA (two-factor authentication) to add an extra layer of security.
• If in doubt, message Concierge directly from within the Expensify app.

---

What to do if you shared your Magic Code

If you accidentally gave someone your Magic Code, act fast:

1. Lock your Expensify account immediately to block unauthorized access.
2. Contact Concierge from a safe device and explain the situation.
3. Enable two-factor authentication to protect your account going forward.

---

How to report phishing and lock your account

If you believe your account has been targeted or compromised:

1. Lock your Expensify account immediately to block unauthorized access.
2. Message Concierge immediately via email, or from within the Expensify app (web or mobile).
3. Let us know if you’ve received a suspicious message or phone call.
4. Our team will work to secure your account.
5. Once things are secure, we’ll guide you through restoring access safely.

Note: You can also forward phishing emails to abuse@expensify.com so we can investigate and take action.

---

FAQ

Why does Expensify use Magic Codes for login?

Expensify uses Magic Codes instead of passwords to simplify login while keeping your account secure. These codes are valid for one-time use and expire quickly.

How do I know if an email is really from Expensify?

Legitimate Expensify emails always come from an address ending in @expensify.com or @team.expensify.com. If you’re unsure, don’t click any links — just log into the Expensify app directly and message Concierge.

Can Expensify call me?

Expensify will never call you asking for login codes, passwords, or payment information. If you receive such a call, it’s a scam.