Avoiding common scams

Avoiding common scams

Some scammers try to impersonate Expensify by sending fake emails or calling you directly, often asking for your Magic Code (your login code). These scams are designed to trick you into giving up access to your Expensify account.

This article explains how these scams work, how to recognize them, and what actions to take.

Note: Expensify will never call you asking for login codes, passwords, or payment information. If you receive such a call, it’s a scam.

What is the Magic Code?

The Magic Code is a one-time login code Expensify emails or texts to you when you sign in without a password. It should only be used by you during login.

Expensify will never call, email, or message you to ask for your Magic Code.

How to recognize phone call scams pretending to be Expensify

  • The scammer claims to be from Expensify and needs your Magic Code to verify your account.
  • They may spoof a legitimate phone number to make it seem more convincing.
  • Some scammers may create a sense of urgency (e.g., “We detected suspicious activity on your account.”)

If you receive this type of call, hang up.

How to recognize phishing emails or texts pretending to be Expensify

  • Emails and text messages often look like they’re from Expensify or Visa, but the sender address is likely not from an expensify.com email address.
  • These emails and text messages may have links that lead to a fake login page, prompt you to reset your password, or ask you to reply with your Magic Code.
  • Scammers sometimes use urgent language like “Your account will be closed if you don’t respond.”

Don’t click suspicious links, and never share your Magic Code in email. Expensify will only generate a magic code for you when you take an action in the app, such as logging in or making a high-risk change.

How to protect your Expensify account

  • Never share your Magic Code — not over the phone, not by email, not via text.
  • Don’t click suspicious links — always verify the sender’s email address.
  • Use two-factor authentication (2FA) - this adds an extra layer of security to your account.
  • If in doubt, message Concierge - reach out directly from within the Expensify app.

Learn how to enable two-factor authentication.

What to do if you receive a Magic Code you didn’t request

If you receive a Magic Code email but didn’t try to log in, this does not necessarily mean your account has been compromised. It can happen for a variety of reasons, such as someone mistyping an email address.

Here’s what to do:

  1. Do not share the code with anyone — simply ignore or delete the email.
  2. Do not click any links in the email.
  3. Consider enabling two-factor authentication for extra account security.

Note: You do not need to lock your account just because you received an unexpected Magic Code. Only lock your account if you believe someone has gained access to your email account or if you shared your Magic Code with someone.

What to do if you shared your Magic Code

If you accidentally gave someone your Magic Code, act fast to:

  1. Lock your Expensify account immediately to block unauthorized access.
  2. Contact Concierge from a safe device and explain the situation.
  3. Enable two-factor authentication to protect your account going forward.

How to report phishing and lock your account

If you believe your account has been targeted or compromised:

  1. Lock your Expensify account immediately to block unauthorized access.
  2. Message Concierge immediately via email, or from within the Expensify app (web or mobile).
  3. Let us know if you’ve received a suspicious message or phone call.
  4. Our team will work to secure your account.
  5. Once things are secure, we’ll guide you through restoring access safely.

Note: You can also forward phishing emails to abuse@expensify.com so we can investigate and take action.

FAQ

Why does Expensify use Magic Codes for login?

Expensify uses Magic Codes instead of passwords to simplify login while keeping your account secure. These codes are valid for one-time use and expire quickly.

How do I know if an email is really from Expensify?

Legitimate Expensify emails always come from an address ending in @expensify.com or @team.expensify.com. If you’re unsure, don’t click any links — just log into the Expensify app directly and message Concierge.

I received a Magic Code I didn’t request. Is my account compromised?

No. Receiving an unrequested Magic Code does not mean your account is compromised. It most likely means someone entered your email address by mistake when trying to log in. As long as you don’t share the code with anyone, your account is safe. You can simply ignore or delete the email. If you want extra protection, enable two-factor authentication.

Can Expensify call me?

Expensify will never call you asking for login codes, passwords, or payment information. If you receive such a call, it’s a scam.

Didn't find what you were looking for?

Concierge is here to answer all your questions.
Recommend a change to this page