diff --git a/app/auth/views/mfa.py b/app/auth/views/mfa.py
index 9af158ab..14414f1c 100644
--- a/app/auth/views/mfa.py
+++ b/app/auth/views/mfa.py
@@ -92,6 +92,10 @@ def mfa():
 return response
 else:
+ flash("Incorrect token", "warning")
+ # Trigger rate limiter
+ g.deduct_limit = True
+ otp_token_form.token.data = None
 send_email_with_rate_control(
 user,
 ALERT_INVALID_TOTP_LOGIN,
@@ -107,10 +111,6 @@ def mfa():
 ),
 1,
 )
- flash("Incorrect token", "warning")
- # Trigger rate limiter
- g.deduct_limit = True
- otp_token_form.token.data = None
 return render_template(
 "auth/mfa.html",
diff --git a/app/auth/views/recovery.py b/app/auth/views/recovery.py
index d72672fe..371a3ebf 100644
--- a/app/auth/views/recovery.py
+++ b/app/auth/views/recovery.py
@@ -68,6 +68,7 @@ def recovery_route():
 else:
 # Trigger rate limiter
 g.deduct_limit = True
+ flash("Incorrect code", "error")
 send_email_with_rate_control(
 user,
 ALERT_INVALID_TOTP_LOGIN,
@@ -83,6 +84,5 @@ def recovery_route():
 ),
 1,
 )
- flash("Incorrect code", "error")
 return render_template("auth/recovery.html", recovery_form=recovery_form)
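Review bot: The `# Trigger rate limiter` comment in the `else:` branch of `mfa()` (first hunk of app/auth/views/mfa.py) does not say that `g.deduct_limit = True` now has to stay ahead of `send_email_with_rate_control(...)`, so a later tidy-up could move it back below the call. Presumably the reorder exists so that a failure or early exit in the alert-email path cannot skip the deduction on a wrong token; I would record that, e.g. `# Trigger rate limiter before sending the alert email, so a mail failure cannot skip the deduction`, and repeat it in the first hunk of app/auth/views/recovery.py, where the flag already preceded the call but carries the same bare comment. How `g.deduct_limit` is consumed is not visible in this diff; if it is read in a response hook, it is worth confirming with a test that the hook still runs and deducts when the email call raises. Both `mfa()` and `recovery_route()` start and end outside their hunks.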