Multi-factor Authentication (MFA), sometimes known as two-factor authentication, is a way of strengthening the security of your online accounts with an additional layer of protection. It works by requesting that an individual verifies their identity with two separate factors: for example, a password and a one-time code.

The main advantage of using MFA is that even if a criminal manages to obtain a password, they will still require a second means of authentication which only the legitimate account holder can approve. However, scammers are now shifting their approach: having stolen someone's credentials, they attempt to bypass this security measure by tricking the victim into handing over or approving their one-time passcode, and then take over the account.

Two of the most common tactics scammers use include:

MFA Bombing

MFA Bombing, also known as MFA Fatigue, is a social engineering technique which involves repeatedly pushing login requests (second-factor authentication prompts) to the target victim's email, phone, or registered devices. The goal is to wear the victim down until they confirm their identity via the notification, thereby approving the attacker's attempt to enter their account or device. To understand how hackers exploit MFA fatigue, let's break down the step-by-step strategy behind this attack.

To avoid becoming a victim of MFA bombing, you should ask yourself whether you were expecting a one-time passcode notification. If you were not trying to log in to an online account, do not verify the authentication request. It is strongly recommended that the same security precaution is applied to all accounts (business and personal) to ensure maximum protection.
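As an added illustration that is not part of this article, here is the defender-side view of the pattern described above: a small detection rule run over constructed MFA push logs that flags a user who receives a burst of push prompts in a short window, and notes whether an approval followed that burst (the classic fatigue signature). The log format, field names, threshold and window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format:
# <timestamp> <user> <event> <result>
SAMPLE_LOGS = """\
2024-03-01T08:00:01 alice push_sent denied
2024-03-01T08:00:20 alice push_sent denied
2024-03-01T08:00:45 alice push_sent timeout
2024-03-01T08:01:10 alice push_sent denied
2024-03-01T08:01:40 alice push_sent approved
2024-03-01T08:05:00 bob push_sent approved
2024-03-01T09:30:00 carol push_sent denied
2024-03-01T09:31:00 carol push_sent approved
"""

BURST_THRESHOLD = 3            # push prompts within the window before we flag
WINDOW = timedelta(minutes=5)  # assumed sliding window

def parse_logs(text):
    """Return a list of (timestamp, user, result) for push_sent events."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split()
        if event == "push_sent":
            events.append((datetime.fromisoformat(ts), user, result))
    return events

def detect_mfa_fatigue(text, threshold=BURST_THRESHOLD, window=WINDOW):
    """Map each flagged user to the largest burst seen and whether the
    user approved a prompt while a burst was in progress."""
    by_user = defaultdict(list)
    for ts, user, result in parse_logs(text):
        by_user[user].append((ts, result))
    findings = {}
    for user, evts in by_user.items():
        evts.sort()
        start = 0
        for end in range(len(evts)):
            # advance the window start until the span fits inside WINDOW
            while evts[end][0] - evts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hit = findings.get(user, {"pushes": 0, "approved_after_burst": False})
                hit["pushes"] = max(hit["pushes"], count)
                if evts[end][1] == "approved":
                    hit["approved_after_burst"] = True  # user gave in during the burst
                findings[user] = hit
    return findings
```

A flagged user with `approved_after_burst` set is the case to treat as a likely account takeover and to escalate under the firm's security procedures.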

IT support spoofing

Another social engineering strategy scammers use is to pretend to be a trusted individual, such as an IT helpdesk employee in your organisation, to lure you into doing what they want, from handing over credentials to installing malware. Posing as an IT support worker creates a (false) sense of authority that wins an individual's trust, because such people are usually there to help us, which makes the deception even harder to detect. If you want to know how IT Spoofing works in practice, we have broken it down for you.

To avoid becoming a victim of IT Support spoofing, you should be wary of unsolicited calls claiming to be from IT support and always verify who is requesting the information before providing it. You should never share passwords or authentication codes with anyone, as a legitimate IT support worker will never ask for them. If you believe an account has been compromised, you should report this in line with the firm's security procedures.

Of course, clients can be very vulnerable to these scams too, so where possible they should also be made aware of these types of threats.

For more tips on how to protect your business from cyber threats, visit our dedicated cyber security hub.

How we protect you and your clients

We understand the importance of keeping your firm’s and your clients’ information safe and secure. We use proven, industry-recognised security tools and processes to protect against fraud and security breaches and we regularly upgrade this protection in response to advances in security threats.

Fidelity is a member of Cifas, the UK’s fraud prevention agency, which works closely with law enforcement partners. Cifas Protective Registration is a fraud protection scheme that helps us protect your clients should they be at risk of fraud.

If you have any concerns about security, please call us as soon as possible on 0800 358 7717.

Issued by Financial Administration Services Limited, authorised and regulated by the Financial Conduct Authority. Fidelity, Fidelity International, the Fidelity International logo and F symbol are trademarks of FIL Limited. UKM0925/415108/SSO/0926
