Cybercriminals are using any and every method they can to steal valuable personal data. Once held to the highest security standards, two-factor authentication (also called multi-factor authentication) has been used to keep data and information safe. However, criminals have been busy looking for ways to get past these security standards.

What is 2FA/MFA? 

2FA (also referred to as MFA) is a security measure that creates another layer to protect your online accounts such as your bank, social media accounts, and more.

After entering your username and password into an online account, 2FA sends a second request to verify your ID. This may be by sending a code to your phone via text message or possibly through an authentication app on your phone. When you receive the code, this must be entered to finish the login. Without this information, you will not be able to access the account.

If a criminal has your username and password but doesn’t have the 2FA code sent to your phone, then they are unable to get into your account. Even if they have stolen credentials, criminals will be locked out of your account if they don’t have the correct 2FA code.

The Scam

With multi-factor authentication, it’s necessary to login into your account with the proper credentials. These may include an email and password. With 2FA, it also includes an authenticator app or a device, such as your smartphone. The phone would then receive an additional login approval request.

However, criminals have begun calling their victims, then asking them to approve the authentication request that comes up on the phone.

While this may seem like an obvious ruse, cybercrooks are great at taking advantage of their victims. They use pressure and urgency to get you to act now, immediately. Criminals may even pretend to be from your organisation, perhaps even someone from the IT department. They may even masquerade as someone at a higher level within the company.

Plus, it’s easy to get caught up in the moment, especially if you see a button put up on the phone that says, “Approve.” It’s much easier to do this than provide the criminals with a pin. However, pushing that button could provide the criminals with the permission they need to gain access to your accounts.

How to Prevent This Type of Attack? 

It’s best never to approve an authentication request from anyone who calls you. Instead, check with a trusted person or all a trusted number to see if the request was legitimate or not.

Another 2FA Scam with SMS Messages

A very bad spoof is going around that easily bypasses 2FA, especially if the victim is not aware of this type of security issue. Criminals, who have access to massive databases that contain millions of credentials, have been found online. When criminals send a phishing email to a person from the database, it usually has a malicious code attached.

Next, the attached file is downloaded and activated. This process may install a keylogger, which sends credentials back to a hacker.

The hacker then moves on with the next process in the scam. They send a target text message, which looks as if it’s coming from a legitimate company the victim may have an account with. The text message says the organisation has detected suspicious activity on their account, and then they’re sending the 2FA code, which the target should immediately text back to them. The threat used is that if the instructions are not followed, the victim’s account will be locked.

Then the attacker logs into the account with the known credentials. This will then prompt a 2FA code to be sent to the victim’s smartphone.

They receive the text and, wanting to avoid being locked out of their account, sends the code back to the attacker. However, in this instance, the victim gave the hacker the information needed to gain access to the account.

From there, the hacker then enters the target’s 2FA code, and they’re in the account. This is how simple the attack can take place.

How to Protect Yourself from 2FA & MFA Scam? 

For those accounts you’ve set up 2FA, remember that you’ll only be sent a code to verify your identity when logging into your account. So, if you receive a message out of the blue, which includes a verification code through a text message, then this is a scammer. They have your username and password and want to gain entry to your account.

Another way to protect yourself and your data is to avoid using email-based account resets. This makes it even easier for a hacker to get past the 2FA settings you’ve created. In other words, they only need your user name and password to get into your account.

You can also set up 2FA to use a combination of authentication methods. This means you may be able to set up security for your accounts with more than one 2FA method. The more methods you use, the more secure your accounts will be.

And remember never to give your verification code to anyone. Only use the code when you’re logging into an account where you’ve set up 2FA. In addition, avoid giving out personal information to anyone over a text message. You just can’t be sure who is on the other end!

Experts Recommend Moving Away from Text Messages

Receiving 2FA codes via text message is not as secure as using an authentication app. Instead of text messages, be sure to install an authenticator such as Google Authenticator, Authy, or Microsoft Authenticator. This way, codes won’t have to be sent via your service provider. The codes stay within the app, instead. Besides, the codes usually expire after 30 seconds, making them useless to hackers.

Plus, an authenticator app is much faster than having codes sent via text message. Just open the app, then tap a button to verify your identity. It’s really that easy.

If you have any questions about 2FA or 2FA/MFA scams, don’t hesitate to reach out for more information. We’re here to ensure you and your data stay secure.