MFA spamming: Pause before you proceed


Multi-factor authentication (MFA) is an effective way to protect your accounts, but scammers are trying to get around it with a technique called MFA spamming (also known as MFA fatigue or push bombing).

MFA spamming happens when a scammer who has already obtained your username and password attempts to log in to your account and triggers one MFA notification after another until you approve one of them.

Scammers typically send a large number of MFA notifications to your device in quick succession to wear you down and pressure you into approving one just to make them stop. They may also try to avoid suspicion by sending the notifications during school or work hours, when you would normally be logging in anyway.
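The burst pattern described above is visible on the identity provider's side as well. The following is an added example, not code from the original page or a University of Toronto tool: a small sliding-window detector run over a constructed push-notification log. The log format (one JSON object per line with ts, user, event and ip fields) is an assumption and would need to be mapped to your own identity provider's export.

```python
"""Sliding-window detector for MFA push bombing (MFA spamming).

Added example, not code from the original page or from the University of
Toronto. The log format below is an assumption: one JSON object per line
with fields ts / user / event / ip. Map these to your identity provider's
own export before using it.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not real data): alice does one normal login;
# bob receives a burst of prompts from a single IP, denies one, then
# finally approves one, which is the pattern the page warns about.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:05Z", "user": "alice", "event": "push_sent", "ip": "142.150.1.10"}
{"ts": "2024-03-04T09:00:12Z", "user": "alice", "event": "push_approved", "ip": "142.150.1.10"}
{"ts": "2024-03-04T09:31:00Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:31:20Z", "user": "bob", "event": "push_denied", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:31:40Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:32:00Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:32:25Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:32:50Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:33:10Z", "user": "bob", "event": "push_sent", "ip": "203.0.113.7"}
{"ts": "2024-03-04T09:33:30Z", "user": "bob", "event": "push_approved", "ip": "203.0.113.7"}
"""


def parse_log(text):
    """Parse JSON-lines log text into records sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_push_bombing(events, window_seconds=300, threshold=5):
    """Flag users who receive >= threshold push prompts within window_seconds.

    One alert per user; the alert records the peak prompt count inside the
    window, the source IPs involved, and whether the user approved a prompt
    within window_seconds of the burst (the case to treat as a compromise).
    Time of day is deliberately not used as a filter: attackers send prompts
    during work hours precisely so that they blend in.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent push_sent events
    alerts = {}                  # user -> alert dict
    for rec in events:
        user, event, ts = rec["user"], rec["event"], rec["ts"]
        if event == "push_sent":
            window = recent[user]
            window.append(ts)
            # Drop prompts that fell out of the window.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                alert = alerts.setdefault(user, {
                    "user": user, "prompts": 0, "ips": set(),
                    "burst_start": window[0], "burst_end": ts,
                    "approved_after_burst": False,
                })
                alert["prompts"] = max(alert["prompts"], len(window))
                alert["ips"].add(rec.get("ip"))
                alert["burst_end"] = ts
        elif event == "push_approved" and user in alerts:
            # An approval shortly after a burst means the fatigue attack
            # most likely succeeded: escalate as an account compromise.
            if (ts - alerts[user]["burst_end"]).total_seconds() <= window_seconds:
                alerts[user]["approved_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the detector ignores alice (one prompt, one approval) and raises a single alert for bob with six prompts in under three minutes and an approval 20 seconds after the last one. The threshold and window are starting points only; tune them against your own baseline of legitimate prompts per user, and treat the approved_after_burst case as a password reset and session revocation, not just a notification.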

Phishing is another tactic: scammers send emails or messages that trick you into handing over your MFA one-time passcode, which gives them the second factor they need to get into your account.

What can you do to keep your accounts safe?

  • Pause before you approve an MFA notification sent to your device. Only approve it if you yourself logged in to an application that requires MFA within the last 60 seconds. If you did not just log in, deny it: an unexpected notification means someone else already has your password, so change it as well.
  • Report suspicious MFA notifications to security.response@utoronto.ca immediately.
  • Do not reply to emails that ask for your MFA one-time passcodes; forward them to report.phishing@utoronto.ca instead.

What are the impacts of MFA spamming?

If you approve an MFA notification sent by a scammer or give away a one-time passcode, your account is compromised: the scammer is signed in as you, and you may temporarily lose access to the information and systems you need until your account is restored.

Compromised accounts are one of the main ways scammers get into the University's systems, which puts the University's data at risk.

To help protect your accounts, use strong, unique passwords together with MFA, and brush up on how to spot phishing attempts.

If you have any questions, we’re here to help – reach out to security.response@utoronto.ca.