Multi-factor authentication is an effective way to protect your accounts, but scammers are trying to bypass MFA protection by using MFA spamming techniques.
MFA spamming happens when a scammer has acquired your account credentials and attempts to log in to your account by initiating multiple MFA notifications until you approve one of them.
Scammers often send a high number of MFA notifications to your device in quick succession to create fatigue and pressure you into approving the notification. Scammers may also try to evade suspicion by initiating notifications during school or work hours, when you would be likely to log in to your account.
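The pattern described above (many push prompts to one user in quick succession, possibly ending in an approval) is something an identity or security team can look for in its own authentication logs. The following is an added example, not part of this notice and not the University's tooling; the log format and the threshold of four prompts within two minutes are assumptions:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of identity-provider push events (not from any real system).
# "alice" receives a burst of prompts that ends in an approval; "bob" gets
# ordinary, well-spaced prompts.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z user=alice event=push_sent result=pending
2024-03-04T09:00:05Z user=alice event=push_sent result=denied
2024-03-04T09:00:09Z user=alice event=push_sent result=timeout
2024-03-04T09:00:12Z user=alice event=push_sent result=pending
2024-03-04T09:00:20Z user=alice event=push_sent result=approved
2024-03-04T09:15:00Z user=bob event=push_sent result=approved
2024-03-04T11:30:00Z user=bob event=push_sent result=approved
"""


def parse_line(line):
    """Split one 'timestamp key=value ...' line into (datetime, dict)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), fields


def find_push_bursts(log_text, threshold=4, window=timedelta(minutes=2)):
    """Return {user: (max_prompts_in_window, approved_during_burst)} for every
    user who received at least `threshold` push prompts inside a sliding
    `window`. An approval inside such a burst is the highest-priority signal,
    since it is the outcome the spamming is meant to produce."""
    recent = defaultdict(deque)  # per-user prompts still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("event") != "push_sent":
            continue
        user = f["user"]
        q = recent[user]
        q.append((ts, f.get("result")))
        while q and ts - q[0][0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            approved = any(r == "approved" for _, r in q)
            prev_count, prev_approved = alerts.get(user, (0, False))
            alerts[user] = (max(prev_count, len(q)), prev_approved or approved)
    return alerts
```

Running `find_push_bursts(SAMPLE_LOG)` flags only alice, with five prompts in the window and an approval inside the burst.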
Phishing is another tactic: scammers trick users into acting on an MFA prompt, for example by handing over a one-time passcode, which gives the scammer access to the user's account.
What can you do to keep your accounts safe?
- Pause before you approve an MFA notification sent to your device. Only approve the notification if you recall initiating it within the last 60 seconds.
- Report suspicious MFA notifications to firstname.lastname@example.org immediately.
- Do not respond to emails that ask for your MFA one-time passcodes; report them instead to email@example.com.
What are the impacts of MFA spamming?
If a user approves an MFA notification sent by a scammer or provides a one-time passcode, their account becomes compromised, and the user may temporarily lose access to the information and systems they need until their account is restored.
Compromised accounts are one of the main points of entry for scammers, and this can put the University’s data at risk.
If you have any questions, we’re here to help – reach out to firstname.lastname@example.org.