New Social Engineering Tactics Target Multi-Factor Authentication Apps

New Social Engineering Tactics Target Multi-Factor Authentication Apps

WHACC is happy to share this article sent to us by NOACC, originally written by CMIT Solutions of Cleveland.

Social Engineering Tactics Evolve to Try and Compromise Accounts and Steal Login Credentials

Social engineering has taken on a new twist, according to cybersecurity experts. This online tactic, which leverages personal details gleaned from the Internet to try and convince a user to take action, is now arriving in the form of multi-factor authentication (MFA) prompts.

These usually arrive as push notifications from an app or unique codes delivered via email or text message. Reports have emerged of both criminal hackers and nation-state actors using this technique with which bad actors attempt to irritate users with repeated MFA alerts. The hope, according to researchers who have studied the new social engineering tactic, is that users will become so annoyed by the prompts that they will unthinkingly accept the request to log in to their account.

New Tactics Target Multi-Factor Authentication AppsHow can hackers pull this off?

By finding publicly available phone numbers and email addresses to which they can deliver personalized messages to devices and accounts. By bombarding someone with repeated alerts—often late at night, when users aren’t thinking as clearly or prepared for spam attempts—hackers attempt to gain access to a legitimate MFA portal, from which they can enroll another device. That shadow device can then be used to steal login credentials or access accounts that contain privileged information.

Other variations on this new social engineering trick include calling the target and pretending to be part of their actual business. If hackers can get the user on the phone, they can often impersonate a company executive or other key contact (discovered, for instance, by scrolling through social media accounts) and try to gain access to passwords or MFA portals. In addition, some hackers will send only one or two MFA prompts per day but at the same time to try and simulate legitimate login procedures.

No matter the method, the goal is usually the same: to steal sensitive ​information, gain access to protected accounts, and capture company data, often with the hopes of extracting a ransom or financial reward.

How can you protect your information and keep your digital identity safe?

CMIT Solutions has accumulated five tips to protect MFA and login credentials while understanding the threat to small and mid-sized businesses across North America.

To read the tips and gain a deeper understanding of social engineering tactics, read the full article here.

About WHACC Publisher

The Warrensville Heights Area Chamber of Commerce works to promote, enhance, and foster the growth of business in the area communities of Highland Hills, North Randall and Warrensville Heights, Ohio. Visit to subscribe, get involved, or join. Do you have news, updates, or opportunities you would like to share? We’re looking to our members to submit world-class content for our print newsletters, email newsletters, and social media channels. Please submit your business articles, tips, and resources to