How Phishing Scams Are Adapting to MFA


While many have touted multifactor authentication (MFA) as the pinnacle of account security, threat actors have found a way to bypass it with modern social engineering tactics. What can people do to protect their accounts and personal information? 

Phishing Has Adapted to Bypass MFA

For years, companies have said MFA is the be-all and end-all of security. An infamous Microsoft report claimed it reduced compromise risk by 99.22% after finding that 99.99% of participants’ MFA-enabled accounts remained uncompromised for the study’s duration. It is worth mentioning that the sample size was only 128,000 people — and the study lasted just five months. 

Despite the small sample size and short length, this report circulated quickly. As a result, many people believe the common misconception that MFA is nearly 100% effective. Information technology (IT) security professionals know better — just 42% believe it is very effective, with most saying they think it is only somewhat effective. 

Regardless of how many times Microsoft’s impressive figures are cited, the reality is that phishers and hackers have found ways to circumvent this authentication tool. End users need to understand how MFA bypass attacks work — and how they are evolving — to protect their personal information and accounts from scammers.

How Threat Actors Can Bypass MFA

Social engineering is the most common method because it is easy to carry out. The threat actor begins by logging in with stolen but valid credentials, which triggers an MFA prompt to the real account holder. If the recipient accepts the request — which is possible since MFA fatigue is increasingly common — they effectively hand over their account. If not, the scam enters the second phase. 

At this point, the phisher pretends to be a trusted entity, such as a member of IT security or a customer service department. They call, email or text, asking their target to accept the request or reveal a one-time passcode. Although this scam sounds obvious, it is often convincing — that’s why there were 3,661 social engineering incidents in 2023, the equivalent of 10 per day. 
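The prompt-bombing pattern described in the two paragraphs above leaves a recognisable trace in authentication logs: a burst of push prompts for one user, most of them denied, ending in an approval. The following detection routine is an added example (not from the article or any vendor product) that runs over a constructed log sample; the log format, the ten-minute window and the five-prompt threshold are all assumptions to be tuned against a real identity provider's events.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs.

Added example, not from the article. Log format is constructed:
<ISO timestamp> user=<name> event=mfa_push result=<sent|denied|approved> ip=<addr>
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window (assumed tuning value)
PROMPT_THRESHOLD = 5             # pushes in the window that trigger an alert

# Constructed sample log: alice is bombed with prompts and finally approves;
# bob receives one normal prompt and approves it.
SAMPLE_LOG = """\
2024-05-02T09:14:01Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-02T09:14:40Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-02T09:15:12Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-02T09:15:55Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-02T09:16:30Z user=alice event=mfa_push result=denied ip=203.0.113.7
2024-05-02T09:17:02Z user=alice event=mfa_push result=approved ip=203.0.113.7
2024-05-02T09:20:00Z user=bob event=mfa_push result=approved ip=198.51.100.4
"""


def parse_line(line):
    """Split one log line into a dict; 'ts' holds the parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect_push_fatigue(log_text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return one alert per user whose push prompts within `window` reach `threshold`.

    The alert records whether the run ended in an approval preceded by denials,
    which is the signature of a user who gave in to prompt bombing.
    """
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            if rec.get("event") == "mfa_push":
                by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        for i, rec in enumerate(recs):
            # every prompt for this user inside the window that ends at `rec`
            recent = [r for r in recs[: i + 1] if rec["ts"] - r["ts"] <= window]
            if len(recent) < threshold:
                continue
            denials = sum(1 for r in recent if r["result"] == "denied")
            candidate = {
                "user": user,
                "prompts": len(recent),
                "denials": denials,
                "approved_after_denials": rec["result"] == "approved" and denials > 0,
                "last_prompt": rec["ts"].isoformat(),
            }
            # keep the most severe state the run reached (an approval beats a denial)
            if best is None or candidate["approved_after_denials"]:
                best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert with `approved_after_denials` set is the one worth paging on: the account should be treated as compromised until the session is revoked and the user confirms they initiated the login. A burst of denials without an approval still deserves a ticket, since it shows the password is already in the attacker's hands.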

Another way to circumvent MFA is with a man-in-the-middle attack. The first step is to make a fake website that looks like the real one and relays traffic to it. As soon as someone who believes the website is legitimate tries to log in, the attacker intercepts their credentials and submits them to the real website in real time. The resulting MFA prompt was triggered by the attacker, not the victim, but the victim approves it anyway and inadvertently relinquishes their account. 

More sophisticated hackers may use the token theft method. After a user logs in, the web application issues a session cookie that is stored on their device so they don’t have to re-authenticate during the active session. A threat actor who steals that cookie can present it to the application, which then treats the attacker’s requests as if they came from the legitimate, already-authenticated account holder; MFA is never challenged again. This gives them access to anything their target has access to.
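The defence against a stolen session cookie is to make the cookie short-lived, hard to read from scripts, and useless outside the context it was issued in. The store below is an added example, not the article's or any framework's code; it assumes opaque random tokens kept hashed server-side, a fifteen-minute idle timeout, and a coarse client fingerprint (here the User-Agent string) that the session is bound to, so a cookie replayed from another client is rejected and revoked.

```python
"""Server-side session store hardened against replay of a stolen cookie.

Added example, not from the article. Assumptions: sessions are opaque random
tokens stored hashed on the server, expire after a short idle timeout, and are
bound to a coarse client fingerprint (the User-Agent) so a cookie presented
from a different client is rejected and the session revoked.
"""
import hashlib
import secrets
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)   # assumed policy value


def _digest(token):
    # Store only a hash: a dump of the session table must not be a bag of cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token digest -> session record

    def issue(self, user, client_fp, now):
        """Create a session for `user` bound to `client_fp`; return the raw token."""
        token = secrets.token_urlsafe(32)
        self._sessions[_digest(token)] = {
            "user": user, "fp": client_fp, "last_seen": now, "revoked": False,
        }
        return token

    def validate(self, token, client_fp, now):
        """Return the session's user if valid, else None (revoking on misuse)."""
        rec = self._sessions.get(_digest(token))
        if rec is None or rec["revoked"]:
            return None
        if now - rec["last_seen"] > IDLE_TIMEOUT:
            rec["revoked"] = True        # idle too long: force re-authentication
            return None
        if rec["fp"] != client_fp:
            rec["revoked"] = True        # presented from another client: kill it
            return None
        rec["last_seen"] = now
        return rec["user"]


def set_cookie_header(token):
    """Attributes that keep the token off cleartext links and away from page scripts."""
    return f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def demo():
    """Walk through a legitimate use, a replay from another client, and expiry."""
    store = SessionStore()
    t0 = datetime(2024, 5, 2, 9, 0, 0)
    victim_fp = "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"   # constructed
    token = store.issue("alice", victim_fp, t0)
    legitimate = store.validate(token, victim_fp, t0 + timedelta(minutes=1))
    # The same cookie replayed from a different client context (constructed).
    replayed = store.validate(token, "curl/8.5.0", t0 + timedelta(minutes=2))
    # Once revoked, even the real client must log in (and pass MFA) again.
    after_revoke = store.validate(token, victim_fp, t0 + timedelta(minutes=3))
    # A session left idle past the timeout is also dead.
    token2 = store.issue("bob", victim_fp, t0)
    expired = store.validate(token2, victim_fp, t0 + timedelta(minutes=16))
    return legitimate, replayed, after_revoke, expired


if __name__ == "__main__":
    print(demo())   # ('alice', None, None, None)
    print(set_cookie_header("<token>"))
```

The fingerprint check is a heuristic: a User-Agent string can be copied along with the cookie, so it catches careless reuse rather than a determined attacker. The measures that hold up regardless are the short idle timeout, revocation on any anomaly, and requiring a fresh MFA challenge before sensitive actions such as changing contact details or passwords.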

Of course, there’s also the classic case of vulnerability exploitation. Hackers can exploit bugs and security weaknesses in MFA implementations, or in the account-recovery flows around them, to trick or bypass authentication measures. For example, they could brute-force the answer to a security question during account recovery, enabling them to change the email address or phone number associated with the MFA service to their own. 

The Consequences of an MFA Bypass Attack

If an MFA bypass attack is successful, the scammer typically changes the original account holder’s passwords, security questions and contact information immediately. This makes recovery overly complicated or outright impossible. From there, they steal as much information as possible.

What a threat actor does after a successful MFA bypass attack varies. If they are targeting a high-ranking professional, they are likely looking for proprietary software or business secrets. In health care, they want valuable medical records and patient details. Their goal for banking applications is to drain funds into their own bank account. 

No matter what, victims will experience the fallout that comes with data theft, which ranges from a single compromised account to full-blown identity theft. Businesses face potential financial losses, regulatory action, legal issues and reputation damage. If it isn’t clear, people should do everything they can to defend themselves against MFA bypass attacks. 

What Can People Do to Protect Their Accounts?

There are several steps people can take to secure their accounts and MFA tools against phishers, hackers and scammers. 

  1. Create Strong Passwords

Although strong passwords can’t protect those who have their credentials leaked in a data breach or who enter their information on a phishing website, they add another layer of security. This way, MFA isn’t their account’s only line of defense against threat actors. 

A strong password contains numbers, letters and symbols. It should be at least 10 characters long but contain no identifiable sequences like words, phrases or dates — hackers can easily bypass those with an unsophisticated brute-force attack. 

  2. Adopt Zero-Trust Policies 

The concept of zero trust revolves around the idea that a person should not automatically trust any user, website, application or device. Continuous verification of every user and device, rather than a single check at login, is essential because it is what uncovers a phished or hijacked session. 

  3. Use Phishing-Resistant MFA

According to the United States Cybersecurity and Infrastructure Security Agency, many companies switch to security keys — which it calls phishing-resistant MFA — after experiencing an MFA bypass attack. 

A security key is a piece of hardware a person uses for authentication. It can plug into a device, scan biometrics or use Bluetooth to verify their identity. Because the key only answers challenges from the website it was registered with, a lookalike phishing site cannot use it, so the hacker can’t access the account even if the owner falls for a phishing attempt. 
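The reason a security key survives the man-in-the-middle attack described earlier is that the browser, not the user, writes the page's origin into the data the key signs, and the real site rejects any assertion whose origin is not its own. The simulation below is an added example, not the article's code or any WebAuthn library; the origins are constructed, and a keyed HMAC stands in for the authenticator's asymmetric signature (real WebAuthn uses a per-site private key, with the relying party verifying against the registered public key). The structure of the check is the same.

```python
"""Why origin-bound MFA (FIDO2 security keys, passkeys) defeats a phishing proxy.

Added example, not from the article. Simplification (assumption): a keyed HMAC
stands in for the authenticator's asymmetric signature; real WebAuthn signs
with a per-site private key and the relying party verifies with the registered
public key. The origin and challenge checks are the ones that matter here.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://login.example.com"            # real relying party (constructed)
PHISH_ORIGIN = "https://login.example-secure.com"  # lookalike proxy site (constructed)


class Authenticator:
    """Models a security key: it signs whatever client data the browser hands it."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # stands in for the private key

    def public_key(self):
        return self._key                      # HMAC stand-in: verifier shares the key

    def sign(self, client_data_json: bytes) -> bytes:
        return hmac.new(self._key, hashlib.sha256(client_data_json).digest(),
                        hashlib.sha256).digest()


def browser_assert(authenticator, page_origin, challenge):
    """The browser builds clientDataJSON from the origin it is actually on."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    return client_data, authenticator.sign(client_data)


def rp_verify(public_key, expected_challenge, client_data, signature):
    """Relying-party checks: ceremony type, fresh challenge, origin, then signature."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {data.get('origin')}"
    expected = hmac.new(public_key, hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def scenario():
    """Genuine login, a relayed assertion from the lookalike, and a rewritten one."""
    key = Authenticator()
    challenge = secrets.token_urlsafe(32)     # the real site issues a fresh challenge
    # Legitimate login: the user is on the real site.
    cd, sig = browser_assert(key, RP_ORIGIN, challenge)
    genuine = rp_verify(key.public_key(), challenge, cd, sig)
    # Phished login: the proxy relays the real challenge, but the victim's browser
    # is on the lookalike origin; the proxy forwards the assertion unchanged.
    cd_p, sig_p = browser_assert(key, PHISH_ORIGIN, challenge)
    relayed = rp_verify(key.public_key(), challenge, cd_p, sig_p)
    # A proxy that edits the origin field breaks the signature instead.
    tampered = json.dumps({**json.loads(cd_p), "origin": RP_ORIGIN},
                          sort_keys=True).encode()
    rewritten = rp_verify(key.public_key(), challenge, tampered, sig_p)
    return genuine, relayed, rewritten


if __name__ == "__main__":
    for label, result in zip(("genuine", "relayed", "rewritten"), scenario()):
        print(f"{label}: {result}")
```

Contrast this with a one-time code or a push approval: those carry no notion of which site the user was looking at, which is exactly why the proxy described earlier can forward them. The origin check is the property to look for when a vendor calls its MFA "phishing-resistant".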

  4. Leverage Passkeys

A passkey is a cryptographic credential (a public/private key pair) that replaces passwords. The private key is stored on the user’s device and the credential is tied to their account. This digital credential is more secure than traditional MFA, making it an ideal alternative. 

Threat Actors Will Continue Targeting MFA

The cybersecurity landscape continuously evolves as new technologies emerge and old vulnerabilities are patched. In other words, there was little to no chance MFA would remain the pinnacle of account security for long. The silver lining is that end users can defend themselves against MFA bypass attacks in several ways.


As the Features Editor at ReHack, Zac Amos writes about cybersecurity, artificial intelligence, and other tech topics. He is a frequent contributor to Brilliance Security Magazine.

