Hackers more often than not are using social engineering attacks amongst companies to gain access to corporate credentials and breach large networks. With more businesses implementing multi-factor authentication to avoid attacks like this, these bad actors are using this security measure to their advantage called MFA Fatigue.
What is MFA Fatigue?
One way to implement multi-factor authentication is to use something called 'push' notifications. When logging into an application the employee will enter in their credentials and then receive a prompt on their cellphone to verify the login attempt.
The bad actors have figured out how to abuse this system by running a script of the stolen information to send a push request to the account owner's phone. The goal is to keep doing this repeatedly day and night to break down the target's awareness on cybersecurity and inflict "fatigue" regarding these MFA prompts.
After awhile the target gets overwhelmed from these constant notifications that they accidentally hit 'Approve' or accept the MFA request to stop the notifications from flooding their phone. This social engineering technique has been proven to work as big companies such as Microsoft, and Cisco have been breached with this scam.
What do I do if this happens to me?
If you do become a target of MFA Fatigue we highly advise not to approve the request and to contact your IT department right away. You should also change your password for the account to prevent the bad actor from sending you MFA requests.
Another way to prevent this from happening is to use Microsoft's MFA number matching, known as Verified Push in Duo. This feature will give you a code that you will need to type in, in order to complete the login process. With this step in place it reduces the risk of getting hacked as the bad actor will not be able to retrieve the code from your mobile to complete the login process.
Other practices to keep in mind.
With Cybersecurity Awareness Month coming to an end, other things you can do to keep your accounts protected is to:
- Recognize and report phishing.
- Practice strong password management (using applications like ITGlue).
- Be careful with what links you click on.
For more information on how to keep your business protected please visit our website skycomp.ca and talk to a professional today.