
How Hackers Bypass MFA Using Social Engineering

Hackers use clever social engineering strategies to trick users into bypassing MFA protections, putting sensitive accounts at risk.

By now, you’ve likely heard about multi-factor authentication (MFA). You’re probably using it for most of your sensitive accounts. All the cybersecurity blogs you read (including this one) told you that you should be good and protected now.

But advances in cyber protection don’t stay “advances” for long. Hackers always catch up; it’s just a matter of time. MFA can be bypassed now too, thanks to some simple social engineering tricks. If you’re using MFA, good for you—keep using it. However, you should be on the lookout for these tactics from hackers if you want to keep your data safe.

Let’s look at the top ways hackers can bypass MFA and what you can do about it.

Phishing

Phishing is the most widely used social engineering attack because, unfortunately, it still works. Hackers send lookalike emails or text messages (text-message phishing is also known as “smishing,” or SMS phishing), tricking users into clicking on the link and entering their credentials. They can capture more than just usernames and passwords with this method—if the fake page asks for it, they collect the one-time MFA code as well and use it before it expires.

Example of This Cyberattack

  • Global financial platform Payoneer was targeted with phishing attacks in early 2024. Many platform customers complained of receiving text messages asking for password resets with fraudulent links. The customers clicked on the links, provided their credentials…and their accounts were drained. The hackers were able to bypass Payoneer’s two-factor authentication system.

How to Protect Yourself from This Cyberattack

  • If you get an unexpected email or text message from a bank or another company where you have an account, always scrutinize it. Don’t click on any links; open the company’s app or type its address yourself instead.
  • You can also consider switching to a phishing-resistant form of MFA. This type of MFA is passwordless and relies on public/private key cryptography. FIDO- or PKI-based authentication doesn’t use any “something you know” factors; instead it uses a private cryptographic key embedded in your device, unlocked by a method like facial recognition. The key never leaves the device and only signs logins for the genuine site’s address, so a lookalike page has nothing useful to capture. Phishing-resistant MFA is more common for organizations, but it’s making its way to consumer products and platforms now too.

Multiple push notifications from MFA apps confuse users, making them either accept by mistake or out of frustration, giving hackers access.

MFA Fatigue / MFA Push Bombing

Many MFA apps use push notifications to alert users when they need to authenticate during a login. This works well when it’s the user who’s trying to access their own account. But hackers have found a way to use this to their advantage. They attempt to log in over and over, generating several push notifications. People will either mistake them for a genuine prompt and accept it, or grow frustrated with the many notifications and accept just to make them stop. Once they accept, the hacker has account access.

Example of This Cyberattack

  • In 2024, a group of Iranian hackers used brute-force tactics, including MFA push bombing, against Microsoft 365, Azure, and Citrix systems. The joint statement issued by the FBI, CISA, NSA, and international partners says that the campaign used “MFA exhaustion” to wear users down, in the hope that they would accept fraudulent MFA prompts.

How to Protect Yourself from This Cyberattack

  • One simple way to protect yourself from this attack is to never accept an MFA prompt you didn’t just trigger yourself; if prompts keep arriving, deny them and change your password, because the attacker already has it. If you run an organization, you can also limit how many push notifications can be sent for a single log-in attempt, alert on floods of denied or unanswered prompts, or turn off push notifications for the app entirely in favor of another factor.
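The two organizational defenses above, a server-side cap on prompts per log-in attempt and an alert on floods of unapproved prompts, can be small pieces of code. The following Python is an added example written for this article, not code from any MFA vendor; the log events, user names, window, and thresholds are all constructed here, and a real deployment would read the same fields from the identity provider’s sign-in logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (UTC timestamp, user, result of the push prompt)
SAMPLE_EVENTS = [
    ("2024-10-01T08:00:02Z", "alice", "approved"),
    ("2024-10-01T09:15:00Z", "bob", "denied"),
    ("2024-10-01T09:15:20Z", "bob", "timeout"),
    ("2024-10-01T09:15:41Z", "bob", "denied"),
    ("2024-10-01T09:16:05Z", "bob", "timeout"),
    ("2024-10-01T09:16:30Z", "bob", "timeout"),
    ("2024-10-01T09:17:02Z", "bob", "approved"),   # user gave in to the flood
    ("2024-10-01T12:30:00Z", "carol", "denied"),
    ("2024-10-01T16:00:00Z", "carol", "denied"),   # two denials hours apart: normal
]


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who received `threshold` or more unapproved push prompts
    (denied or timed out) inside `window`. Returns a dict:
    user -> {"unapproved": most prompts seen in one window,
             "approved_after_flood": whether an approval followed the flood}."""
    flagged = {}
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts still in the window
    for ts_str, user, result in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_str)
        pending = recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()
        if result == "approved":
            if len(pending) >= threshold:
                # An approval landing right after a flood is the attacker's win
                # and should be the highest-priority alert.
                flagged[user]["approved_after_flood"] = True
            continue
        pending.append(ts)
        if len(pending) >= threshold:
            entry = flagged.setdefault(user, {"unapproved": 0, "approved_after_flood": False})
            entry["unapproved"] = max(entry["unapproved"], len(pending))
    return flagged


class PushLimiter:
    """Server-side cap: at most `max_pushes` prompts per log-in attempt, and a
    cool-down for the user once the cap is hit, so an attacker who holds the
    password cannot keep re-prompting by starting new log-in attempts."""

    def __init__(self, max_pushes=2, cooldown=timedelta(minutes=15)):
        self.max_pushes = max_pushes
        self.cooldown = cooldown
        self._count = defaultdict(int)  # (user, attempt_id) -> prompts already sent
        self._locked_until = {}         # user -> datetime until which no prompt is sent

    def allow_push(self, user: str, attempt_id: str, now: datetime) -> bool:
        if user in self._locked_until and now < self._locked_until[user]:
            return False
        key = (user, attempt_id)
        if self._count[key] >= self.max_pushes:
            self._locked_until[user] = now + self.cooldown
            return False
        self._count[key] += 1
        return True


if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_EVENTS))
```

Run as a script, the detector reports only `bob`, with five unapproved prompts in ten minutes followed by an approval; `carol`’s two denials hours apart are left alone. The limiter is meant to sit in front of the call that sends the push: once it returns `False`, the log-in attempt should fail without any further prompt.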

Adversary-in-the-Middle Attacks

An adversary-in-the-middle (AiTM) attack makes users believe they’ve logged into a genuine network, application, or website. However, the hacker snags their username and password, and can then manipulate the MFA function. Once the user enters their credentials on the fake site, the hacker enters them on the legitimate site, triggering a legitimate MFA request. The user, who just entered their credentials (on a fraudulent site), expects this MFA request and approves it. The hacker then gets access to their account.

Example of This Cyberattack

  • Attackers used an AiTM campaign in November 2024 to steal credentials and intercept session cookies from Microsoft 365 accounts. Once the victim authenticates through the proxy, the session cookie is relayed to the hacker, who can then log in as the victim no matter what kind of MFA is set up, because the cookie is issued after MFA has already been completed.

How to Protect Yourself from This Cyberattack

  • Phishing-resistant, passwordless authentication (such as FIDO) helps against AiTM attacks: the credential only works for the genuine site’s address, so a proxy sitting on a lookalike domain can’t obtain a usable login.
  • If you’re running an organization, you can also use conditional access policies, such as requiring a trusted IP address or a compliant, managed device, so a session cookie captured by the proxy is of little use from the attacker’s machine.
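Both the phishing-resistant MFA bullet in the phishing section and the first AiTM defense above rest on the same mechanism: a FIDO/WebAuthn credential is bound to the site’s origin, and the browser, not the page, records that origin. The following Python is an added example written for this article to show why a relayed assertion is rejected; it is not code from any browser, authenticator, or vendor. The relying party `example.com`, the lookalike `example-login.com`, and the device key are placeholders, and the signature uses an HMAC stand-in (a real authenticator signs with an asymmetric key such as ES256) so the example runs with the standard library alone.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Hypothetical relying party (the genuine service); example.com is a placeholder.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

# Constructed stand-in for the authenticator's private key. A real authenticator
# holds an asymmetric key and the server verifies with the matching public key;
# a shared HMAC key is used here only so the example runs offline.
DEVICE_KEY = b"constructed-device-secret-not-for-production"


def issue_challenge() -> str:
    """Server side: a fresh random challenge per login, so a captured assertion can't be replayed."""
    return secrets.token_urlsafe(32)


def _rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(client_data: bytes, rp_id: str):
    """Device side: authenticatorData = rpIdHash || flags || signCount;
    the signature covers authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = _rp_id_hash(rp_id) + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(DEVICE_KEY, to_sign, hashlib.sha256).digest()


def browser_assert(origin: str, challenge: str, requested_rp_id: str = RP_ID):
    """Browser side. Two things a web page cannot control: the browser refuses an
    RP ID that is not the page's host or a parent domain of it, and it writes the
    page's real origin into clientDataJSON itself."""
    host = urlparse(origin).hostname or ""
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None  # browser blocks the request outright
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data, sig = authenticator_sign(client_data, requested_rp_id)
    return client_data, auth_data, sig


def verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes, expected_challenge: str):
    """Server side: the checks that make the credential phishing-resistant."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"  # stale or replayed assertion
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + str(cd.get("origin"))  # proxy or lookalike site
    if auth_data[:32] != _rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"  # credential was scoped to another site
    expected_sig = hmac.new(
        DEVICE_KEY, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    return True, "ok"


def demo_legit():
    """The user signs in on the genuine site."""
    challenge = issue_challenge()
    client_data, auth_data, sig = browser_assert("https://login.example.com", challenge)
    return verify_assertion(client_data, auth_data, sig, challenge)


def demo_aitm_relay(phishing_origin: str = "https://example-login.com"):
    """An AiTM proxy relays the genuine challenge to the victim's browser on the
    lookalike site. The page can only ask for its own host as RP ID, and the
    browser records the lookalike origin, so the relayed assertion is rejected."""
    challenge = issue_challenge()
    phishing_host = urlparse(phishing_origin).hostname
    client_data, auth_data, sig = browser_assert(
        phishing_origin, challenge, requested_rp_id=phishing_host
    )
    return verify_assertion(client_data, auth_data, sig, challenge)


if __name__ == "__main__":
    print("genuine site:", demo_legit())
    print("AiTM relay:  ", demo_aitm_relay())
```

Contrast this with a six-digit code: the code carries no information about where it was typed, so a proxy can forward it unchanged. Here the origin is part of the signed data, and a lookalike page can’t even ask the browser for the genuine site’s credential.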

Service Desk Attacks

Customer service departments and support desks are common targets for MFA bypass attacks. The hacker calls the service desk pretending to be a customer who’s forgotten their password. They might act distressed to pressure the agent into skipping proper verification procedures. Attackers also call support agents claiming their phone is lost and ask to enroll a new device. The agent sends a password-reset link or MFA enrollment to the hacker-controlled device, and the hacker gets into the account.

Example of This Cyberattack

  • The U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) issued a warning in April 2024 to alert IT staff in the health sector against service desk scams. A hospitality and entertainment organization was targeted in September 2023, and the attack involved the ransomware ALPHV (also known as BlackCat).

How to Protect Yourself from This Cyberattack

  • If you’re a service desk worker, your employer should make sure there are customer verification procedures in place and that you know how to follow them properly. When in doubt, stick to your company’s security policies.

SIM swapping exploits vulnerabilities in cell service providers, enabling hackers to take over your phone, including access to your MFA apps.

SIM Swapping

What’s the device you use most often for MFA? Your cell phone. That makes your phone a prime target for MFA hacks. SIM swapping schemes are similar to service desk attacks. Hackers contact your cell phone service provider and ask to transfer your service to a new SIM card—a card which is under the hacker’s control. In effect, they steal your phone number and everything that depends on it. They can then bypass any MFA you have set up with either your phone number or an authenticator mobile app.

SIM swapping is one of the easiest hacks to do, according to Haseeb Awan, CEO of America’s most secure and private cell phone service. He says, “If you click on a thousand expensive neighborhoods in the US, you will find maybe 50,000 houses. You can go on White Pages and buy that data for 10 cents or something. It will give you the telephone number of everyone who lives in those houses. You just run a record, you run a couple of algorithms, and you’ll find everything. Now you have 50,000 people to play with. It’s somewhat simple. It’s a very easy attack to do.”

Example of This Cyberattack

  • In August 2024, 10 people were charged with defrauding telecommunications companies, banks, and cell phone users in Canada of over $1 million. It was part of a SIM-swapping scam that the Toronto police had been investigating for over a year.

How to Protect Yourself from This Cyberattack

  • Try to refrain from sharing identifying information such as your phone number, address, or name online. Never give details of your mobile account to anyone who calls you claiming to be a representative, either.
  • Ask your carrier for a port-out or account PIN so your number can’t be moved to another SIM without it, and turn on the PIN for your SIM card to lock it, for an extra layer of security. Again, stronger forms of MFA that don’t depend on your phone number, such as biometrics or a security key, can help protect against SIM swapping as well.

MFA Bypass Hacks: Stay Alert

If you’re using MFA, then you’ve already taken a step toward better security. However, times change and technology evolves. MFA methods that worked 10 years ago are being cracked as cybercriminals look for new ways to break into our accounts. Keep the tips in this article in mind and think seriously about the security of your online and offline accounts.

Staying vigilant—and up to date on the latest security technologies—can keep your data safe.
