What Is Multi-Factor Authentication Phishing?

November 5, 2021

Multi-factor authentication (MFA) is one of the easiest and most effective ways to protect your business accounts. This additional layer of security can prevent more than 99% of account compromise attacks. The unfortunate reality is that cybersecurity is a cat-and-mouse game, and attackers are constantly evolving their tactics. One of the newest attacks focuses on fooling victims into handing over their MFA codes, commonly referred to as MFA phishing or OTP (one-time password) phishing.

The scam works like this:

The target receives a phone call, either from a real person or a recorded voice, claiming to be their bank, PayPal, Amazon, or another service. The voice on the other end informs them that a suspicious charge has been detected and that they are trying to confirm the details. They next tell the target that in order to stop the charge they need to confirm their identity. The voice on the other end will tell the victim that they are sending a code that needs to be provided over the phone for verification. Once the target provides that code, the attacker will state that the charge has been stopped and that the call can be ended.

What the target may not realize is that the code provided was not sent to verify the account and block the charge. It is actually the MFA code to access their account. In attacks like this, the attacker already has the target’s phone number, username, and password. All they need to gain access to the account is the MFA code. While the scam call is under way, the attacker waits to initiate a login attempt to the victim’s account. Once the timing is right during the call, they attempt to log in. This login attempt sends an MFA code to the victim’s phone as if they were logging in themselves. Since the target is likely distracted and concerned over fraudulent charges, the code being sent seems like an everyday occurrence and the target is more likely to provide it to the criminal on the other end of the line.
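From the service's side, a relayed code looks like a valid password and a valid code arriving from a device the account has never used. The following is an added example, not part of the original article, showing one way a defender could flag that pattern in authentication logs; the log format, event names, and device IDs are assumptions, and the sample events are constructed.

```python
from datetime import datetime

# Constructed sample auth log (not from the article). The event names and
# device IDs are assumptions: (timestamp, user, event, device).
EVENTS = [
    ("2021-11-01T09:00:00", "alice", "password_ok", "laptop-a1"),
    ("2021-11-01T09:00:02", "alice", "otp_sent", "laptop-a1"),
    ("2021-11-01T09:00:20", "alice", "otp_ok", "laptop-a1"),
    ("2021-11-02T08:15:00", "bob", "password_ok", "phone-b1"),
    ("2021-11-02T08:15:01", "bob", "otp_sent", "phone-b1"),
    ("2021-11-02T08:15:30", "bob", "otp_ok", "phone-b1"),
    # Unknown device, code entered 99 s later: the relayed-code pattern.
    ("2021-11-03T14:30:00", "alice", "password_ok", "unknown-x9"),
    ("2021-11-03T14:30:01", "alice", "otp_sent", "unknown-x9"),
    ("2021-11-03T14:31:40", "alice", "otp_ok", "unknown-x9"),
    # Unknown device, password correct, code never entered.
    ("2021-11-04T16:00:00", "bob", "password_ok", "unknown-x4"),
    ("2021-11-04T16:00:01", "bob", "otp_sent", "unknown-x4"),
    # First login ever for carol: no baseline, so no alert.
    ("2021-11-04T17:00:00", "carol", "otp_sent", "tablet-c1"),
    ("2021-11-04T17:00:25", "carol", "otp_ok", "tablet-c1"),
]

def find_suspect_logins(events):
    """Flag OTP challenges issued to a device the account never used before."""
    known = {}    # user -> devices with a completed MFA login
    pending = {}  # (user, device) -> time the code was sent
    findings = []
    for ts, user, kind, device in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "otp_sent":
            pending[(user, device)] = when
        elif kind == "otp_ok" and (user, device) in pending:
            sent = pending.pop((user, device))
            devices = known.setdefault(user, set())
            if not devices or device in devices:
                devices.add(device)  # baseline or already-trusted device
            else:  # valid password and code, but from an unseen device
                delay = int((when - sent).total_seconds())
                findings.append((user, device, "code_entered_on_new_device", delay))
    # Challenges left open: someone had the password but never got the code.
    for (user, device) in pending:
        if known.get(user) and device not in known[user]:
            findings.append((user, device, "challenge_unanswered", None))
    return findings

if __name__ == "__main__":
    for finding in find_suspect_logins(EVENTS):
        print(finding)
```

An unanswered challenge from an unknown device is worth acting on as well, since it means the password is already in someone else's hands even though the code was never handed over.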

Below is a real-life example of what the victim would hear if they were the target of this style of attack:

In order for this attack to be successful, the cybercriminal needs to have access to the target’s email address, password, and phone number. One way you can protect your organization’s business credentials is with Salvus TG’s Dark Web Monitoring service. Click here to learn more about Dark Web Monitoring and how it can help combat modern threats like OTP phishing.

This new threat is only becoming more popular, and we anticipate an increase in OTP phishing attacks against the small business sector. In order to protect your business from this type of threat, we strongly encourage sharing this information with your staff. Are you interested in improving your organization’s cybersecurity posture? Reach out to us today!