Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • The Security Leadership Issue
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementTechnologies & SolutionsSecurity Leadership and ManagementSecurity Education & Training

How attackers are pairing MFA manipulation & social engineering tricks

By Sinan Eren
Computer with a lock

Image via Unsplash

February 15, 2023

Stolen credentials can pose a major threat and give attackers instant access to a company's assets — employee data, customer data, sensitive information and financials. According to the 2022 Verizon Data Breach Investigations Report (DBIR), stolen credentials are responsible for nearly half of all cyberattacks. This is up from about 30% in 2017. The increase of stolen credentials on the dark web has made additional authentication methods vital for identity protection. The most commonly discussed is multi-factor authentication (MFA). MFA is a layered approach to cybersecurity where a user must present two or more credentials to verify that they are, in fact, who they say they are.

Previously touted as a vital security feature, MFA is not all it was once cracked up to be. Recent attacks on Uber and Twilio have shown that attackers are finding ways around it. One of the main problems with MFA? The tired person on the other side. Employees receive non-stop notifications requesting access to systems and, eventually, they give in or make a mistake.

Today’s hackers are waiting for people to make that same mistake. They deploy social engineering, spear phishing and waterholing attacks — and now push bombarding or exploiting MFA fatigue. In an MFA-fatigue attack, the hacker already has the victim’s username and password, which they likely gained using a credential stuffing or an email phishing attack. The only thing missing is the secondary authentication step. From this point, the hackers start sending push notifications to a user’s phone or device, where the user has to press accept or deny. They keep sending it until the user typically gets fed up before accepting it to eliminate the relentless notifications. Additionally, attackers send these push notifications at the most active times of the day to catch employees off guard. Today’s hackers are adaptable and have time to "lie in wait."

Dangers of MFA fatigue

MFA-fatigue attacks are pushed at the beginning of a work day, while in a meeting, right before lunch, in the middle of the night and right before holidays — times when employees are rushed to get things done. Employees become complacent since they deal with the authenticator app potentially hundreds of times a day and they just want it to go away. Pressing accept not only makes the notifications stop, but it also gives the attacker exactly what they want.

When attackers gain access to a business system the possibilities are endless. And, if hackers get access to the right account, they can gain access to a cloud service provider or network, laterally move throughout that environment and take custody or advantage of sensitive and confidential information. Attackers can do a lot of damage and even ruin a company’s reputation with the simple push of a button.

Prevention starts with proper training

Today’s attackers take advantage of the fact that users complete authentication requests without much thought. Users get the notification, press accept and go about their business. In a perfect world, this would be fine, but the attacker complicates the process and undermines the effectiveness of MFA. That’s why today’s businesses need to do more to prevent such infiltration.

Employees need proper training to know what to look for in these instances. Users need to know how to respond, or rather not respond, and whom to notify should they get a push notification they did not initiate. IT teams may also be able to configure access rules to prevent the process from completing if a device or request does not conform with policy.

Implement the principle of least privilege

Businesses serious about protecting their assets should also go a step beyond training and implement the principle of least privilege. Under the principle of least privilege, users only have access to what they need to carry out their job. This includes applications, files and data access. Only giving employees specific access can limit the damage that an MFA-fatigue attack can incur. Of course, this takes preparation on the part of the IT team and would require developing a process to define how requests for access are handled. There should also be periodic reviews to determine how access is utilized and privileges should be updated based on job functions and usage patterns.

Companies should also implement a zero trust strategy where every device and user are authenticated and authorized. Devices and users that are not authenticated and authorized simply don’t get access. Zero trust frameworks can eliminate the risk of credential theft even if hackers have a username and password and can launch an MFA-fatigue attack. The trick here is that despite having user credentials, the attacker has no way to attest to the device identity and additional user-centric contextual information such as geographic locations, time-based policies or device-posture requirements. With these additional cryptographic verification and contextual information steps, zero trust thwarts unauthorized logins.

Today’s attackers are adaptable and evolve quickly. As users, we must also evolve and take steps to secure our identities. With the right combination of training, security policies and zero trust technology, it is possible to provide protection from any credential-based attack vector.

KEYWORDS: burnout hacker least privileged access multi-factor authentication phishing attack zero trust

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Sinan Eren is the VP of Zero Trust Security at Barracuda.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Cybersecurity
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Cybersecurity
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security camera

40,000 IoT Security Cameras Are Exposed Online

Fountain pen

Trump Administration Executive Order Changes Cybersecurity Policy

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • hacker

    How can companies keep up with social engineering attacks?

    See More
  • threat

    How security teams can combat social engineering and insider threats

    See More
  • Child touching robot hand

    Report: Generative AI bots are susceptible to user manipulation

    See More

Related Products

See More Products
  • Whitepaper-Social-Media-3.gif

    Optimizing Social Media from a B2B Perspective

  • 9781138378339.jpg

    Surveillance, Crime and Social Control

  • school security.jpg

    School Security: How to Build and Strengthen a School Safety Program

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!