When Employees Help Hackers: How Threat Actors Bypass MFA

In the field of cyber incident response, we’re seeing more instances of criminals successfully bypassing multi-factor authentication (MFA) protocols. The ability to skirt MFA is particularly concerning, as it’s a cornerstone defense that businesses use to protect sensitive data and systems.

What’s more unfortunate? Employees are often how attackers bypass those defenses. 

Too often, employees are unwittingly helping bad actors circumvent MFA defenses, as sophisticated phishing emails trick overloaded employees into approving fake authentication requests. Once inside the system, the attackers can initiate fraudulent wire transfer requests from genuine company email accounts. 

As a result, business wire fraud losses have been skyrocketing — and those funds are usually irretrievable. By the time the victim discovers their error, it’s often too late.

Wire Fraud Is the New Cybercriminal Darling

While hijacking official company email accounts isn’t a new tactic, the sophistication of business email compromise (BEC) has been taken to a new level. The criminals’ end-game of these attacks is frequently wire fraud, since the funds are exceedingly difficult to recover once they’ve been transferred. 

The privacy attorneys who sit on TransUnion’s incident response advisory board report most of the multiple BEC cases they see on a daily basis are tied to wire fraud. Earlier this year, the average fraudulent wire request was more than $24,000 — a 46% jump over the previous month. 

The scheme often begins with phishing emails, which are now extremely convincing with help from AI. The attacker gathers enough information — sometimes using breached personal information available on the dark web or gathered from public social media accounts — to convincingly impersonate a trusted individual or organization. Mimicking the communication style of the impersonated party, the message usually contains a link to a spoofed login page designed to look identical to the organization’s actual sign-in portal. 

As the employee logs in, the attacker captures their credentials and, if possible, the session token, both of which allows them to bypass multi-factor authentication.

Once they’ve infiltrated the email system, they can impersonate executives directing a transfer be made or vendors sending payment instructions that appear legitimate but direct funds to fraudulent accounts. 

Overloaded Employees Make Mistakes

For these attacks to work, criminals rely heavily on human error. The problem isn’t employee negligence or a lack of cybersecurity defenses, but rather simple employee overload. 

Employees already receive a stream of system alerts and authentication prompts, so they don’t always think twice if they start receiving a succession of verification prompts. Hackers are hoping employees will eventually experience MFA fatigue and click “Approve” to make the notifications stop — either out of confusion or exhaustion. 

In workplaces characterized by crowded inboxes, endless notifications and tight deadlines, being digitally overwhelmed is understandable. Some employees can become so desensitized that whenever they receive a prompt, they approve it without thinking. That’s the one click a hacker needs. 

From IT’s perspective, the login appears authenticated — the correct credentials were entered and the user approved access.

It’s a low-effort, high-reward tactic that bypasses technical safeguards by simply betting on human distraction. Even criminals with limited technical skills can execute highly profitable scams, as long as they target the right overloaded employee. 

What Can Companies Do?

Because cyber incidents involving wire fraud are so difficult to reverse, awareness, recognition and prevention are key. When organizations follow these five practices, they can better support employees and reduce the odds of a permanent loss.  

1. Implement (and still require) MFA.

After just highlighting some of its flaws, this may seem counterintuitive. But, while MFA is not perfect, it remains a strong deterrent, especially when combined with other cybersecurity layers. Not every criminal may be stopped, but the additional verification steps can help prevent or slow down many attacks. 

2. Train employees regularly.

Phishing simulations and frequent reminders about good MFA practices (like never approving a login you didn’t initiate) are important. They may seem like basic measures in a landscape of advanced cybersecurity tech, but they work. Even better, these steps are inexpensive. 

3. Strengthen payment procedures.

It may be time to revisit company protocols for wire transfers — they should never be approved solely by email. Define formal procedures and approvers to layer on additional verification steps. 

4. Develop and rehearse your incident response plan.

When the worst happens, a company’s response can have a major impact on how it recovers. Knowing who to call, how to preserve evidence and how affected parties will be notified can help limit the financial, operational and reputational damage caused by cyber incidents. 

5. Collaborate with insurance and legal partners.

Cyber incidents and wire fraud schemes can create significant financial, regulatory and legal exposure. Engaging cyber insurance providers and legal experts early can help you better manage the fallout and complex legal ramifications. 

Empowering With Knowledge, Not Just Tech

No technical defense is foolproof and, in today’s digital workplace, cybercriminals don’t need to break down the door if they can trick an employee to open it.

Many employees don’t realize the critical role they play in the organization’s cybersecurity, so they may let their guard down — which is what cybercriminals are counting on. Empowering employees with knowledge and confident in addition to strong cybersecurity tools makes them far less likely to make costly mistakes.