Miguel is a dedicated employee in the corporate offices of a department store chain. As part of his daily routine, he uses multi-factor authentication (MFA) to access his work applications. One morning, while he was focusing on a crucial project, his phone buzzed with a push notification asking him to approve an MFA request. Distracted, he declined the request, thinking it was a mistake. But the notifications kept coming—buzz after buzz, interrupting his workflow.
Frustrated by the barrage of alerts, Miguel approved one of the notifications, hoping it would stop the interruptions. The alerts did stop, but this was exactly what the attacker was counting on. A cybercriminal had obtained Miguel’s login credentials through a phishing scam and was now using an MFA fatigue attack to gain access to his company’s system. By the time Miguel realized his mistake, the attacker had already infiltrated the network, leading to a significant security breach.
Did you spot the red flags?
- Miguel should have reported the unexpected prompts to a manager or the IT department instead of approving one to make them stop.
- Miguel should not have approved the MFA request, since he had not tried to log in to his account in the first place; a prompt you did not trigger means someone else is using your password.
What you should know about this scam
An unexpected MFA prompt means someone who already has your password is trying to sign in. If you receive one or more prompts you did not trigger, do not approve them, even to make the buzzing stop. Immediately report the incident to your IT department and change the password of the affected account.
Where your organization offers it, prefer an MFA method that cannot be approved with a single tap. Push notifications with number matching (you must enter a code shown on the login screen into the app), authenticator apps that generate one-time codes (an attacker cannot trigger a prompt on your phone), and phishing-resistant methods such as FIDO2 security keys or passkeys, which typically use a fingerprint or face scan to unlock, are all far less susceptible to MFA fatigue attacks. Keep in mind that a one-time code can still be phished if you type it into a fake login page, so the advice above still applies.
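The IT department has its own role in the scenario above: the burst of denied push prompts followed by a single approval is visible in the identity provider's logs before Miguel ever calls. The following Python script is an added example, not code from the original page; it runs a simple sliding-window detection over a constructed log (the line format `<timestamp> user=... event=... ip=...` and the sample entries are assumptions for this illustration, and a real identity provider's schema will differ). It flags any user with three or more denied prompts inside ten minutes, and escalates the finding when an approval follows the burst, which is exactly the pattern the attacker was counting on.

```python
"""Detect MFA push-fatigue patterns in authentication logs.

Added example for this page (not from the original page or any vendor).
Assumed, constructed log format, one event per line:
    <ISO-8601 timestamp> user=<name> event=<push_sent|push_denied|push_approved> ip=<addr>
Adapt parse_line() to your identity provider's real schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "miguel" denies three prompts and then approves one,
# "lee" denies three and never approves, "ana" and "pat" are normal behaviour.
SAMPLE_LOG = """\
2024-03-04T08:01:10 user=miguel event=push_sent ip=203.0.113.7
2024-03-04T08:01:15 user=miguel event=push_denied ip=203.0.113.7
2024-03-04T08:01:40 user=miguel event=push_sent ip=203.0.113.7
2024-03-04T08:01:44 user=miguel event=push_denied ip=203.0.113.7
2024-03-04T08:02:30 user=miguel event=push_sent ip=203.0.113.7
2024-03-04T08:02:33 user=miguel event=push_denied ip=203.0.113.7
2024-03-04T08:03:50 user=miguel event=push_sent ip=203.0.113.7
2024-03-04T08:03:58 user=miguel event=push_approved ip=203.0.113.7
2024-03-04T08:05:00 user=ana event=push_sent ip=198.51.100.2
2024-03-04T08:05:05 user=ana event=push_approved ip=198.51.100.2
2024-03-04T09:10:00 user=ana event=push_sent ip=198.51.100.2
2024-03-04T09:10:09 user=ana event=push_denied ip=198.51.100.2
2024-03-04T09:10:30 user=ana event=push_sent ip=198.51.100.2
2024-03-04T09:10:35 user=ana event=push_approved ip=198.51.100.2
2024-03-04T10:00:00 user=lee event=push_denied ip=192.0.2.9
2024-03-04T10:00:30 user=lee event=push_denied ip=192.0.2.9
2024-03-04T10:01:00 user=lee event=push_denied ip=192.0.2.9
2024-03-04T11:00:00 user=pat event=push_denied ip=192.0.2.44
2024-03-04T11:20:00 user=pat event=push_denied ip=192.0.2.44
2024-03-04T11:40:00 user=pat event=push_denied ip=192.0.2.44
"""


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    event: str
    ip: str  # not used by the detection, kept for analyst context


def parse_line(line: str) -> MfaEvent:
    """Parse one log line of the assumed format into an MfaEvent."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return MfaEvent(datetime.fromisoformat(ts_str), kv["user"], kv["event"], kv["ip"])


def detect_push_fatigue(lines, window=timedelta(minutes=10), threshold=3):
    """Return {user: verdict} for every user with >= threshold denied prompts
    inside any `window`-long span.

    verdict is "approved_after_denials" when an approval lands within `window`
    after such a burst (the attacker got in), otherwise "denial_burst"
    (the user held firm, but their password is still compromised).
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = {}
    for user, evs in by_user.items():
        denials = [e for e in evs if e.event == "push_denied"]
        approvals = [e for e in evs if e.event == "push_approved"]
        verdict = None
        start = 0
        # Sliding window over the user's denials, ordered by time.
        for end in range(len(denials)):
            while denials[end].ts - denials[start].ts > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            burst_ts = denials[end].ts
            if any(timedelta(0) <= a.ts - burst_ts <= window for a in approvals):
                verdict = "approved_after_denials"
                break
            verdict = "denial_burst"
        if verdict:
            findings[user] = verdict
    return findings


def run_example():
    """Run the detection over the constructed sample log."""
    return detect_push_fatigue(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for user, verdict in run_example().items():
        print(f"{user}: {verdict}")
```

Either verdict should open a ticket: "denial_burst" means the password is already in an attacker's hands and must be reset, and "approved_after_denials" means the account should be treated as compromised, with sessions revoked and sign-in activity reviewed. The "pat" entries show why the time window matters: three denials spread over forty minutes are ordinary user behaviour, not a fatigue attack.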