Northern Businesses Hit By MFA-Bypassing Phishing Attacks

Issue 106

MFA-bypassing phishing attacks are increasingly prevalent in the UK, and businesses in the North East and Yorkshire are no exception. These attacks are designed to defeat multi-factor authentication (MFA), leaving organisations and individuals exposed even when a second factor is in place.

New data released for October Cyber Security Month by the North East Business Resilience Centre (NEBRC), a Police-led non-profit that helps small businesses reduce cyber risk, has found that over a third of workers in the North East (38%) and almost half in Yorkshire and Humber (46%) have experienced some form of phishing incident at work.

The survey of 1,000 British working adults found gaps in workplace protection and outdated training. In the North East and Yorkshire, many workers have had no training in MFA and phishing, cannot remember it, or were last trained some time ago.

What Are MFA Bypass Phishing Email Attacks?

Phishing emails are deceptive messages sent by attackers posing as legitimate contacts or organisations. They aim to trick recipients into one of three things:

Clicking on a malicious link

Opening a dangerous attachment

Divulging sensitive information, such as passwords, or making fraudulent payments

Martin Wilson, Police Detective Inspector and Head of Student Services at NEBRC, explains:

“The latest trend in phishing involves hackers using compromised, legitimate email accounts to send these phishing emails. Instead of creating fake email accounts that are easy to spot (like “ebbay.com” instead of “ebay.com”), hackers prefer to take over real accounts and send malicious emails to people in the victim’s address book.”

Martin adds:

“Typically, a phishing email prompts the recipient to open a link or attachment, which leads to a fake login page (like a fake Microsoft 365 sign-in page). The page requests the user’s login credentials, and if the user provides them, the hacker captures the username and password.

“If the compromised account has MFA enabled, you have an additional layer of protection. However, certain types of MFA, like SMS text codes or authenticator apps, can still be bypassed.”

Here’s how:

OTP (One-Time Password) Interception: the fake login page asks for the MFA code as well as the password. Whether the code arrived by SMS or was generated by an authenticator app, the attacker relays it to the real service within its validity window (typically 30 to 60 seconds) and is signed in as the user. The code itself is not tied to the website it was typed into, which is why it works just as well for the attacker as it would have for the victim.

Once inside, attackers often:

Send phishing emails to your contacts, rapidly spreading the attack.

Set up inbox rules that delete incoming messages or move them out of sight (including replies from contacts asking "did you really send this?"), so the account owner does not notice the compromise.

Continue using the account until someone, usually a recipient of one of the suspicious emails, contacts the account owner to alert them.

More Secure MFA Methods: On-Screen Codes and Physical MFA Keys

Over one in five (22%) UK workers don't use any type of MFA at work, rising to almost half (44%) in the North East.

Consider using more secure forms of MFA, such as:

On-Screen Codes (number matching): the sign-in page shows a number, which you type into the authenticator app to approve the prompt, rather than typing a code from the app into the page. This stops someone approving a prompt they did not start (so-called MFA fatigue or push bombing) and makes the attack harder. Note, however, that a real-time relay can still pass the displayed number through the fake page, so number matching is a step up from plain push approval, not a phishing-proof method.

Physical MFA Keys: USB or NFC security keys that use FIDO2/WebAuthn are not just hard to steal. The key signs a challenge that is bound to the website address the browser is actually on, so a signature produced while the user is on a look-alike domain is rejected by the real service and cannot be relayed. An attacker would need physical possession of the key to log in, which makes phishing for credentials ineffective.
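To make the difference between the two sections above concrete, here is an added illustration (not NEBRC code or anything from the article) that models a real-time phishing relay against both a one-time code and a security key. The service, the origins `login.example.com` and `login.examp1e.com`, and the key material are all assumptions; the HMAC "signature" is a simplified stand-in for the public-key signature a FIDO2/WebAuthn key produces, while the TOTP routine follows RFC 6238 exactly. The relayed code is accepted; the relayed key assertion is refused because the browser, not the user, fills in the origin that gets signed.

```python
"""Toy model of a real-time phishing relay against two kinds of MFA.

Added illustration for this article, not NEBRC or vendor code. `Service`
stands in for a real identity provider; the HMAC "signature" is a simplified
stand-in for the public-key signature a FIDO2/WebAuthn security key makes.
The TOTP function itself follows RFC 6238 (HMAC-SHA1, 30 s steps).
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example.com"    # genuine sign-in page (assumed name)
PHISH_ORIGIN = "https://login.examp1e.com"   # look-alike phishing page (assumed name)
STEP = 30


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 code for time `now`; valid anywhere the seed is known, for STEP seconds."""
    mac = hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Service:
    """Relying party holding the user's TOTP seed and registered key material."""

    def __init__(self):
        self.totp_seed = secrets.token_bytes(20)    # shared with the user's authenticator app
        self.key_secret = secrets.token_bytes(32)   # stand-in for the security key's public key
        self.challenges = set()

    def verify_totp(self, code: str, now: int) -> bool:
        # Accept the current step and one either side, as servers do to tolerate clock drift.
        return any(hmac.compare_digest(code, totp(self.totp_seed, now + d * STEP))
                   for d in (-1, 0, 1))

    def new_challenge(self) -> str:
        c = secrets.token_hex(16)
        self.challenges.add(c)
        return c

    def verify_assertion(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("challenge") not in self.challenges:
            return False
        self.challenges.discard(client_data["challenge"])   # each challenge is single use
        if client_data.get("origin") != REAL_ORIGIN:
            return False   # signed for some other site; the key never talked to us
        # The signature covers the whole client_data string, so the attacker cannot
        # simply edit the origin field to ours before forwarding it.
        expected = hmac.new(self.key_secret, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


class SecurityKey:
    """Authenticator: signs whatever the *browser* reports as the calling origin."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def sign(self, challenge: str, origin_seen_by_browser: str) -> dict:
        client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                                 sort_keys=True)
        sig = hmac.new(self.secret, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": sig}


def relay_totp_attack(service: Service, victim_seed: bytes, now: int) -> bool:
    """Phishing page collects the 6-digit code and submits it to the real site within seconds."""
    stolen_code = totp(victim_seed, now)              # victim reads this off the app, types it in
    return service.verify_totp(stolen_code, now + 5)  # attacker replays it 5 s later: accepted


def relay_webauthn_attack(service: Service, key: SecurityKey) -> bool:
    """Phishing page fetches a genuine challenge and forwards it to the victim's browser."""
    challenge = service.new_challenge()
    assertion = key.sign(challenge, PHISH_ORIGIN)     # browser is on the look-alike origin
    return service.verify_assertion(assertion)        # rejected: origin mismatch


def legitimate_webauthn_login(service: Service, key: SecurityKey) -> bool:
    challenge = service.new_challenge()
    return service.verify_assertion(key.sign(challenge, REAL_ORIGIN))


if __name__ == "__main__":
    svc = Service()
    key = SecurityKey(svc.key_secret)
    print("TOTP relay accepted:   ", relay_totp_attack(svc, svc.totp_seed, int(time.time())))
    print("Genuine key login:     ", legitimate_webauthn_login(svc, key))
    print("Relayed key assertion: ", relay_webauthn_attack(svc, key))
```

The design point is that nothing the user does differently saves the one-time code: it is a bearer value, and any site that receives it can spend it. The security key's assertion, by contrast, carries the origin the browser observed, so the phishing page can only ever obtain a signature for its own domain.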

Steps to Protect Against MFA Bypass Attacks

1) Educate Your Team: Ensure employees know how to spot phishing emails and understand the risks of opening suspicious links or attachments.

2) Implement Stronger MFA: move to phishing-resistant MFA (FIDO2 security keys or passkeys) wherever the service supports it. Where it does not, prefer number-matching push approval over SMS or typed one-time codes, bearing in mind that those can still be relayed.

3) Be Alert to Unusual Activity: login alerts you don't recognise, or MFA prompts you did not start, mean someone already has your password. Investigate immediately and change it.

4) Regularly Review Email Rules: check mailbox rules for anything that deletes, forwards, or moves incoming mail out of the inbox. Administrators should audit rule creation across the whole organisation, not just their own mailbox.

5) Use Spam Filters: Ensure your business has up-to-date spam filters that can detect phishing attempts.

6) Set up Location Rules: where your identity provider supports it (conditional access or sign-in risk policies), restrict sign-ins to UK locations and block those from elsewhere. Treat this as a speed bump rather than a fix: attackers routinely route through UK-based proxies or VPNs, and a relay attack happens from wherever the phishing server sits.
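Step 4 above, and the "hide incoming messages" behaviour described earlier, are easiest to act on if the check is automated. The following is an added example written for this article, not NEBRC or NCSC tooling. It triages exported mailbox-rule audit events and flags the patterns that typically follow an account takeover: rules that delete or mark mail as read, move it to rarely viewed folders, forward it outside the organisation, or filter on words such as "hacked" or "phishing". The records are constructed to mirror the shape of Exchange Online audit output (`New-InboxRule` / `Set-InboxRule` operations with a `Parameters` list of Name/Value pairs); the tenant domain `example.co.uk`, the user names, IPs and folder names are all assumptions.

```python
"""Flag suspicious inbox rules in exported mailbox audit records.

Added example, not NEBRC/NCSC code. SAMPLE_RECORDS is constructed to mirror
the shape of Exchange Online unified audit log entries for inbox-rule changes;
field names and the tenant domain are assumptions for illustration only.
"""
import re

INTERNAL_DOMAIN = "example.co.uk"   # assumed tenant domain; anything else is "external"

# Folders attackers commonly park hidden mail in (names vary by tenant language).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items", "notes"}
# Filter words that target warnings about the compromise or the fraud being run.
SUSPICIOUS_WORDS = {"hacked", "hack", "phishing", "suspicious", "invoice", "payment",
                    "password", "mfa", "security", "helpdesk", "compromised", "fraud"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record: dict) -> dict:
    """Turn the Name/Value parameter list into a plain dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _words(value: str) -> set:
    return {w.strip().lower() for w in re.split(r"[;,]", value) if w.strip()}


def analyse_rule_event(record: dict):
    """Return (suspicious, reasons). A hiding or forwarding action is what triggers a flag;
    keyword filters and blank rule names are recorded as supporting evidence only."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return False, []
    p = _params(record)
    actions, notes = [], []

    if p.get("DeleteMessage", "").lower() == "true":
        actions.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        actions.append("marks matching mail as read")
    # MoveToFolder is logged as "user@domain:\Folder"; keep only the folder name.
    folder = re.split(r"[\\:]", p.get("MoveToFolder", ""))[-1].strip()
    if folder.lower() in HIDING_FOLDERS:
        actions.append(f"moves mail to '{folder}'")
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in EMAIL_RE.findall(p.get(key, "")):
            if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
                actions.append(f"{key} -> external address {addr}")

    filt = set()
    for key in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        filt |= _words(p.get(key, ""))
    hits = sorted(filt & SUSPICIOUS_WORDS)
    if hits:
        notes.append(f"filters on {hits}")
    name = p.get("Name", p.get("Identity", ""))
    if not name.strip(" .,-_"):
        notes.append(f"near-empty rule name {name!r}")

    return bool(actions), actions + notes


def triage(records: list) -> list:
    """Return one finding per suspicious event, ready for an analyst to review."""
    flagged = []
    for r in records:
        suspicious, reasons = analyse_rule_event(r)
        if suspicious:
            flagged.append({"user": r.get("UserId"), "ip": r.get("ClientIP"),
                            "operation": r["Operation"], "reasons": reasons})
    return flagged


SAMPLE_RECORDS = [  # constructed for this example
    {"Operation": "New-InboxRule", "UserId": "a.smith@example.co.uk", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phishing;suspicious;password"},
         {"Name": "MoveToFolder", "Value": "a.smith@example.co.uk:\\RSS Subscriptions"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "b.jones@example.co.uk", "ClientIP": "198.51.100.20",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example.net"},
         {"Name": "MoveToFolder", "Value": "b.jones@example.co.uk:\\Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "j.doe@example.co.uk", "ClientIP": "203.0.113.9",
     "Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "SubjectContainsWords", "Value": "invoice,payment"},
         {"Name": "ForwardAsAttachmentTo", "Value": "\"Accounts\" <smtp:accounts@collector.example.net>"},
         {"Name": "DeleteMessage", "Value": "True"}]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding["user"], finding["operation"], "from", finding["ip"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against a real export, the legitimate "Newsletters" rule passes while the two post-compromise patterns are surfaced with the reason for each, which is the list a responder needs when deciding whether to reset the account and review what else the attacker did while inside.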

Shockingly, almost a third of workers (32%) have never undertaken MFA or phishing training. What's more, two-thirds (66%) of business owners have had no MFA or phishing training in the last year, and half (50%) say they have never had any. This is surprising given the financial and reputational damage such breaches can cause.

Businesses can find further guidance from the NEBRC and National Cyber Security Centre (NCSC).
