In a recent post, we discussed the cause of a 270% increase in business e-mail compromise scams, known as “B.E.C.” scams. There, hackers spoofed e-mails from company executives directing lower-level employees to wire money to hacker-owned bank accounts under the guise of a purchase order or other business invoice. While B.E.C. scams are relatively unsophisticated, other recently reported scams are more complex.
One such scam preys on the two-factor authentication (“2FA”) codes that financial institutions and other keepers of highly sensitive data send by text message. As in B.E.C. scams, a 2FA scam begins with a spoofed e-mail or text message. The spoofed message appears to come from a company with which the target has an account. It warns the target of “suspicious activity” or some other potential “breach” of the account, tells the target that an authentication code is about to arrive by text message, and directs the target to reply with or forward that code to a particular number.
The hacker then attempts to log into the target’s account using a username and password acquired from a phishing scam, keystroke-logging malware or a prior data breach. That login attempt is what causes the company to send the genuine authentication code to the target’s phone. Unbeknownst to the target, the number to which the target forwards the code is controlled by the hacker, who enters the code into the pending login and gains unfettered access to the target’s account. The code itself is real; the only thing the hacker needed from the target was its delivery to the wrong person.
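To make the mechanism concrete, here is an added simulation of the relay described above. It is not code from the original post; the toy service, the leaked password, the phone numbers and the session labels are all constructed for illustration. The point it shows is that the one-time code is bound to the login attempt, which the hacker started, so a forwarded code completes the hacker’s session, and the service sees nothing out of the ordinary.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed data for the simulation: a password leaked in a prior breach
# and the phone number the service has on file for the account.
LEAKED_PASSWORDS = {"alice": "correct horse battery staple"}
PHONES_ON_FILE = {"alice": "+15555550100"}
ATTACKER_NUMBER = "+15555550199"  # number the spoofed message tells the target to reply to


@dataclass
class Attempt:
    username: str
    code: str             # six-digit one-time code texted to the phone on file
    requested_by: str     # label for the session that started the login
    submitted_by: str = ""
    verified: bool = False


class ToyService:
    """Service that gates logins behind a one-time code sent by text message."""

    def __init__(self):
        self.pending = {}      # attempt_id -> Attempt
        self.sms_outbox = []   # (destination number, message text)

    def start_login(self, username, password, session):
        """Check the password; on success, text a fresh code to the phone on file."""
        if password != LEAKED_PASSWORDS.get(username):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        attempt_id = secrets.token_hex(8)
        self.pending[attempt_id] = Attempt(username, code, requested_by=session)
        # The code goes to the account holder's phone no matter who started the login.
        self.sms_outbox.append((PHONES_ON_FILE[username], f"Your login code is {code}"))
        return attempt_id

    def finish_login(self, attempt_id, submitted_code, session):
        """Accept the code only once, and only from the session that requested it."""
        attempt = self.pending.get(attempt_id)
        if attempt is None or attempt.verified or attempt.requested_by != session:
            return False
        if not hmac.compare_digest(attempt.code, submitted_code):
            return False
        attempt.submitted_by = session
        attempt.verified = True
        return True


def run_relay_scam(service):
    """Play out the scam; returns (attacker_logged_in, attempt record)."""
    # 1. A spoofed "suspicious activity" text reaches the target, asking them to
    #    forward the code they are about to receive to ATTACKER_NUMBER.
    # 2. The attacker starts a login with the stolen password. This is what makes
    #    the service send the genuine code to the target's phone.
    attempt_id = service.start_login("alice", LEAKED_PASSWORDS["alice"], session="attacker")
    destination, text = service.sms_outbox[-1]
    assert destination == PHONES_ON_FILE["alice"]   # the target, not the attacker, gets the text
    # 3. The target believes the code relates to the "breach" and forwards it.
    forwarded_sms = {"to": ATTACKER_NUMBER, "body": text.split()[-1]}
    # 4. The attacker types the relayed code into their own pending session.
    ok = service.finish_login(attempt_id, forwarded_sms["body"], session="attacker")
    return ok, service.pending[attempt_id]


def run_honest_login(service):
    """The same flow with no attacker, for comparison with the scam."""
    attempt_id = service.start_login("alice", LEAKED_PASSWORDS["alice"], session="alice-phone")
    _, text = service.sms_outbox[-1]
    ok = service.finish_login(attempt_id, text.split()[-1], session="alice-phone")
    return ok, service.pending[attempt_id]


if __name__ == "__main__":
    record_ok, record = run_relay_scam(ToyService())
    print("attacker logged in:", record_ok,
          "| requested_by:", record.requested_by, "submitted_by:", record.submitted_by)
```

Note what the service can and cannot see. Its own safeguards hold: the code is accepted once, only by the session that requested it, and never without the right password. Yet the scam still succeeds, because the session that requested the code and the session that submitted it are both the hacker’s, exactly as in an honest login. The service cannot tell that the code passed through the target’s hands on the way. That is why the defence in this kind of scam rests with the account holder, and why the rule in the next paragraph, never forward a code, matters.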
A 2FA system is only as strong as the account holder’s handling of an unexpected code: a one-time code sent by text message protects nothing once it has been shared. Business organizations and their clients should be familiar with 2FA scams. Leaders should warn executives and customers that authentication codes will never be requested and should never be forwarded, and that an unrequested code is itself a sign that someone else is trying to log in with their password. Account holders should not panic if they receive an unexpected message warning of suspicious activity or a breached account; instead, they should contact the company through a channel they already trust. By working together, businesses and their clients can avoid becoming the next victim of 2FA scams.