Two-Factor Authentication Scams Prey on Panic


In a recent post, we discussed the cause of a 270% increase in business e-mail compromise scams, known as “B.E.C.” scams. There, hackers spoofed e-mails of company executives that directed lower-level employees to wire money to hacker-owned bank accounts under the guise of purchase order or other business invoice. While B.E.C. scams are relatively unsophisticated, other recently reported scams are more complex.

One such scam preys on two-factor authentication (“2FA”) techniques often used by financial institutions and other highly sensitive keepers of data. Like in B.E.C. scams, in the 2FA scams, a hacker first uses a spoofed e-mail or text message. The spoofed message will appear to come from a company with which the target has an account. It will notify the target of “suspicious activity” or some other potential “breach” of the target’s account, and direct the target to reply with or forward an authentication code, which the target will receive via text messaging to a particular number.

The hacker then logs into the target’s account using usernames and passwords that he or she acquired from phishing scams, keystroke-logging malware or prior data breaches, prompting the authentication code to be sent to the target. Unbeknownst to the target, the hacker owns the phone number to which the target sends the authentication code, and the hacker has unfettered access to the target’s accounts.

The security enhancements of 2FA systems are only as strong as the authenticator’s ability to handle the unexpected. Business organizations and their clients should be familiar with 2FA scams. Leaders should warn executives and their customers that authentication codes will never be requested and should never be forwarded. Authenticators should not panic if they receive an unexpected message warning of suspicious activity or a breached account. Instead, by working together, businesses and their clients can avoid becoming the next victim of 2FA scams.

Eric Walz is an associate at Nixon Peabody, a global law firm specializing in complex challenges in litigation, real estate, corporate law and intellectual property anywhere in the world. Read more Nixon Peabody blogs here.

Nixon Peabody

At Nixon Peabody, we see 21st century law as a tool to help shape our clients’ futures. We are constantly thinking about what is important to our clients now and next so we can foresee obstacles and opportunities in their space and smooth the way. We work together to handle complex challenges in litigation, real estate, corporate law, intellectual property, and finance anywhere in the world.