We’ve all heard of things like malware, perhaps even more specific terms like spyware, but in this blog we’ll cover two methods of bypassing MFA that you may not be aware of.
Two of the most common methods we’re seeing today are push bombing (also known as MFA fatigue) and SIM swapping. Both are ways attackers can bypass multi-factor authentication (MFA) – a security measure designed to keep your accounts safer.
Let’s break them down.
Push bombing works by flooding a user’s phone with endless MFA requests. The attacker tries logging into a system over and over, which triggers a flood of verification prompts (those “approve sign-in?” popups).
Eventually, the target gets annoyed or confused – or thinks it’s just a glitch – and accidentally hits “approve.” Boom. The attacker is in.
And the worst part? Because the login was technically approved, your IT or security team may not even realise anything suspicious has happened.
SIM swapping is a little more technical but just as dangerous. The attacker calls up your mobile provider, pretends to be you, and convinces them to move your phone number to a new SIM card they control.
Once they’ve got your number, they can receive all your calls and texts – including those all-important one-time passwords (OTPs) that many systems still send via SMS for 2FA.
From there, they can:
Bypass MFA
Reset passwords
Take over accounts
Install remote access tools
And in some cases, move deeper into your company’s network
Let’s say Tom in finance gets hit with a push bombing attack on a Friday afternoon. He’s trying to finish early for the weekend when he starts getting non-stop authentication prompts on his phone. After the tenth one, he sighs and taps “approve,” assuming it’s just an annoying glitch.
The attacker now has access to the finance system – it really does go from 0 to 100 like that.
Meanwhile, over in HR, Emma’s phone suddenly stops working. Unknown to her, someone just SIM-swapped her number. The attacker is now receiving her text messages, including MFA codes for the HR platform.
Within the hour, the attacker has:
Accessed sensitive payroll data
Changed key admin credentials
Installed remote tools for future access
All without tripping any obvious alarms.
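As an added example (not from the original post), here is a small Python detector for the push-bombing pattern described above, run over a constructed authentication log: it flags a burst of denied or unanswered prompts for one user, and again when an approval follows such a burst. The log format, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp user=... outcome=..." format.
SAMPLE_LOG = """\
2024-05-10T16:01:02Z user=tom.h outcome=timeout
2024-05-10T16:01:40Z user=tom.h outcome=denied
2024-05-10T16:02:15Z user=tom.h outcome=timeout
2024-05-10T16:02:51Z user=tom.h outcome=timeout
2024-05-10T16:03:30Z user=tom.h outcome=denied
2024-05-10T16:04:05Z user=tom.h outcome=approved
2024-05-10T16:02:00Z user=emma.k outcome=approved
2024-05-10T17:30:00Z user=emma.k outcome=approved
"""

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed value)
THRESHOLD = 3                    # non-approved prompts that count as a burst


def parse_line(line):
    """Split one log line into (timestamp, user, outcome)."""
    ts, user, outcome = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user.split("=", 1)[1], outcome.split("=", 1)[1])


def find_push_bombing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return alerts for prompt bursts and for approvals that follow a burst."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    pending = defaultdict(list)  # user -> timestamps of recent non-approved prompts
    alerts = []
    for ts, user, outcome in events:
        recent = [t for t in pending[user] if ts - t <= window]
        if outcome == "approved":
            if len(recent) >= threshold:  # the "finally tapped approve" case
                alerts.append({"kind": "approval_after_burst", "user": user,
                               "at": ts, "prior_prompts": len(recent)})
            recent = []  # an approval ends the sequence either way
        else:
            recent.append(ts)
            if len(recent) == threshold:  # fires once per burst
                alerts.append({"kind": "burst", "user": user, "at": ts,
                               "prior_prompts": threshold})
        pending[user] = recent
    return alerts


if __name__ == "__main__":
    for alert in find_push_bombing(SAMPLE_LOG):
        print(alert)
```

A user who keeps denying prompts still produces a "burst" alert, which is the signal the help desk should hear about even when nobody taps approve.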
To reduce the risk of both attacks:
Use number-matching MFA where possible (the user has to type the number shown on the sign-in screen into the authenticator app instead of just tapping “approve”)
Avoid SMS-based 2FA – use app-based authentication (like Microsoft Authenticator or Google Authenticator)
Train staff to report suspicious MFA prompts or mobile issues immediately
Work with mobile providers that have strong SIM-swap protection
We hope you’ve liked this blog. Stay tuned for more blogs like this. Stay safe!