What Is a Two-Factor Authentication Phishing Attack?

When you leave your home, do you just leave the light on to trick thieves into thinking that someone’s home, or do you lock all doors and windows? When you park your car, do you lock it but leave the window open, or do you make sure that no one can get in and steal your personal belongings? It is common sense that we do whatever it takes to keep ourselves safe in the physical world, so why don’t we take the same approach in the virtual world? Luckily, more and more people now realize how important it is to set up two-factor and multi-factor authentication. Without a doubt, those who only use a password/PIN/passcode to log into their accounts are at a much greater risk when compared to those who set up 2FA or MFA. That being said, nothing and no one can guarantee complete security.

Although no one can steal your smart TV or harm you physically if your password is exposed to attackers, the consequences can be more painful than you think. For example, if attackers manage to get into your online bank accounts, they might end up cleaning out your savings. If they manage to hijack social media profiles, they can seriously harm your reputation by using your name in malicious scams set up to, for example, attack your friends and colleagues. Virtual attackers usually rely on phishing scams to find gullible users and vulnerable systems, and some of them are so sophisticated that even more experienced users can be tricked. In this report, we discuss two-factor authentication phishing scams and the impact they might have. If you have 2-factor authentication set up, and you think you are invincible because of it, you need to read this report. At the very least, you will learn how phishing attacks work, but we also hope that you will learn how to protect yourself against them.

How do two-factor authentication phishing attacks work?

It is no longer news that 2FA is not invincible. Just a couple of months ago, we discussed how hackers are able to intercept text messages to steal two-factor authentication codes and, consequently, hijack users’ accounts without their notice. Two-factor phishing scams work in a very similar manner: hackers seek to steal authentication codes. To do that seamlessly, without alerting the victim, they set up fake websites and webpages. At first, the attackers have to cast the fishing line, and they can do that using pop-ups, links, advertisements, emails, and many other mediums. Of course, the scam has to be believable from the get-go, which is why the pop-up, link, advertisement, or email message has to be convincing and look legitimate. This might sound complicated, but, in reality, phishing scams work because they are simple in their structure.

Let’s say that the attacker sends you an email message that looks as if it came from Google. The message might look identical to other messages received from Google, which means that you might see the same font, a similar color scheme, familiar buttons, etc. Even the email address might look legitimate, but keep in mind that it is not difficult for experienced schemers to fake an email address. For example, something like googlesupportus@gmail.com might seem like a legitimate address, but it is completely bogus. If you are tricked into interacting with the links, buttons, or attachments delivered by the misleading message, you can be sent to a phishing website. This website – just like the email message – is set up to trick users, and so everything from the URL to the interface might confuse you. The point of this kind of phishing scam is to make you think that you are completely safe. Ultimately, if you are curious as to how phishing attacks work, you have to remember one thing: trust is everything.

In this particular situation, you are told that your login credentials have been compromised or that you need to authenticate yourself for some reason. The page you eventually land on looks like a real authentication code page, but, in fact, it is set up by schemers who want to steal the code. So, for example, if you are informed that you need to authenticate your Google account before you log in, you might request an authentication code by clicking a button or a link, and the attackers, at the same time, might be trying to get into your real Google account and requesting the same code on the legitimate site. Without a doubt, the fake website does not send any codes, but a real 2-factor authentication code is sent to, for example, your phone because the attackers requested it at the same time. Since the attackers cannot access your phone and read the code, you are tricked into disclosing it yourself. If the two-factor authentication phishing scam works, the attackers obtain the code and immediately use it to bypass the system and hijack the account.

If something feels fishy, it might be a phishing scam

Most platforms only allow a limited window of time during which a sent authentication code can be used. If the user takes their time, the attackers might not have enough time to apply the code on their end. If the code expires, you might be informed that the code you entered was incorrect, that an error occurred, or that something else went wrong. If you are sure that the code you entered was correct, you need to be suspicious about what is going on. This might be your only chance to save yourself. It is also a good idea to go straight to the source when you are asked to authenticate yourself. Schemers are, in most cases, very smart and know how to expose you to fake login pages, so if, for example, you are sent a link via email, you might as well go straight to the website or the app to log in instead. Do NOT trust random links, buttons, and sites, or you might get trapped by a phishing scam.
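The two defensive properties mentioned above, a short validity window and the fact that a code should only work once, are enforced on the server side. The following Python verifier is an added illustration of that logic (it is not Cyclonis code and not any real platform's implementation): codes are generated with a CSPRNG, tied to the login session that requested them, expire after a fixed TTL, can be redeemed only once, and lock after a few wrong guesses. The 30-second TTL, the three-attempt limit and the six-digit format are assumptions chosen for the example. Note what this does and does not achieve: an expired or already-used code is rejected, which is exactly the "code was incorrect" error the post describes when the attackers are too slow, but a relay that completes within the window still succeeds, which is why the post's advice to go straight to the real site rather than a link matters.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE_TTL_SECONDS = 30.0  # assumption: a code is valid for 30 seconds
MAX_ATTEMPTS = 3         # assumption: three wrong guesses lock the code


@dataclass
class PendingCode:
    """One issued code and its bookkeeping, kept only on the server."""
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpVerifier:
    """Server-side one-time-code store keyed by login session id (hypothetical design)."""
    ttl: float = CODE_TTL_SECONDS
    max_attempts: int = MAX_ATTEMPTS
    pending: Dict[str, PendingCode] = field(default_factory=dict)

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        """Generate a fresh 6-digit code for this session and remember it.

        A new request replaces any earlier code for the same session, so only
        the most recently delivered code is ever accepted.
        """
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"  # unpredictable, CSPRNG-backed
        self.pending[session_id] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, session_id: str, submitted: str, now: Optional[float] = None) -> str:
        """Check a submitted code; returns a short status string.

        Order of checks: unknown session, replay, expiry, lockout, then the
        constant-time comparison of the digits themselves.
        """
        now = time.time() if now is None else now
        entry = self.pending.get(session_id)
        if entry is None:
            return "no_pending_code"
        if entry.used:
            return "replayed"          # single-use: a redeemed code never works again
        if now - entry.issued_at > self.ttl:
            del self.pending[session_id]
            return "expired"           # the window the post describes has closed
        if entry.attempts >= self.max_attempts:
            del self.pending[session_id]
            return "locked"            # stops online guessing of the 6 digits
        entry.attempts += 1
        # compare_digest avoids leaking how many leading digits matched via timing
        if not hmac.compare_digest(entry.code, submitted):
            return "wrong_code"
        entry.used = True
        return "ok"


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock instead of time.time().
    v = OtpVerifier()
    code = v.issue("login-session-A", now=1000.0)
    print("fresh code within window:", v.verify("login-session-A", code, now=1010.0))   # ok
    print("same code a second time:", v.verify("login-session-A", code, now=1011.0))   # replayed
    late = v.issue("login-session-B", now=2000.0)
    print("code entered after 31 s:", v.verify("login-session-B", late, now=2031.0))   # expired
```

In a real deployment the `pending` dictionary would live in a shared store with the same TTL applied there, and the status strings would be mapped to the generic "code incorrect or expired" message shown to users so that the interface does not reveal which check failed.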

If possible, you should replace two-factor authentication with multi-factor authentication because it is much more difficult for attackers to bypass multiple authentication systems using a simple phishing scam. You should also consider biometric authentication where it is available because biometric data is usually something that attackers cannot fake or steal; at least, not yet. Of course, if your accounts have already been hijacked, you need to recover them and strengthen their security first. We recommend using a free password management tool called Cyclonis Password Manager. It will help you generate much stronger passwords to replace the compromised ones, it will encrypt them to ensure their safety, and it will also provide you with an extra layer of security when it comes to password protection. If you have questions about the tool, the security of your passwords, or how phishing scams work in general, post a comment below.

April 11, 2019