The Emerging Way Around 2FA

With individuals and companies understanding that security and phishing risks are on the rise, the implementation of 2FA (2 Factor Authentication) has become increasingly more prevalent. 2FA allows a user to add a level of security by adding another “factor”, besides their password that they must enter correctly to gain access to their account. Typically, 2FA is enabled on more high risk accounts such as finance applications or email but as the threat becomes greater it’s becoming utilized on more sites and apps.

As technology progresses, the social engineering capability does as well. Instead of a standard phishing attack where you receive an email with a dummy link, click the dummy link, then enter your (very real) banking information and they hacker then takes that information and tries it on the real banking site and gains access to your account. You can read more about how phishing works here.

As 2FA becomes more prominent the depth of these phishing-style attacks have as well. Attacks are now being sent through text messages making it more difficult to sense their legitimacy. See an example below:

The way these attacks are conducted is as follows:

Step 1: You’ll receive a text like the one above from a “trusted” institution like Chase or Bank of America, explaining some reason why you need to access your account.

Step 2: You click the link leading you to a dummy page that looks identical to a Chase or Bank of America Website.

Step 3: The website asks you to “reset” your password asking you to enter your old password and then your new one.

Step 4: Within 15-30 seconds that information is plugged into the actual Chase of BOA website, but you have 2FA enabled.

Step 5: You get a real text from the financial institution asking you to input a code on their site (the one the hackers are currently logging into) however, the dummy site asks for the code as well.

Step 6: You input the 2FA code into the dummy site and hackers now have your passwords and 2FA code and have gained full access to your account.

Once a hacker gains access via 2FA it’s pretty much over for any information behind that wall, they can use the same technology that got them in there to keep you out. Typically, by the time you’re able to allow the company to grant you access to the page, they’ve already done what they needed to do.

How to spot a potential 2FA phishing attempt?

There are key factors when it comes to spotting a fraudulent message, much like emails. If a text contains the following: Misspellings, links that don’t seem consistent with the brand that’s reaching out, broken English and sometimes improper wording.

The reason why these are effective is because if you’re not paying close attention, you could very easily miss the aforementioned criteria. A text message differs from an email because there’s no name, signature, font options, colors, etc. all of which can tell you different things about an email. With text messaging you have a single font, a single color, so all they have to do is get the wording and verbiage correct.

These attacks are so widespread that throughout the summer of 2021, the number of phishing URLs designed to impersonate Chase jumped by 300%, says security firm Cyren. That speaks to not only the shift in types of phishing but the effectiveness overall.

What to do to avoid falling victim?

Overall, these campaigns are meant to deceive, attackers are incredibly good at knowing how to trick us. Attackers take into account dozens of factors to make us believe the message we have received is legitimate. Here are few ways you can help yourself not become a victim:

Links – Never click links or dial phone numbers sent in emails or text messages. When possible, go to a company’s website or mobile app to make absolutely sure you’re accessing the right information and aren’t getting targeted for a phishing attack.

Second Opinion – A second opinion thwarts more attacks than you’d expect. A second set of eyes on a questionable message or email is a proven way to make sure that someone else can see the same potential inaccuracies that you are. Often times others have been approached with similar phishing style messages so it’s good to show a friend or family member if you receive something you think is suspicious.

Slow Down – This is a large part of the attacker’s advantage, we’re all so engaged in our lives that sometimes move too fast and don’t ask simple questions like “why is this website link different?” or “why doesn’t this email address have the proper suffix?”. Attackers prey on our ability to just trust bigger, very reputable corporations and follow instructions as they’re given to us because of their proven trustworthiness. In the end, just slow down and look into anything you receive that regards a high priority account.

Overall, we have to be vigilant when it comes to unfamiliar texts or emails we receive. It’s especially important to help older friends and family members who may not be a technologically savvy because they make up a large part of the victims of scams like this one among many others. If something doesn’t look or feel right about a text or email, odds are, it probably isn’t.