Hackers use various methods to get those login credentials. The goal is to gain access to business data as a legitimate user, as well as to launch further attacks from inside the account and send insider phishing emails.
How bad has the problem of account breaches become? Between 2019 and 2021, account takeover (ATO) rose by 307%.
Many organizations and individuals use multi-factor authentication (MFA). It's a way to stop attackers who have already obtained a user's username and password. MFA is very effective at protecting cloud accounts and has been for many years.
But it’s that effectiveness that has spurred workarounds by hackers. One of these nefarious ways to get around MFA is push-bombing.
When a user enables MFA on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then the system sends an authorization request to the user to complete their login.
The MFA code or approval request will usually come through some type of “push” message. Users can receive it in a few ways:
• SMS/text
• A device popup
• An app notification
Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.
With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a large data breach password dump.
They take advantage of that push notification process. Hackers attempt to log in many times. This sends the legitimate user several push notifications, one after the other.
Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to mistakenly click to approve access.
Push-bombing is a form of social engineering attack designed to:
• Confuse the user
• Wear the user down
• Trick the user into approving the MFA request to give the hacker access
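The pattern described above, a burst of push prompts to one user in a short time, is also what a defender can look for in authentication logs. The following is an added example, not code from the original article or from any MFA vendor: it parses constructed sample log lines (the timestamp,user,event,result format is an assumption, as are the user names) and flags any user who received a threshold number of push challenges inside a sliding window. It also records whether an approval landed during the burst, since that is the case where the user may have "clicked to approve" by mistake and the account should be treated as possibly compromised.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). One event per line:
# timestamp,user,event,result
SAMPLE_LOG = """\
2024-03-01T08:15:00Z,bob,mfa_push,approved
2024-03-01T09:00:00Z,alice,password_login,success
2024-03-01T09:00:01Z,alice,mfa_push,denied
2024-03-01T09:00:09Z,alice,mfa_push,timeout
2024-03-01T09:00:30Z,alice,mfa_push,denied
2024-03-01T09:01:02Z,alice,mfa_push,timeout
2024-03-01T09:01:45Z,alice,mfa_push,denied
2024-03-01T09:02:10Z,alice,mfa_push,approved
2024-03-01T10:00:00Z,carol,mfa_push,denied
2024-03-01T11:00:00Z,carol,mfa_push,denied
2024-03-01T12:00:00Z,carol,mfa_push,denied
2024-03-01T13:00:00Z,carol,mfa_push,denied
2024-03-01T14:00:00Z,carol,mfa_push,denied
2024-03-01T17:40:00Z,bob,mfa_push,approved
"""


def parse_log(text):
    """Turn the CSV-style lines into (timestamp, user, event, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=5)):
    """Flag users who got >= `threshold` push prompts within any `window`.

    Only mfa_push events count; password logins and other events are ignored.
    For each flagged user the largest burst is kept, together with whether any
    prompt in that burst was approved (a sign the user may have given in).
    """
    by_user = defaultdict(list)
    for ts, user, event, result in sorted(events):
        if event == "mfa_push":
            by_user[user].append((ts, result))

    alerts = {}
    for user, prompts in by_user.items():
        start = 0  # left edge of the sliding window
        for end, (ts_end, _) in enumerate(prompts):
            # Slide the left edge forward until the window fits.
            while ts_end - prompts[start][0] > window:
                start += 1
            burst = prompts[start:end + 1]
            if len(burst) >= threshold and len(burst) > alerts.get(user, {}).get("prompt_count", 0):
                alerts[user] = {
                    "prompt_count": len(burst),
                    "first_prompt": burst[0][0],
                    "last_prompt": burst[-1][0],
                    "approved_in_burst": any(r == "approved" for _, r in burst),
                }
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        severity = "HIGH (approval during burst)" if info["approved_in_burst"] else "MEDIUM"
        print(f"{user}: {info['prompt_count']} push prompts between "
              f"{info['first_prompt']:%H:%M:%S} and {info['last_prompt']:%H:%M:%S} -> {severity}")
```

With the sample above, only alice is flagged: six prompts in just over two minutes, ending in an approval. carol's five denied prompts are spread an hour apart and never fall inside one window, and bob's two normal logins are far below the threshold. In practice the threshold and window are tuned to the organization's own baseline, and a HIGH alert is the trigger for the security team to invalidate the session and reset the credentials, which is the follow-up the article recommends.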
Knowledge is power. When a user experiences a push-bombing attack, it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.
Let employees know what push-bombing is and how it works. Provide them with training on what to do if they receive MFA notifications they didn’t request.
You should also give your staff a way to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.
On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.
Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.