Anatomy of the scam

You've enabled multi-factor authentication on your accounts. Good. But MFA push-bombing — also called "MFA fatigue" — bypasses it.

The attacker already has your password (from a previous data breach or phish). They start logging in repeatedly, triggering a flood of MFA push notifications to your phone — sometimes one every 30 seconds, often at 3am. The attacker is betting you'll tap "Approve" eventually, either out of confusion or just to stop the noise.

Once you tap, the attacker is in. Famous compromises (Uber 2022, the Cisco breach 2022, and several MGM Resorts incidents) started this way.

The code-relay variant: the attacker calls you posing as IT support, claims a "synchronization issue," and asks you to read the MFA code aloud or tap Approve to "help verify the system."

The signs you are being attacked

  • A flood of MFA push notifications appears on your phone with no login attempts you initiated.
  • The pushes continue late at night, in clusters, restarting after you dismiss them.
  • You get an email about a login attempt from an unusual location or device.
  • A phone call follows, claiming to be IT, asking you to approve the prompt or read the code.
  • You see new sign-in alerts in your email from your bank, exchange, or work account.
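The first two signs above (a burst of pushes, clustered, with nothing approved) are also visible to whoever runs your identity provider. The following is an added example of detection logic over sign-in logs; it is not code from the original page or from any vendor. The log format, the field names, the five-minute window and the threshold of four pushes are all assumptions chosen for illustration, and the sample log lines are constructed.

```python
"""Flag MFA push-bombing in sign-in logs (added example, assumed log format)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample: one push roughly every 30 s to 'alice' at 3am, none approved;
# a single ordinary push to 'bob' that is approved within seconds.
SAMPLE_LOG = """\
2024-03-04T03:00:05Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-03-04T03:00:36Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-03-04T03:01:04Z user=alice event=mfa_push_denied ip=203.0.113.7
2024-03-04T03:01:07Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-03-04T03:01:38Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-03-04T03:02:09Z user=alice event=mfa_push_sent ip=203.0.113.7
2024-03-04T09:15:00Z user=bob event=mfa_push_sent ip=198.51.100.2
2024-03-04T09:15:12Z user=bob event=mfa_push_approved ip=198.51.100.2
"""

# Assumed line layout: ISO timestamp, then key=value fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "ip": m["ip"]}


def detect_push_bombing(log_text, window=timedelta(minutes=5), threshold=4):
    """Return one alert per user whose push count inside a sliding `window`
    reaches `threshold`. Each alert also records whether the user approved a
    push after the alert fired, which is the signal that the victim tapped."""
    pushes = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "mfa_push_approved":
            if rec["user"] in alerts:
                alerts[rec["user"]]["approved_after_alert"] = True
            continue
        if rec["event"] != "mfa_push_sent":
            continue
        q = pushes[rec["user"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = {
                "first_push": q[0].isoformat(),
                "count_in_window": len(q),
                "source_ip": rec["ip"],
                "off_hours": rec["ts"].hour < 6,   # crude "3am" indicator, assumed UTC
                "approved_after_alert": False,
            }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(SAMPLE_LOG).items():
        print(user, alert)
```

Run against the sample, only alice is flagged: four pushes inside the window from one source address, off hours, with no approval afterwards. An `approved_after_alert` of True is the case the "If you tapped Approve" section below deals with, and is the record IT would use to revoke sessions.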

Red flags during the call

  • "Hi, this is IT — I'm troubleshooting a sync issue, please tap Approve when the prompt appears."
  • "Read me the 6-digit code on your screen so I can re-register your device."
  • "Don't worry, this is just to silence the false positives."
  • They claim to be your bank, work IT, or a payment platform, calling you out of the blue.
  • They want urgency — "before more alerts go out."
  • They know your name and some personal context — easy to lift from LinkedIn or breach data.

How to defend

  1. Never approve an MFA prompt you didn't trigger. When in doubt, deny.
  2. Move from push-notification MFA to number-matching MFA where available. Microsoft, Google, Okta, and Duo all support number-matching, where you must enter a number shown on the login screen, not just tap Approve.
  3. Hardware-key or passkey-based MFA (YubiKey, Apple/Google passkeys) cannot be bypassed by push-bombing because there's no "approve" — the key must be physically present.
  4. If pushes arrive unexpectedly: deny them and immediately change your password from a clean device. Once the stolen password no longer works, the prompts stop.
  5. For "IT support" calls: hang up and call IT back on the company's published support number. Don't trust caller ID.
  6. Encourage your organization to enable rate-limiting and conditional access on MFA flows. Microsoft Entra ID, Okta, and others can block excessive prompts.

If you tapped Approve or shared the code

  • Sign out of all sessions immediately. Most platforms have a "sign out everywhere" option in security settings.
  • Change your password. Use a long, unique passphrase.
  • Rotate any session tokens — for work accounts, contact IT to revoke active sessions.
  • Review recent activity for unauthorized actions (account changes, password resets, transfer initiations).
  • Check email rules and forwarding — attackers commonly add forwarding rules to hide responses.
  • Check connected apps and OAuth grants — revoke anything you don't recognize.
  • Enable hardware-key / passkey MFA going forward. The next attempt won't work the same way.
  • If a financial account was breached: call the bank, file fraud reports, place credit freezes.

What not to do

  • Do not tap "Approve" just to silence the prompts. The attacker depends on this.
  • Do not read your MFA code over the phone to anyone, ever — IT included.
  • Do not assume the calls and prompts are unrelated. They are choreographed.
  • Do not dismiss the alerts without changing the password. The attacker has your password.

Where to report

  • FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
  • FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
  • CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
  • IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
  • Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.

FAQ

How did the attacker get my password in the first place? Most commonly, from a previous data breach. Visit haveibeenpwned.com to see which breaches your email appears in. Reuse of passwords across sites is the multiplier.

My company uses SMS for MFA. Is that safe? SMS is the weakest common MFA. It's vulnerable to SIM swap (see that page) and to phishing of the SMS code. Push notifications are better, number-matching is better still, hardware keys and passkeys are best.

Can I tell IT this was a push-bombing attempt? Yes, and you should. IT can review login attempts, identify the attacker's IP and geography, and tighten conditional-access policies. Most security teams want to know.

Are passkeys actually phishing-resistant? Yes. Passkeys are cryptographically tied to the domain you're authenticating to. A phishing site can't trigger a passkey login because the domain wouldn't match. Hardware keys (YubiKey) work the same way. Both are dramatically safer than passwords with SMS or push 2FA.