
Most businesses now use multi-factor authentication (MFA) – the code or app prompt you approve after typing your password. It is one of the best security steps you can take, and we recommend it to every client. But a worrying trend has surfaced: attackers are finding ways to get past MFA without ever stealing your password.
Security researchers are highlighting techniques like “device code phishing”, where a scammer tricks an employee into approving a login that the attacker started. The victim thinks they are signing in to a legitimate Microsoft or Google service. Instead, they are handing the attacker a valid, MFA-approved session straight into your email, files and accounts. No password theft required, and the login can look completely normal in your security logs.
This matters because MFA can create a false sense of safety. It is still essential – but it is not a set-and-forget shield. The good news is that a few practical steps close most of the gap.
- Train your team to pause. If an MFA prompt or login request appears that nobody started, deny it and report it. Attackers rely on people approving prompts on autopilot.
- Move to phishing-resistant MFA. App-based number matching or hardware security keys are far harder to trick than a simple “approve” tap or an SMS code.
- Watch for unusual logins. Sign-ins from new countries, odd hours or unfamiliar devices are red flags worth alerting on.
- Limit the damage. Make sure staff only have access to what they need, so one compromised account does not open every door.
You do not need to be a specific target to be a victim – many of these attacks are automated and hit small and medium businesses every day. A quick review of how your MFA is set up can make a real difference.
Worried this affects your business? Get a free 15-minute IT check – call Trends IT on 0485 011 911 or visit /contact/.
