Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.
Two-factor authentication (2FA) scams are a type of man-in-the-middle phishing scheme in which criminals masquerade as customer service representatives to trick victims into revealing verification codes designed to authenticate account holders and prevent unauthorized access to online accounts.
Many online services, including those offered by financial institutions, social media platforms, webmail accounts, and online retailers, employ 2FA to improve account security and protect customer accounts from unauthorized access or modification. 2FA provides an extra layer of security by requiring an additional piece of information beyond a username and password, such as an alphanumeric code, to verify account ownership. After usernames and passwords are entered, websites and applications generate these unique codes and send them to account holders via an email, a text message, or a phone call. Once the code is entered, the website or online service authenticates the user and provides access to the account.
Scammers use social engineering methods to trick victims into revealing 2FA codes to gain unauthorized access to their accounts. To circumvent 2FA, scammers collect information about a particular target such as username and password combinations, mobile phone numbers, or any associated online accounts. Criminals have access to this type of information from any number of data breaches and hacker forums specializing in the sale and trade of such data. Once criminals acquire this information they then attempt to access one of the target’s accounts using stolen credentials or through the account’s “forgot password” function—actions that trigger a 2FA code to be sent to a customer’s phone or email address. The scammer then contacts the target by phone, masquerading as a customer service representative calling to report fraudulent activity or a compromised account. The scammer tries to convince the target to share the newly generated 2FA code by claiming that it is required to verify the account holder’s identity or to resolve account issues. Once the target relinquishes the verification code, the scammer will use it to bypass 2FA protection and gain unauthorized access to the target’s account.
Phone-based phishing scams are not the only attack vector scammers use to pilfer 2FA credentials from victims. Scammers may contact targets using emails or text messages that spoof legitimate correspondence or security alerts. When targets navigate to links in the fake messages, they are sent to a phishing page that harvests login credentials and 2FA codes. Behind the scenes, a scammer captures the information and uses it to circumvent 2FA protection and secure immediate access to the target’s account.
The NTIC Cyber Center frequently encourages users of online services to enable 2FA on all accounts that offer it, as this provides a higher level of security than usernames and passwords offer on their own. Unfortunately, scammers also understand the value of these authentication credentials and target them accordingly.
Be sure to familiarize yourself with the following techniques that scammers use to obtain 2FA codes so you can avoid becoming a victim:
Scammers can spoof caller-ID information to make calls appear as if they originate from an organization’s legitimate customer service line, so be vigilant when receiving any unexpected correspondence from callers seeking personal information.
If you receive a call prompting you to confirm your identity or account details, do not give out any personal or account information. Instead, hang up and use the Internet to locate a main telephone number for the organization to confirm the authenticity of the request.
If you receive a text message or email containing a confirmation or verification code to complete an action that you did not initiate or request, do not respond to the message or follow any prompts to authenticate your identity or account ownership. Change the password for the associated account immediately to guard against unauthorized entry or account compromise.
Scrutinize the URL of any webpage that prompts for login credentials. The web addresses of phishing pages often appear similar to those of trusted webpages but may include slight misspellings or punctuation differences or be hosted on a different top-level domain than the legitimate site (e.g., .ru instead of .com).
Keep passwords lengthy and complex and avoid using the same password across numerous platforms.
Instead of SMS-based 2FA, consider using a multifactor authentication application that generates a time-based one-time password, such as Authy or Google Authenticator, if the option is available on your account. Additionally, consider a hardware-based 2FA device to protect accounts.