Multifactor authentication (MFA) has long been a foundational security practice, adding a second check on top of the password for business email, banking, HR portals, and more. But in 2025 an alarming trend has become routine: cybercriminals are getting past MFA with adversary-in-the-middle phishing kits, stolen session tokens, and push fatigue attacks. MFA remains essential, but it is no longer a guaranteed shield against cyber losses.
The Growing Threat Landscape
According to the FBI’s Internet Crime Complaint Center (IC3), business email compromise (BEC) and credential phishing attacks are up 24% year over year. Many of these attacks are targeting employees at mid-sized organizations that believe MFA makes them immune to compromise.
Unfortunately, cybercriminals are adapting just as fast as businesses are.
Attack Example: The Push Bombing Scam
A finance manager at a professional services firm received a late-night barrage of authentication push requests. Tired and assuming it was a glitch, she approved the login. Within minutes, $128,000 was wired to a fraudulent vendor account.
This is known as “push bombing” or an MFA fatigue attack. The attacker already has the password; the only thing between them and the mailbox is a prompt that asks for Approve or Deny, with nothing tying the approval to a login the user actually started. It preys on that weak prompt design as much as on human error, which is why number matching (typing a code shown on the login screen into the app) largely defeats it.
Attack Example: The Spoofed Login Page
In another case, a midwestern manufacturer was hit with a fake Microsoft 365 login page that perfectly mimicked their internal portal. The page was a proxy sitting in front of the real login: the employee’s credentials and one-time code were forwarded to Microsoft in real time, MFA succeeded on the employee’s behalf, and the session token Microsoft issued was captured by the attacker, who then logged in directly with it. No second MFA prompt was ever raised.
Why MFA Alone Isn’t Enough
MFA does reduce risk, but it’s only part of a layered cyber strategy. Here’s why it falls short on its own:
· Session Hijacking: If an attacker steals a valid session token (cookie), the service treats them as the already-authenticated user. MFA was completed once, by the victim, and is not asked again.
· Social Engineering: Employees can be tricked, or simply worn down, into approving authentication requests they did not start.
· Phishing Kits: Prebuilt adversary-in-the-middle kits proxy the real login portal, relay credentials and one-time codes in real time, and capture the session that results. Any code a user can type, including a TOTP code from an authenticator app, can be relayed this way.
· Legacy Systems: Some applications still don’t support modern MFA, and the password-only paths they leave open (older email protocols are the classic case) are exactly where stolen credentials get used.
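To make the phishing-kit point concrete, here is an added example (mine, not code from the original article or any vendor) that simulates both logins in Python with only the standard library: a TOTP code typed on a look-alike site and relayed by the kit is accepted, while a FIDO2/WebAuthn assertion produced on the look-alike site fails the relying party’s origin check. The domains, keys and challenges are constructed for the demo, and the authenticator’s asymmetric signature is stood in for by an HMAC over the same bytes a real authenticator signs; the origin and rpIdHash checks are the ones the real protocol performs.

```python
"""Why a real-time phishing kit defeats TOTP but not an origin-bound credential.
Added example, not code from the original article. Domains, keys and
challenges below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import os
import struct

REAL_ORIGIN = "https://login.example.com"        # constructed relying party
REAL_RP_ID = "example.com"
PHISH_ORIGIN = "https://login.example-com.net"   # constructed look-alike domain
PHISH_RP_ID = "example-com.net"                  # the browser ties rpId to the page origin


# --- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) -------------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps, as most servers do."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), code)
               for d in range(-window, window + 1))

def totp_login_via_kit(secret: bytes, victim_time: int) -> bool:
    """The kit's reverse proxy forwards the code typed on PHISH_ORIGIN.
    Nothing in the code says which site it was typed into."""
    code_typed_on_phish_site = totp(secret, victim_time)
    relayed_at = victim_time + 5                  # well inside the validity window
    return verify_totp(secret, code_typed_on_phish_site, relayed_at)


# --- WebAuthn assertion (security key or passkey) ---------------------------
def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(cred_key: bytes, rp_id: str, origin: str, challenge: bytes) -> dict:
    """What browser and authenticator produce together. The browser, not the
    page, writes `origin` and requires rp_id to match it, so a phishing page
    cannot claim the real site's origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": origin}, separators=(",", ":")).encode()
    # authenticatorData = SHA-256(rpId) || flags (UP|UV) || 32-bit signature counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")
    signed_bytes = auth_data + hashlib.sha256(client_data).digest()
    # A real authenticator signs signed_bytes with a per-credential private key
    # (ECDSA or Ed25519). An HMAC with a shared demo key stands in here so the
    # example runs on the standard library alone; the covered bytes are the real ones.
    signature = hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}

def verify_assertion(cred_key: bytes, challenge: bytes, assertion: dict) -> bool:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):      # stops replay of an old assertion
        return False
    if cd.get("origin") != REAL_ORIGIN:               # the check a phishing kit cannot pass
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(REAL_RP_ID.encode()).digest():
        return False
    if not auth_data[32] & 0x01:                      # user-presence flag must be set
        return False
    signed_bytes = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed_bytes, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def webauthn_login_direct(cred_key: bytes, challenge: bytes) -> bool:
    """Victim on the real site: the browser stamps REAL_ORIGIN into the client data."""
    assertion = make_assertion(cred_key, REAL_RP_ID, REAL_ORIGIN, challenge)
    return verify_assertion(cred_key, challenge, assertion)

def webauthn_login_via_kit(cred_key: bytes, challenge: bytes) -> bool:
    """The kit forwards the real challenge to the victim on PHISH_ORIGIN and
    relays whatever comes back. The browser stamped the look-alike origin (and
    rpId) into the signed data, so the relying party rejects the assertion."""
    relayed = make_assertion(cred_key, PHISH_RP_ID, PHISH_ORIGIN, challenge)
    return verify_assertion(cred_key, challenge, relayed)


if __name__ == "__main__":
    secret, key, chal = os.urandom(20), os.urandom(32), os.urandom(32)
    print("TOTP relayed by kit accepted:    ", totp_login_via_kit(secret, 1_700_000_000))
    print("WebAuthn direct accepted:        ", webauthn_login_direct(key, chal))
    print("WebAuthn relayed by kit accepted:", webauthn_login_via_kit(key, chal))
```

In practice a browser would not even offer a passkey registered for example.com to a page on example-com.net, so the kit’s victim has nothing to relay; the simulation shows that even a forced attempt fails server-side. The `totp` function matches the RFC 6238 test vectors, which is a useful check when you audit an in-house TOTP implementation.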
What Businesses Should Do Now
To stay ahead of evolving threats, your organization should combine MFA with the following risk management strategies:
1. Employee Training & Phishing Simulations
Even the best tech stack can’t overcome human error. Regular training and simulated phishing exercises reduce the chance of a successful attack. Make sure they cover the two patterns above: never approve a prompt you did not trigger, and check the address bar before typing a password or a code.
2. Use Authenticator Apps or Physical Tokens
Push-based MFA (“Approve/Deny” on your phone) is the most vulnerable to social engineering. If you must keep push, turn on number matching so the user has to type a code shown on the login screen. Time-based one-time passcodes (TOTP) stop push fatigue but can still be relayed by a phishing kit, so for anything that matters move to phishing-resistant, FIDO2/WebAuthn-based MFA: hardware keys such as YubiKeys, or passkeys. Those credentials are bound to the real site’s domain and cannot be replayed from a look-alike page.
3. Implement Conditional Access Policies
Don’t treat every login the same. Require stronger verification, or block outright, for high-risk sign-ins: access from unfamiliar locations, from unmanaged or non-compliant devices, or over legacy authentication protocols that cannot do MFA at all. Pair this with short session lifetimes and sign-in frequency limits so a stolen token stops working quickly.
4. Enable Session Monitoring and Alerting
IT teams should be alerted in real time to suspicious sign-in behavior: bursts of MFA prompts for one account (especially one that is eventually approved), multiple failed MFA attempts, sign-ins from new countries, and a session token suddenly used from a different IP address and browser than the one it was issued to.
5. Review and Upgrade Cyber Liability Insurance
Cyber insurance isn’t just for tech companies anymore. Many insurers offer coverage for:
· Business interruption
· Social engineering fraud
· Breach response and legal fees
In fact, some carriers now require evidence of MFA plus endpoint protection and training in order to bind coverage.
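Items 3 and 4 above call for alerting on exactly the patterns in the two attack stories. The following is an added example of that detection logic (mine, not the page’s or any product’s code), run over a constructed set of sign-in events in an assumed generic schema. The field names, thresholds and the session-reuse heuristic are my choices and have to be mapped onto your identity provider’s actual sign-in logs.

```python
"""Alerting on the sign-in patterns from the two attack stories.
Added example, not the page's or any vendor's code. Three detections run over
a constructed set of sign-in events in an assumed generic schema (your identity
provider's log fields will differ). Thresholds are starting points, not advice."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(t, user, event, ip, country, ua, sid=None):
    return {"t": t, "user": user, "event": event, "ip": ip, "country": country, "ua": ua, "sid": sid}


# Constructed sample events with UTC timestamps. Not real log data.
EVENTS = [
    # Push bombing: six prompts in eight minutes late at night, then the tired user approves.
    *[ev(f"2025-03-04T23:0{m}:00", "fin.mgr", "mfa_prompt", "203.0.113.9", "RU", "python-requests/2.31")
      for m in (1, 2, 3, 5, 7, 8)],
    ev("2025-03-04T23:08:30", "fin.mgr", "mfa_approved", "203.0.113.9", "RU", "python-requests/2.31"),
    ev("2025-03-04T23:09:00", "fin.mgr", "signin_success", "203.0.113.9", "RU", "python-requests/2.31", sid="s-1"),
    ev("2025-03-04T23:12:00", "fin.mgr", "session_use", "203.0.113.9", "RU", "python-requests/2.31", sid="s-1"),
    # Normal sign-in, then the same session token replayed from a different IP and browser
    # (what a phishing kit does with a captured cookie).
    ev("2025-03-04T09:00:00", "j.doe", "mfa_prompt", "198.51.100.4", "US", "Edge/122"),
    ev("2025-03-04T09:00:20", "j.doe", "mfa_approved", "198.51.100.4", "US", "Edge/122"),
    ev("2025-03-04T09:00:25", "j.doe", "signin_success", "198.51.100.4", "US", "Edge/122", sid="s-2"),
    ev("2025-03-04T09:30:00", "j.doe", "session_use", "198.51.100.4", "US", "Edge/122", sid="s-2"),
    ev("2025-03-04T09:41:00", "j.doe", "session_use", "192.0.2.77", "NL", "Chrome/121", sid="s-2"),
]

# Countries each user has signed in from before (constructed; build it from 30-90 days of history).
BASELINE_COUNTRIES = {"fin.mgr": {"US"}, "j.doe": {"US"}}


def detect_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """>= threshold MFA prompts for one user inside `window`; critical if one was then approved."""
    alerts, by_user = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["event"] in ("mfa_prompt", "mfa_approved"):
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        prompts = [datetime.fromisoformat(e["t"]) for e in evs if e["event"] == "mfa_prompt"]
        approvals = [datetime.fromisoformat(e["t"]) for e in evs if e["event"] == "mfa_approved"]
        for start in prompts:                       # sliding window over prompt times
            burst = [p for p in prompts if start <= p <= start + window]
            if len(burst) >= threshold:
                approved = any(start <= a <= burst[-1] + window for a in approvals)
                alerts.append({"rule": "push_bombing", "user": user, "prompts": len(burst),
                               "severity": "critical" if approved else "high"})
                break                               # one alert per user per run
    return alerts


def detect_new_country(events, baseline):
    """Successful sign-in from a country absent from the user's baseline."""
    return [{"rule": "new_country", "user": e["user"], "country": e["country"], "ip": e["ip"],
             "severity": "medium"}
            for e in events
            if e["event"] == "signin_success" and e["country"] not in baseline.get(e["user"], set())]


def detect_session_reuse(events):
    """Session token presented from an IP *and* user agent other than the ones it was issued to.
    Added heuristic: mobile users change IPs legitimately, hence both must differ; tune per fleet."""
    issued, alerts = {}, []
    for e in sorted(events, key=lambda e: e["t"]):
        if e["event"] == "signin_success" and e["sid"]:
            issued[e["sid"]] = (e["ip"], e["ua"])
        elif e["event"] == "session_use" and e["sid"] in issued:
            ip, ua = issued[e["sid"]]
            if e["ip"] != ip and e["ua"] != ua:
                alerts.append({"rule": "session_reuse", "user": e["user"], "sid": e["sid"],
                               "from_ip": e["ip"], "severity": "high"})
    return alerts


def run_detections(events=EVENTS, baseline=BASELINE_COUNTRIES):
    return (detect_push_bombing(events)
            + detect_new_country(events, baseline)
            + detect_session_reuse(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the sample data this raises three alerts: a critical push-bombing alert for fin.mgr (six prompts, then an approval), a new-country alert for the same account, and a session-reuse alert for j.doe’s token replayed from 192.0.2.77. The push-bombing approval case is the one to page on; a burst that is never approved is a signal that the password is already compromised and should trigger a reset.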
Real-World Claim Example: What It Cost
A regional logistics firm fell victim to an MFA bypass scheme that led to fraudulent wire transfers totaling $440,000. Fortunately, they had a cyber policy that covered social engineering fraud, but only up to $100,000. The rest came out of pocket.
After the loss, they upgraded:
· All financial transactions now require verbal verification.
· Push and code-based MFA was replaced with passkeys and physical security keys.
· Their new cyber policy includes full-limit social engineering and phishing coverage.
Final Thoughts
MFA remains critical, but today’s cybercriminals are finding ways around it. Businesses must move beyond checkbox security and adopt a layered defense strategy that includes:
· Technology
· Training
· Insurance
Cyber threats evolve, and your protection should too.
Not sure if your MFA or cyber policy is strong enough for 2025 threats? Contact us for a cyber liability review and gap analysis customized to your risk profile.

MFA Isn’t Enough: How Hackers Are Bypassing Your Best Line of Cyber Defense