
Rathbun Insurance Blog

All You Ever Wanted to Know About Insurance

Cyber Bytes: What Is an MFA Fatigue Attack?

Multifactor authentication (MFA) is a cybersecurity technique that verifies your identity by requiring more than one credential: something beyond your password, like a security code sent to your phone or an approval prompt in an authenticator app. You might get an MFA notification when logging in from a new device or verifying a retail account. If you manage other people's accounts as well as your own, you might receive a lot of them. Getting notifications for everything you do can become tedious.

Cybercriminals are counting on you to get tired of these notifications, hence the name MFA fatigue attack. This attack strategy isn’t new, but it’s regaining popularity with cybercriminals.

What is an MFA fatigue attack?

An MFA fatigue attack is a two-pronged account hacking strategy. First, the cybercriminal acquires your login credentials through a phishing attack or a dark web purchase. Then, they bombard you with MFA requests. They're hoping you'll become weary of the notifications and approve one just to make them stop, which grants them access to your account.

You and your device are the last layer of defense against a hacker successfully cracking your account. So, what’s their strategy? Wear you down.

How an MFA fatigue attack unfolds

The hacker already has your username and password, so they enter them, knowing you'll get a notification. Many accounts use push-notification authentication, which sends a prompt to your phone asking you to approve or deny the login attempt. The prompt is real; it comes from the genuine service, because the attacker really is logging in with your password. Cyberattackers bombard you with these push notifications by attempting the login over and over. They're hoping you'll think it's a malfunction, or you won't think at all. Either way, they know you'll just want the notifications to end, so you'll tap Approve.

Remember, cybercriminals already have your login information, and the same stolen data often includes your phone number. This gives them another tool. If they're not getting a response to the MFA notifications, they'll follow up with a call.

This follow-up strategy is also likely if your MFA system uses a random code instead of an approval prompt, because then there is nothing for you to tap; they need you to read the code to them. Often, they pose as tech support, tricking you into thinking it's a legitimate request. They'll have a story about how the notifications are part of a system maintenance process, and they need you to verify that your account is working. They might even make it seem like a routine test to ensure cybersecurity is active on your accounts. In reality, they're conning you to gain access.

That’s why some companies are changing the parameters on their MFA notifications, such as:

  • They're limiting the number of MFA prompts that can be sent for an account in a time period, and locking the account when the limit is hit. If you've ever been locked out of your account after too many failed MFA attempts, it's for your protection.
  • They're adding number matching, location or biometric requirements. Instead of a simple Approve button, the prompt asks you to type a number displayed on the login screen, which you can't do for a login you didn't start. Some systems also require you to scan your fingerprint or check your phone's location before accepting the approval.
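As an added illustration, not part of the original post, the following Python script shows what the attack described above looks like from the service's side, and the first fix in the list: a per-account cap on push prompts. It replays a small authentication log, flags any account that received a burst of prompts (most of them denied or ignored) followed by an approval, and then shows how a prompt limiter would have refused the later prompts. The log format, field names, event names, thresholds and sample entries are all constructed assumptions for this example, not from any real product.

```python
"""Detect an MFA fatigue burst in an authentication log, and cap push prompts.

Added example; the log format and thresholds are assumptions, not any vendor's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from a real system). Assumed line format:
#   <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> ip=<addr>
# "alice" is being bombarded and finally approves; "bob" is a normal login.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:14:33Z user=alice event=push_timeout ip=203.0.113.7
2024-05-01T02:14:40Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:15:10Z user=alice event=push_timeout ip=203.0.113.7
2024-05-01T02:15:15Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:15:20Z user=alice event=push_denied ip=203.0.113.7
2024-05-01T02:15:25Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:15:55Z user=alice event=push_timeout ip=203.0.113.7
2024-05-01T02:16:00Z user=alice event=push_sent ip=203.0.113.7
2024-05-01T02:16:02Z user=alice event=push_approved ip=203.0.113.7
2024-05-01T09:00:00Z user=bob event=push_sent ip=198.51.100.4
2024-05-01T09:00:08Z user=bob event=push_approved ip=198.51.100.4
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": kv["user"], "event": kv["event"], "ip": kv["ip"]})
    return events


def _trim(queue, now, window):
    """Drop timestamps older than `window` from the front of a sliding-window deque."""
    while queue and now - queue[0] > window:
        queue.popleft()


def find_fatigue_bursts(events, window=timedelta(minutes=10), threshold=4):
    """Flag accounts that got >= threshold push prompts inside `window`.

    Returns {user: {"prompts": n, "refused": m, "approved_after_burst": bool}}.
    A burst that ends in an approval is the successful attack; one without
    an approval is an attack still in progress (or a user who kept denying).
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        prompts = deque()   # push_sent timestamps within the window
        refusals = deque()  # denied / timed-out timestamps within the window
        for e in evs:
            now = e["ts"]
            _trim(prompts, now, window)
            _trim(refusals, now, window)
            if e["event"] == "push_sent":
                prompts.append(now)
            elif e["event"] in ("push_denied", "push_timeout"):
                refusals.append(now)
            elif e["event"] == "push_approved" and len(prompts) >= threshold:
                alerts[user] = {"prompts": len(prompts), "refused": len(refusals),
                                "approved_after_burst": True}
        if user not in alerts and len(prompts) >= threshold:
            alerts[user] = {"prompts": len(prompts), "refused": len(refusals),
                            "approved_after_burst": False}
    return alerts


class PushRateLimiter:
    """Server-side cap: at most `max_prompts` push prompts per user per `window`."""

    def __init__(self, max_prompts=3, window=timedelta(minutes=10)):
        self.max_prompts = max_prompts
        self.window = window
        self._sent = defaultdict(deque)

    def allow_prompt(self, user, now):
        """Return True and record the prompt, or False to refuse sending another one."""
        q = self._sent[user]
        _trim(q, now, self.window)
        if len(q) >= self.max_prompts:
            return False  # account is effectively locked until the window passes
        q.append(now)
        return True


def prompts_blocked(events, max_prompts=3, window=timedelta(minutes=10)):
    """Replay the log through the limiter; return {user: number of prompts it would refuse}."""
    limiter = PushRateLimiter(max_prompts, window)
    blocked = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "push_sent" and not limiter.allow_prompt(e["user"], e["ts"]):
            blocked[e["user"]] += 1
    return dict(blocked)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("fatigue alerts:", find_fatigue_bursts(evs))
    print("prompts a limiter would have refused:", prompts_blocked(evs))
```

In the sample, alice receives five prompts in two minutes, refuses or ignores four, and then approves the fifth, which is exactly the pattern to alert on; with a cap of three prompts per ten minutes, the fourth and fifth prompts would never have reached her phone. Real deployments tune the window and threshold to their own login patterns, and treat the "approved after burst" case as an incident to investigate, not just a log line.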

Work accounts are targets

You might not fall for an MFA fatigue attack on your personal accounts, but what about your work accounts? Hackers target employees at companies they want to infiltrate. You might be more inclined to approve a prompt at work than at home, especially if you're juggling hundreds of emails and notifications daily. The 2022 cyberattack against Uber was an MFA fatigue attack that began with a contractor's stolen credentials and ended with the attacker inside the company's internal systems.

Most hacks rely on human error, so your employer might grant your account only the fewest privileges it needs to do your job. Don't be offended. This is to thwart an attack. Cybercriminals won't get far if your work account is compromised but it lacks administrative privileges or access to critical business systems.

Small and home-based business accounts are at risk

Cybercriminals look for any account that gets them inside and past the perimeter security controls. Once inside, they move through systems to reach bigger targets, like master administrative accounts. From there, they can create new accounts, re-enroll MFA on their own device so future notifications go to them instead of you, and take control.

For example, say you're a home business owner using a customer relationship management (CRM) system to organize and market to your clients. You created an admin account when you initially set up the system. After the initial setup, you used the admin account far less than your day-to-day sales account. One day, you get an email asking you to click a link to verify a login to your CRM's admin account. Without thinking, you click it.

Unbeknownst to you, your CRM admin account credentials were exposed earlier in the year and sold on the dark web. The link you clicked to verify your account was legitimate, but the person signing in to your account wasn't. The hacker takes over your admin account and steals all your client information, including personally identifiable information (PII) and financial information.

Even small business owners are responsible for the PII they maintain. If a hacker exposes your clients’ PII, the state can fine you and your clients can sue you. A cyberattack could cost tens of thousands of dollars.

A cyber liability policy can help you recover, but only after the fact. The best weapon is to educate yourself and maintain good cybersecurity hygiene on all your accounts.

Don’t get fatigued

If you're getting MFA prompts you didn't trigger, deny them, and never approve one just to make them stop. If someone calls asking you to approve a prompt or read them a code, hang up. Change that account's password immediately, because unexpected prompts mean someone already has it, and report it to your IT team if it's a work account. Staying one step ahead of the con artists requires a bit of vigilance, but you can stay cybersafe out there!