Multi-factor authentication (MFA) is a great way to add an extra layer of security to your login portals. However, clever cybercriminals may use a new method to bypass MFA and compromise your accounts. While cybercriminals haven't used this method in a real-world scam yet, researchers believe this scam could occur in the future.

In this scam, the cybercriminals use software called noVNC and a simple phishing link to bypass your MFA. The cybercriminals send you a phishing email that tells you to take urgent action and log in to your social media account or a similar website. If you click the link, you’ll be redirected to a fake login page that looks similar to the targeted website. However, this fake login page is actually on the cybercriminals’ server.

If you enter your credentials and MFA passcode on this page, the cybercriminals will be able to log in to your account from their own devices. Then, the cybercriminals can store your credentials for future access to your account.

Follow the tips below to stay safe from these types of scams:

  • Watch out for a sense of urgency in emails or messages that you receive. These types of scams rely on impulsive actions, so always think before you click.
  • Never click on a link or download an attachment in an email that you were not expecting.
  • Remain cautious, even when you're using additional safety precautions such as MFA. While these precautions are helpful, it's important to stay alert and look out for red flags.

For assistance with conducting a cybersecurity audit, improving the cybersecurity of your business, or building a strong cybersecurity plan, contact ORAM Corporate Advisors now at (617) 933-5060. The call and initial consultation are free and there’s no obligation.