MFA Push Bombing Scams via Phone Calls
How attackers flood a victim's authentication app with approval requests, then call them posing as tech support to convince them to approve access.
Part of: MFA Push-Bombing and Account-Recovery Scams
Last reviewed: 8 June 2026
Multi-factor authentication push bombing combines two tactics: automated flooding of a victim's authentication app with login-approval requests, and a social-engineering phone call timed to coincide with the flood. The attacker already has the victim's password from a breach or phishing attack; the MFA push is the final barrier. By triggering dozens of requests, they hope the victim will either accidentally approve one, or be primed to accept the offer of 'help' from the caller.
The phone call typically impersonates IT support, an account security team, or a major technology company. The caller warns that someone is trying to break into the victim's account — which is technically true, because the caller is that person — and instructs the victim to approve the next push notification to 'block' the attack.
How this scam works on phone calls
The victim receives rapid successive push notifications from their authenticator app asking to approve a login. Simultaneously or shortly after, a call arrives from someone claiming to be from the company's security team. The caller uses technical-sounding language, may reference the victim's account details, and explains that approving the notification will reject the attacker's access.
If the victim approves, the caller — who is the attacker — gains full access to the account. In corporate environments, this attack has been used to compromise email accounts, VPNs, and cloud services. Personal targets include email, bank, and social media accounts.
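As an added illustration (not part of the original page) of how a defender can spot this pattern in authentication logs: the script below flags users who receive a burst of push prompts and, more seriously, an approval that lands while the burst is still in progress. The log format, event names and sample lines are constructed for the example; real identity providers use their own field names.

```python
# Added example (not from the original page): flag push-bombing patterns in
# authentication logs. Log format and sample lines are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_THRESHOLD = 5              # prompts inside WINDOW that count as a burst
WINDOW = timedelta(minutes=10)

# Constructed sample log, "<UTC timestamp> <user> <event>": alice is bombed with
# seven prompts and approves the last one; bob gets one normal prompt; carol
# gets a few prompts spread over an hour, which is not a burst.
SAMPLE_LOG = """\
2026-06-08T09:00:00Z alice push_sent
2026-06-08T09:00:20Z alice push_sent
2026-06-08T09:00:40Z alice push_sent
2026-06-08T09:01:00Z alice push_sent
2026-06-08T09:01:30Z alice push_sent
2026-06-08T09:02:00Z alice push_sent
2026-06-08T09:02:45Z alice push_sent
2026-06-08T09:03:30Z alice push_approved
2026-06-08T09:10:00Z bob push_sent
2026-06-08T09:10:04Z bob push_approved
2026-06-08T08:15:00Z carol push_sent
2026-06-08T08:40:00Z carol push_sent
2026-06-08T09:05:00Z carol push_sent
"""

def parse_line(line):
    ts, user, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def find_push_bombing(log_text):
    """Per user: was there a burst, and was a prompt approved during one?"""
    recent = defaultdict(deque)       # sliding window of push_sent times per user
    findings = {}
    events = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    for ts, user, event in events:
        window = recent[user]
        while window and ts - window[0] > WINDOW:   # drop prompts older than WINDOW
            window.popleft()
        f = findings.setdefault(user, {"burst": False, "approved_after_burst": False})
        if event == "push_sent":
            window.append(ts)
            if len(window) >= PUSH_THRESHOLD:
                f["burst"] = True
        elif event == "push_approved" and len(window) >= PUSH_THRESHOLD:
            # Approval while the window is still full is the 'approve this to
            # block the attacker' outcome; treat it as a likely compromise.
            f["approved_after_burst"] = True
    return findings
```

A burst alone warrants a check-in with the user and a credential reset; an approval during a burst should trigger session revocation before anything else.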
Common red flags
- Sudden flood of MFA push notifications for logins you did not initiate
- A phone call arrives coinciding with the push flood, claiming to be from tech support
- Caller asks you to approve an MFA notification to 'block' an attacker
- Caller knows your username or account email, creating false credibility
- Caller urges immediate action before you have time to verify their identity
How to protect yourself
- If you receive unexpected MFA push notifications, deny all of them — do not approve any
- Never approve an MFA notification at the instruction of an incoming phone caller
- Use number-matching or phishing-resistant FIDO2 MFA rather than simple push-approve where possible
- Report the incident immediately to your real IT support team or account provider using a known contact number
- Treat any unsolicited caller discussing your account security with extreme scepticism
How to report it
- Report to your organisation's IT security team if in a workplace context
- Report to the account provider's official security team using contact details from their official website
- Report to your national cybercrime authority (IC3 in the US, NCSC in the UK)
Frequently asked questions
Why would an attacker call me at the same time as the push flood?
The push flood alone may be ignored or denied indefinitely. The call provides a pretext — 'approve this to stop the attacker' — that misleads the victim into actively granting access. The combination exploits both the victim's fatigue and their trust in apparent authority.