Fake Two-Factor Authentication Scams
Tricks and 'MFA fatigue' attacks designed to capture or approve your second authentication factor.
Last reviewed: 1 June 2026
What this scam is
Fake two-factor authentication (2FA) scams are attacks specifically designed to defeat the second layer of security you have added to your accounts. Two-factor authentication was introduced precisely to protect accounts even when a password is stolen — these scams are the response to that protection.
There are several distinct methods. In MFA fatigue attacks (also called prompt bombing), an attacker who already has your password spams your phone with push-approval notifications, hoping you will tap 'Approve' to stop the interruption. In real-time phishing relay attacks, a fake login page captures your password and one-time code as you enter them, passing them to the attacker simultaneously. In social engineering attacks, someone impersonating IT support or your bank calls and asks you to approve a prompt or share a code, claiming it is part of a verification or investigation process.
All of these attacks share a common feature: the attacker already has your password. The 2FA factor is the only thing standing between them and your account. Understanding this helps clarify the response — if you receive unexpected 2FA prompts, someone else has your password and is actively attempting to get in.
How it works
MFA fatigue works by volume and persistence. The attacker triggers authentication requests repeatedly — sometimes dozens of times — until the account holder approves one to end the interruptions. Some attackers follow up with a phone call claiming to be support, saying there is a login issue being investigated, and that the person needs to 'just approve one more prompt to confirm their identity'. This social engineering component transforms an inconvenience into a plausible-seeming request.
Real-time phishing relay is technically more sophisticated. The attacker sets up a proxy site that sits between you and the real service. When you enter your credentials on the fake page, the proxy logs them and passes them to the real site in real time. The real site then sends you a one-time code, which the fake page also captures — completing the login with full second-factor bypass before the code expires.
Code-phishing via phone combines social engineering with the fact that you have already received a real code. The caller fabricates a pretext — a security test, a fraud investigation, a system error — and asks you to read out the code that just arrived. The code was triggered by the attacker attempting a login. Reading it out completes their authentication.
Even push notifications can be targeted more precisely. In some advanced attacks, the approval prompt includes location data or a login description, and the caller pre-empts questions by naming the correct location as part of their cover story.
Why this scam works
MFA fatigue exploits the fact that authentication prompts arrive on your phone as interruptions to whatever else you are doing. After the tenth notification in a row, the emotional state shifts from 'what is this?' to 'how do I make it stop?'. Approval is the path of least resistance.
When a phone call accompanies the prompt flood with a plausible explanation, the cognitive load is reduced further. You have been given a reason for the prompts and a socially credible way to respond.
Real-time relay attacks succeed because even security-conscious users may not realise that entering a code on what looks like a legitimate page can be exploited if the page is a proxy. The one-time code's entire defence rests on it being entered on the genuine site — a relay defeats this by acting as the genuine site.
A typical pattern
An employee working from home receives a stream of push-approval notifications from their workplace authentication app. After the sixth prompt in five minutes, they receive a phone call from someone claiming to be from IT security. The caller says there is a system error triggering false prompts and asks the employee to approve one final prompt to 'clear the queue'. The employee approves it. The caller thanks them and ends the call. The prompt the employee approved was the attacker's own login attempt — they now have full access to the employee's workplace account.
Common red flags
- Repeated unexpected login approval prompts on your phone
- A phone call arriving immediately after a prompt flood, offering to 'help' or 'investigate'
- Request to approve a prompt 'just to confirm your identity' during a call
- Someone asking you to share or read out a one-time code
- Pressure to approve 'to make it stop' or 'to clear the backlog'
- Phishing page prompting for a code immediately after your password
- Caller claims a prompt you need to approve is part of a 'security test'
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
This is IT support — we are testing your account security. Please approve the login prompt on your phone.
You will receive an authorisation request shortly. Please approve it to verify your identity for our fraud investigation.
We have detected suspicious activity. Can you please read out the 6-digit code that just arrived on your phone?
Your account is being secured. Approve the login notification on your authenticator app to confirm it is you.
This is the security team. There has been an authentication error. Please deny any prompts you receive and call us at [phone number].
One more prompt is coming to finalise the security review of your account. Please approve it when it arrives.
Common variations
- MFA fatigue / prompt bombing — flood of push-approval requests followed by social engineering call
- Real-time relay phishing — proxy site captures code in transit as you type it
- Code-phishing by phone — caller collects a code verbally after triggering a genuine one
- SIM-swap attack — attacker convinces the mobile carrier to transfer the number, capturing future SMS codes
- SS7 exploitation — technical interception of SMS messages in transit (rare, targeted)
- Authenticator app impersonation — fake app collects codes and transmits them to the attacker
How to verify before you act
The rule for approval prompts is: never approve a login you did not initiate. If you receive a push notification for a login you are not performing, deny it. This is always the right action regardless of any calls, messages, or explanations you receive afterwards.
If you receive multiple unexpected prompts in a short period, your password has been compromised. Change it immediately on the real service (not via any link) and consider whether the account needs a full security review.
For code requests by phone, the same rule as password reset scams applies: never share a one-time code with anyone. It does not matter how credible the caller sounds or what reason they give.
For push-notification 2FA, consider enabling number matching (where you must enter a number displayed during login to approve) or using a hardware security key, both of which are resistant to these attacks.
Payment methods used
- Account takeover followed by financial theft or data exploitation
Who is usually targeted
- Anyone using 2FA — particularly app-based push notifications
- Employees using workplace authentication
- High-value personal account holders
What to do immediately
- Deny any approval prompt you did not initiate — immediately
- Change your password on the real service right away from a clean device
- Report the prompt flood to the platform's security team
- If you approved a prompt accidentally, treat your account as compromised — contact the service
- If you shared a code, change your password and check for unauthorised account changes immediately
- Review account activity for any logins, new payees, or changed recovery details
- Consider upgrading to phishing-resistant 2FA such as a hardware key or passkey
How to prevent it
- Deny any 2FA prompt you did not initiate — treat unexpected prompts as an alert that your password is compromised
- Never share or read out a one-time code to anyone
- Change your password immediately if you receive unexpected approval prompts
- Enable number matching on push-notification 2FA where available
- Use a hardware security key or passkey for high-value accounts — these are phishing-resistant
- Consider switching from SMS-based 2FA to an authenticator app for important accounts
- Report a prompt flood to the relevant platform's security team
Evidence to preserve
- Timestamps and count of authentication prompts received
- Caller ID or number of anyone who called during or after the prompts
- Account activity logs showing login attempts
- Any messages received alongside the prompts
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
What is MFA fatigue?
It is when attackers spam you with login-approval prompts hoping you will tap 'Approve' out of annoyance or confusion. If you receive prompts you did not trigger, deny all of them and change your password — your credentials are likely compromised.
I approved a prompt during a flood — what should I do?
Treat your account as compromised. Change your password immediately on the real service, check for any unauthorised account changes or activity, and contact the platform's security team to report the incident.
Is SMS-based 2FA safe?
It is significantly better than no 2FA. However, SMS codes can be intercepted via SIM-swap attacks or captured via relay phishing. App-based authentication and hardware keys provide stronger protection against these specific attacks.
Can an attacker bypass 2FA if they have my password?
Yes, through the methods described here — MFA fatigue, relay phishing, or social engineering to collect the code. This is why the behaviour rules around 2FA (never share codes, always deny uninitiated prompts) are as important as having 2FA enabled.
What is a hardware security key and how does it help?
A hardware security key is a physical device you plug in or tap to approve a login. Unlike a one-time code, it cannot be phished via a relay site because it cryptographically verifies the site's identity before responding. It is the strongest available defence against 2FA bypass attacks.
Why would someone call me during a prompt flood?
The call is designed to provide a plausible explanation for the flood (a system error, a security test, an investigation) and to guide you toward approving the prompt. The attacker is the cause of the flood, not the person investigating it.
My 2FA code was requested on what I now think was a fake site — am I compromised?
Yes, likely. Change your password immediately on the real site, enable stronger 2FA if available, and review recent account activity. A relay site would have used your code in real time, so act within minutes if possible.