MFA Push-Bombing and Account-Recovery Scams
Attackers flood your phone with authentication-approval requests until you accept one by mistake, then impersonate support staff to confirm the 'error'.
Last reviewed: 1 June 2026
What this scam is
Multi-factor authentication (MFA) push-bombing — also called MFA fatigue — is an attack in which a criminal who already has your username and password sends repeated authentication push notifications to your phone or authenticator app. The volume of notifications is designed to be overwhelming, causing you to approve one simply to make them stop, or to accept it by accident in a moment of distraction.
A related tactic is account-recovery social engineering: after triggering the push requests, the attacker calls you posing as security or IT support, explains there has been unusual activity on your account, and asks you to approve the notification they are about to send — so they can 'investigate'. You approve it believing you are helping to resolve a problem; you are actually granting the attacker access.
These attacks have been used against employees at large organisations and against individual consumers, particularly targeting accounts with high value: banking apps, cryptocurrency platforms, cloud storage, and corporate email. MFA was designed to prevent unauthorised access even when a password is known — push-bombing is specifically designed to defeat it through human error rather than technical means.
How it works
The attacker first obtains your email address or username and password, typically from a data breach, phishing attack, or password-reuse across sites. With these credentials, they attempt to log in to your account, which triggers an MFA push notification on your registered device.
They repeat the login attempt — and thus the notification — dozens of times. Your phone buzzes repeatedly. Each notification asks you to approve or deny access. The goal is either to exhaust your patience until you tap 'approve' to stop the notifications, or to distract you into approving one in a moment of inattention.
In the social-engineering variant, you receive a phone call — often spoofed to display a number from the genuine service provider — from someone claiming to be a support agent. They explain that your account is showing suspicious access attempts and that they need to verify your identity by sending you an authentication request. You are asked to approve this notification while on the call. You do so, believing you are cooperating with security, and the attacker gains full access to your account.
Once inside, accounts are drained, data is extracted, or credentials are used to access connected services.
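As an added illustration (not part of the original advisory), the sequence described above leaves a recognisable trace in an identity provider's MFA event log: a burst of push_sent events for one user, followed by a single push_approved. The Python below parses a constructed sample log in an assumed key=value format and flags any user whose push count reaches a threshold inside a sliding window, recording whether an approval followed the burst; the field names, window and threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log (assumed key=value format): alice is flooded with pushes
# and eventually approves one; bob is a single normal login.
SAMPLE_LOG = """\
2026-05-30T09:14:02Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:14:05Z user=alice event=push_denied src=203.0.113.7
2026-05-30T09:14:09Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:14:20Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:14:31Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:14:44Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:14:58Z user=alice event=push_sent src=203.0.113.7
2026-05-30T09:15:10Z user=alice event=push_approved src=203.0.113.7
2026-05-30T09:20:00Z user=bob event=push_sent src=198.51.100.4
2026-05-30T09:20:06Z user=bob event=push_approved src=198.51.100.4
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    # Return a dict for a well-formed line, or None so junk lines are skipped.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect_push_bombing(log_text, window=timedelta(seconds=120), threshold=5):
    """One alert per user whose push_sent count reaches `threshold` within a
    sliding `window`. approved_after_burst=True is the case to treat as a
    probable compromise rather than mere harassment."""
    recent = defaultdict(deque)  # user -> push_sent timestamps inside the window
    alerts = {}                  # user -> alert for the first burst seen
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop pushes that fell out of the window
                q.popleft()
            if len(q) >= threshold and user not in alerts:
                alerts[user] = {"user": user, "pushes": len(q), "src": ev["src"],
                                "burst_start": q[0], "approved_after_burst": False}
        elif ev["event"] == "push_approved" and user in alerts:
            alerts[user]["approved_after_burst"] = True
    return list(alerts.values())
```

In a real deployment the same logic would run over the provider's sign-in logs, and an alert with approved_after_burst set should trigger a session revocation and password reset for that account.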
Why this scam works
Push-bombing works because it weaponises a security feature against its own purpose. MFA was designed to add a human approval step — but bombarding that step with noise exploits the human element it relies on. Few people can receive the same notification forty times without eventually responding.
The social-engineering overlay makes the attack far more potent. Receiving a call from apparent security support in the immediate aftermath of an alarm creates a context in which approving a notification seems like the right response. The caller appears to be on your side, helping to resolve the very problem that the flood of notifications signalled.
Authority bias amplifies this: when a caller presents as a service's security team and uses real-sounding details about your account, challenging them feels inappropriate or paranoid.
Common red flags
- Sudden burst of authentication approval requests you did not initiate
- Phone call immediately following unsolicited MFA notifications
- Caller claims to be support and asks you to approve an authentication request during the call
- Repeated notification flood that is difficult to stop or dismiss
- Caller knows your username, email, or account details and uses them to establish credibility
- Notification approval is framed as a 'verification step' by the caller
- Your account shows login attempts from unfamiliar locations or devices in recent activity
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [service] and [location].
We have detected suspicious login attempts on your account. To secure it, please approve the verification request we are sending you now.
Our security team has flagged unusual activity. Please approve the authentication notification on your phone — this confirms your identity and locks out the attacker.
This is [service] security. We are investigating access from [location]. To confirm you are the account holder, approve the push notification I am sending now. Do not close it.
Common variations
- Corporate VPN push-bombing targeting remote employees
- Banking app MFA flood followed by impersonation of the bank's fraud team
- Cryptocurrency platform attack using push-bombing to access and drain wallets
- Number-matching bypass using social engineering to get victims to read out the code
How to verify before you act
The definitive rule is that legitimate service providers will never call you and ask you to approve a push notification during the call. No bank, tech company, or platform security team operates this way. If anyone on a call asks you to approve an authentication request, end the call immediately.
If you receive a burst of unsolicited notifications, deny all of them and contact the service through their official support channels — using contact details from their official website, not any number provided in a call or message.
Many authenticator apps now support number matching (the login page shows a number that you must enter or confirm in the authenticator app before the request is approved) and application context (the notification shows which app is requesting access). If your service offers these, enable them — they make push-bombing less effective.
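To show why number matching blunts a push flood, here is an added toy model (not the advisory's own content and not any real authenticator's code): the login page shows a two-digit number that the authenticator demands before it will approve, so a flood of pushes to someone who never opened a login page leaves them with nothing to type, and the model also caps open pushes per user so the flood itself is cut short. The class, method names and policy constants are assumptions.

```python
import secrets
from dataclasses import dataclass
MAX_PENDING_PER_USER = 3  # assumed policy: stop issuing pushes past this many open ones

@dataclass
class Challenge:
    user: str
    number: str             # two-digit code shown only on the login page
    state: str = "pending"  # pending | approved | denied

class NumberMatchingIdP:
    """Toy identity provider. start_login() is the side someone holding a stolen
    password can drive; respond() is what the account holder's authenticator does."""
    def __init__(self):
        self.challenges, self.pending = {}, {}

    def start_login(self, user):
        # Flood suppression: one open push per login attempt, capped per user.
        if self.pending.get(user, 0) >= MAX_PENDING_PER_USER:
            return None
        cid = secrets.token_hex(8)
        self.challenges[cid] = Challenge(user, f"{secrets.randbelow(100):02d}")
        self.pending[user] = self.pending.get(user, 0) + 1
        return cid, self.challenges[cid].number

    def respond(self, cid, entered=None):
        # There is no bare 'approve': the user must type the number from the
        # login screen they are looking at. No number, or a wrong one, denies.
        ch = self.challenges[cid]
        if ch.state != "pending":
            return ch.state
        self.pending[ch.user] -= 1
        ok = entered is not None and secrets.compare_digest(entered, ch.number)
        ch.state = "approved" if ok else "denied"
        return ch.state

def push_bomb(idp, user, attempts):
    """Model the flood: `attempts` logins against `user`, who never opened a login
    page. Returns (pushes_delivered, pushes_suppressed, outcome) where outcome is
    what happens when the worn-down user finally taps the latest push."""
    delivered, suppressed = [], 0
    for _ in range(attempts):
        res = idp.start_login(user)
        if res is None:
            suppressed += 1
        else:
            delivered.append(res[0])
    outcome = idp.respond(delivered[-1]) if delivered else "none"  # nothing to type
    return len(delivered), suppressed, outcome
```

The model also shows the residual risk the advisory warns about: approval still succeeds if the account holder types a number supplied by someone else, which is why no caller should ever be given that number.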
Change your password on any account that experienced an attack, even if no approval was given. The attacker already has your current credentials.
Payment methods used
- Attacker uses account access — no direct payment from victim
- Crypto wallets drained
- Banking apps accessed
Who is usually targeted
- Anyone using push-notification-based MFA
- Corporate email and VPN account holders
- Cryptocurrency platform users
- Cloud storage and financial service users
What to do immediately
- Deny every unsolicited push notification — never approve one you did not personally initiate
- End any unexpected call immediately and contact the service independently using verified contact details
- Change your password immediately if you believe a push notification was approved in error
- Contact the service's genuine support team about suspicious login activity
- Enable number matching or additional context in your authenticator app if your service supports it
- Report the attack to your employer IT team if it is a work account
- Check your account for any access or activity you did not authorise
How to prevent it
- Enable number matching and application context on all authenticator apps that support it
- Deny every push notification you did not personally initiate, no matter how many arrive
- Never approve an authentication request at the request of someone on a phone call
- Use a hardware security key as a second factor where possible — it cannot be socially engineered
- Switch from push-based MFA to time-based one-time passwords (TOTP) for sensitive accounts
- Report notification floods to the relevant platform's security team immediately
Evidence to preserve
- A log of the notifications received (screenshots with timestamps)
- The phone number that called you, if you received a call
- Your account's login activity or access history
- Any email or message that preceded the push flood
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
What if I accidentally approved a push notification I did not initiate?
Change your password immediately and end any open sessions on the compromised account. Check your account activity for any unauthorised access. Contact the service's genuine support team. If the account is linked to a payment method, contact your bank.
Is push-based MFA still worth using if this attack exists?
Yes. Push-based MFA still protects against the majority of credential attacks. The push-bombing technique requires the attacker to have your password already and to be actively engaged — far more effort than a standard account takeover. Upgrade to TOTP or a hardware key for the most sensitive accounts.