MFA Fatigue Attacks: When Cybercriminals Spam Your Approvals
So you've set up multi-factor authentication. You're feeling smug about your cybersecurity hygiene. Good for you — you should be. But now there's a new problem: criminals have found a way to abuse MFA itself.
It's called an MFA fatigue attack (or push bombing), and it's exactly as exhausting as it sounds.
How it works:
- A criminal somehow gets your username and password (through a phishing attack, a data breach, or credential stuffing).
- They try to log in, triggering an MFA push notification on your phone.
- They keep trying — over and over and over — sending a flood of "Are you trying to log in?" notifications to your phone.
- At 2am, or after the 40th notification, or in the middle of a busy workday, you hit "Approve" just to make it stop.
- The criminal is in.
This is not a hypothetical attack. It's been used successfully against major organisations, including a high-profile Uber breach in 2022.
Why does it work?
- We're conditioned to tap "approve" when our phone asks us to
- Repeated interruptions wear down our resistance
- People often assume repeated prompts mean there's a technical glitch — not an attack
- We don't always read the context carefully before approving
How to protect yourself:
- Switch to number-matching MFA. Modern MFA apps like Microsoft Authenticator have a feature where the app shows you a number, and you have to enter the matching number shown on the login screen. A criminal sending push notifications won't know the right number.
- Switch to an authenticator app instead of push notifications. If your MFA involves you typing a code from an app rather than approving a push, this attack doesn't work — the criminal can't spam your phone.
- Never approve an MFA request you didn't initiate. If you get a push notification and you're not actively trying to log in — that's not a glitch. Someone has your password and is trying to log in. Deny it immediately, then change your password.
- For businesses: Enable SSPR (Self-Service Password Reset) lockout policies. If there are repeated failed MFA attempts on an account, lock it temporarily and alert the user.
- Report the attack. If you're receiving a flood of MFA requests you didn't trigger, contact your IT team or managed service provider immediately.
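The pattern in "How it works" and the lockout-and-alert advice above can both be checked from MFA prompt logs. The following is an added example, not code from the original post: it runs over a constructed sample of push-prompt events (timestamp, user, result) and flags a burst of prompts to one user in a short window, plus the exact failure mode described above, an approval that lands right after a run of denied or unanswered prompts. The log format, thresholds and window are assumptions for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of MFA push-prompt events (not real logs). One prompt per
# line: "timestamp,user,result" where result is approved / denied / timeout.
SAMPLE_LOG = """\
2024-03-01T01:58:00,alice,denied
2024-03-01T01:58:40,alice,timeout
2024-03-01T01:59:10,alice,denied
2024-03-01T02:00:05,alice,timeout
2024-03-01T02:00:50,alice,denied
2024-03-01T02:01:30,alice,approved
2024-03-01T09:15:00,bob,approved
2024-03-01T13:40:00,bob,approved
"""

def parse_events(text):
    """Parse the constructed log into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), user, result))
    return sorted(events)

def detect_push_bombing(events, max_prompts=5, suspicious_rejects=3,
                        window=timedelta(minutes=10)):
    """Return (finding, user, timestamp) tuples.
    'burst': the user has received max_prompts prompts inside the window, which is
    where a temporary lock plus a user alert would be triggered.
    'approve_after_burst': an approval arrives while suspicious_rejects or more
    denied/timed-out prompts are still inside the window (the fatigue give-in)."""
    recent = {}  # user -> deque of (timestamp, result) still inside the window
    findings = []
    for ts, user, result in events:
        q = recent.setdefault(user, deque())
        while q and ts - q[0][0] > window:   # drop prompts older than the window
            q.popleft()
        rejected = sum(1 for _, r in q if r != "approved")
        if result == "approved" and rejected >= suspicious_rejects:
            findings.append(("approve_after_burst", user, ts))
        q.append((ts, result))
        if len(q) == max_prompts:            # fires once as the burst threshold is crossed
            findings.append(("burst", user, ts))
    return findings

if __name__ == "__main__":
    for finding in detect_push_bombing(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample above, alice triggers a "burst" at the fifth prompt and an "approve_after_burst" on the approval that follows; bob's two ordinary approvals hours apart produce nothing.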
The bottom line
MFA is still far better than no MFA. Don't let this put you off using it. Just use it smartly — choose number-matching or code-based MFA over simple push approvals, and treat any unexpected push notification as a red flag.