Multi-Factor Authentication: Your Best Defence Against Phishing
If there's one thing you do this week to improve your cybersecurity, make it this: turn on multi-factor authentication (MFA) on every account that matters.
It's free. It takes five minutes. And it stops the vast majority of credential-based attacks dead in their tracks.
What is MFA?
Multi-factor authentication means that logging in requires more than just a password. It requires a second piece of evidence that you are who you claim to be. Usually, that second factor is one of:
- A code sent to your phone via SMS
- A code generated by an authenticator app (like Google Authenticator or Microsoft Authenticator)
- A biometric — your fingerprint or face
- A physical security key
The idea: even if a scammer steals your password through a phishing attack, they still can't log in without that second factor. And since they don't have your phone or your face, they're stopped.
How effective is MFA?
According to Microsoft, MFA blocks over 99.9% of account compromise attacks. That's not a small improvement. That's effectively bulletproofing your accounts against the most common type of attack.
Which accounts should have MFA turned on?
At a minimum:
- Your email account (this is the master key — protect it first)
- Internet banking and payment platforms
- Your business management tools (accounting software, project management, CRM)
- Cloud storage (Google Drive, OneDrive, Dropbox)
- Social media business accounts
- Any system that gives access to customer data
How to turn on MFA:
Most platforms make it easy. Look in your account's Settings > Security > Two-factor authentication (or Two-step verification). The process is usually:
- Choose your second factor (authenticator app is recommended over SMS)
- Set it up on your phone
- Done
Authenticator apps are preferred over SMS codes because SMS messages can be intercepted through "SIM swapping" attacks, where a scammer takes over your phone number. Apps generate a fresh code every 30 seconds from a secret stored on your phone, so they don't depend on your phone number at all.
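To show what is actually happening inside an authenticator app, here is a small, self-contained implementation of the time-based one-time password scheme those apps use (TOTP, RFC 6238, built on HOTP, RFC 4226). This is an added example, not code from the original post or from any particular authenticator app. The `hotp`, `totp`, `verify_totp` and `decode_base32_secret` function names are my own, the secret `12345678901234567890` is the published RFC test-vector key, and the one-step drift window on the server side is an assumption, not a universal rule.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 published test-vector secret (ASCII "12345678901234567890").
# It is a test key only; a real enrolment secret comes from the service's QR code.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of 30 s steps since epoch.
    This is why a code 'expires': once the clock crosses a step boundary the
    counter changes and the old code no longer matches."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Accepts the current step plus `window` steps either
    side to tolerate clock drift. Returns the matched counter (so the caller
    can record it and refuse a replay of the same code) or None."""
    now_counter = at_time // step
    for drift in range(-window, window + 1):
        counter = now_counter + drift
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def decode_base32_secret(text: str) -> bytes:
    """Enrolment secrets are shared as Base32 (the string in the QR code / otpauth URI),
    often shown in spaced groups; normalise and decode them."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)              # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # What the app on your phone computes right now:
    print("current code:", totp(RFC_TEST_SECRET, int(time.time())))
    # Same code is valid for the whole 30-second step, then rolls over:
    print("t=59 ->", totp(RFC_TEST_SECRET, 59), " t=60 ->", totp(RFC_TEST_SECRET, 60))
```

Two points worth noticing in the verifier: the comparison uses `hmac.compare_digest` rather than `==`, and it returns the counter that matched so a service can store it and reject the same code being submitted twice within the window. Both are the kind of detail that distinguishes a sound implementation from one that merely produces the right digits.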
MFA for business
If you're running a business, don't just do this for yourself — roll it out across your whole team. Most business tools (Microsoft 365, Google Workspace, Xero, etc.) allow administrators to require MFA for all users. Do it.
A single employee's compromised account can be enough to breach your entire business. MFA is cheap insurance.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.