Security Alert: Push Bombing (MFA Fatigue) Attacks

We want to raise awareness about a growing cyber threat known as Push Bombing, also referred to as MFA Fatigue. This tactic targets users who have multi-factor authentication (MFA) enabled and relies on overwhelming them with repeated login approval requests.

How the Attack Works

Attackers first obtain a username and password, often through phishing or previous data breaches. They then repeatedly attempt to log in, triggering a flood of MFA push notifications on the victim’s device.

Their goal is to:

  • Frustrate or confuse you
  • Catch you off guard at a busy moment
  • Trick you into approving a login request you didn’t initiate

Once approved, the attacker gains access to the account.

Warning Signs to Watch For

  • Multiple MFA push notifications you did not request
  • Login approval prompts arriving late at night or during non-work hours
  • A sudden MFA prompt while you are not actively signing in
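
For whoever monitors authentication logs, the first two warning signs above can be checked automatically. The following is an added example, not part of the original alert: it flags bursts of unapproved push requests, marks off-hours activity, and escalates any approval that follows a burst. The event fields, window, threshold and business hours are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, result). The field layout is an
# assumption for illustration, not any MFA vendor's log schema.
SAMPLE_EVENTS = [
    ("2024-05-14T02:11:05", "alice", "denied"),
    ("2024-05-14T02:11:40", "alice", "timeout"),
    ("2024-05-14T02:12:15", "alice", "denied"),
    ("2024-05-14T02:13:02", "alice", "approved"),
    ("2024-05-14T09:30:00", "bob", "approved"),
    ("2024-05-14T14:00:00", "carol", "denied"),
    ("2024-05-14T14:20:00", "carol", "denied"),
]

WINDOW = timedelta(minutes=10)  # assumed burst window
THRESHOLD = 3                   # assumed: unapproved pushes per window that count as a burst
WORK_HOURS = range(8, 18)       # assumed local business hours (08:00-17:59)


def detect_push_bombing(events):
    """Return (user, timestamp, message, off_hours) alerts for push bursts."""
    recent = defaultdict(deque)  # user -> times of unapproved pushes still in the window
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(ts_raw)
        window = recent[user]
        while window and ts - window[0] > WINDOW:
            window.popleft()  # drop pushes older than the window
        off_hours = ts.hour not in WORK_HOURS
        if result == "approved":
            # An approval right after a burst is the outcome the attacker wants.
            if len(window) >= THRESHOLD:
                alerts.append((user, ts_raw, "critical: approval after push burst", off_hours))
            window.clear()
        else:
            window.append(ts)
            if len(window) == THRESHOLD:  # alert once when the burst is first reached
                alerts.append((user, ts_raw, "warning: repeated unapproved pushes", off_hours))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```
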

How to Protect Yourself

If you receive unexpected MFA prompts:

  • Do NOT approve them
  • Do NOT ignore repeated prompts
  • Select “Deny” or “Report” if available
  • Immediately change your password using 1Password
  • Notify the OPS & IT PM right away

Additional best practices:

  • Use strong, unique passwords for every account
  • Never reuse work passwords on personal sites
  • Stay alert for phishing attempts that may precede MFA fatigue attacks

Why This Matters

MFA is one of our strongest security defenses, but it only works if approvals are handled carefully. Approving a single fraudulent request can compromise your account, client data, and company systems.

Key Reminder

Only approve MFA requests that you personally initiated.
If you didn’t try to log in, it’s not your request.

If you experience push bombing or notice suspicious account activity, report it immediately to the OPS & IT PM.

Stay alert. Stay secure. And never approve unexpected login requests.
