Cybercrime: Multifactor authentication fatigue

How to defend against a persistent security attack

Online fraud attempts are at an all-time high. The AFP 2025 Payments Fraud and Control Survey Report indicates that in 2024 alone, 79% of organizations experienced some form of real or attempted cyberfraud.[Disclosure 1] To combat this alarming rise, cybersecurity professionals have developed and popularized a host of novel security apps and protocols—the most widely adopted of which has been multifactor authentication (MFA).

Upon initial release, MFA’s requirement of two or more factors—such as a standard credential password combined with user biometrics or a unique one-time code provided through secure, stand-alone apps—confounded hackers’ efforts to access businesses’ digital networks.

But cybersecurity is a game of cat and mouse. Within a few years of MFA’s widespread adoption, hackers developed MFA fatigue attacks—a devious, unrelenting, and now widely adopted method of assault on credential security that has left some of the world’s biggest companies reeling in its wake.

Key concepts

In this article, we explore:

  • What MFA fatigue is
  • Who it targets 
  • How you can prevent it

What is MFA fatigue?

MFA fatigue—also called MFA bombing or MFA spamming—is a cybersecurity fraud technique that aims to overwhelm users with verification requests. When fraudsters enter a stolen password, your MFA system sends a verification request to the target (the credential’s true owner).

If the target (your employee) approves it, the hacker gains instant access to your system. If they don’t approve it, hackers will continue bombarding employees with authentication requests for hours or even days—wearing down busy or distracted staff members until they approve a fraudulent request that gives them access to your system.

MFA fatigue succeeds by exploiting a human weakness shared by everyone from CEOs to junior team members. The busier the user is—and the more they trust your authentication system—the more likely they are to approve one of the verification requests and compromise your network security.

Good news: Next-gen MFA tools will increase credential security.

Security experts are perfecting MFA defenses that don’t require passwords. Currently, federal agencies require phishing-resistant authentication technology such as FIDO2.[Disclosure 2] This approach replaces passwords with a fingerprint, face scan, or security key.

Case study: Strong security keeps planes flying and passengers safe in Hawaiian Airlines MFA fatigue breach.

In June of 2025, the internal systems of Hawaiian Airlines were breached by a combined phishing and MFA fatigue attack.[Disclosure 3] First, fraudsters used social engineering to obtain employee login credentials. The criminals then bombarded targeted employees with MFA push notifications until one was accepted. Though the hackers gained access, following cybersecurity best practices enabled the airline to quickly detect and strategically contain the attack—neutralizing the hackers before additional data theft could occur and preventing the grounding of any flights.

[Infographic] 25%: Percentage of push-based MFA fatigue attacks that resulted in targets approving a fraudulent push.[Disclosure 4] Data source: Cisco Talos Intelligence Blog, June 18, 2024.

Best practices and prevention

Halting MFA fatigue is possible by training your staff and tightly managing the boundaries of your digital network. Here are a handful of tips that can help kickstart your efforts.

Educate team members on credential theft through social engineering fraud.

Teach colleagues how to recognize the telltale signs of social engineering fraud. Because MFA fatigue begins with a stolen password, preventing credential theft removes the attacker’s starting point and foils the attack before it can be launched.

Raise awareness around MFA security red flags.

Make teammates aware that incessant verification requests, notifications at odd hours, and other unusual messages can be signs of a hacker’s attempted MFA attack. Even slight inconsistencies in notification behaviors should be treated as red flags—and reported immediately.

Keep security protocols tidy.

Passwords should be created following IT security standards, changed regularly, never shared, and never reused. Have your IT team consistently monitor sign-in activity to detect irregularities that could signal attacks. Also, direct employees to install updates for firmware, software, and security apps as soon as they become available.

Adjust MFA parameters.

Not all MFA security processes offer the same level of security. Consider adopting approaches that verify the user’s geolocation, increase the number of factors needed to gain network access, and limit the number of MFA attempts in a given period.
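As an added example that is not part of the original article, the Python sketch below turns two of the tips above into code: a detector that flags a user who receives more than a few pushes in a short window (the sign-in monitoring described earlier) and a sliding-window limiter that stops sending pushes once that limit is reached. The log format, the 10-minute window and the three-push threshold are assumptions, and the log lines are constructed.

```python
"""Detect MFA push bombing in sign-in logs and cap pushes per user per window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp, user, push result.
SAMPLE_LOG = """\
2025-06-01T02:14:03Z alice push_denied
2025-06-01T02:14:41Z alice push_denied
2025-06-01T02:15:09Z alice push_timeout
2025-06-01T02:15:55Z alice push_denied
2025-06-01T02:16:30Z alice push_denied
2025-06-01T02:17:12Z alice push_approved
2025-06-01T09:02:11Z bob push_approved
2025-06-01T13:45:00Z carol push_denied
2025-06-01T17:10:22Z carol push_approved
"""

WINDOW = timedelta(minutes=10)  # assumed sliding window
MAX_PUSHES = 3                  # assumed pushes allowed per user per window


def parse_log(text):
    """Return (timestamp, user, result) tuples, one per push event."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_bombing(events, window=WINDOW, max_pushes=MAX_PUSHES):
    """Flag users who got more than max_pushes pushes inside one window.
    An approval arriving inside such a burst is the case responders care most
    about, so it is recorded separately."""
    recent, alerts = defaultdict(deque), {}
    for ts, user, result in sorted(events):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:          # drop pushes older than the window
            q.popleft()
        if len(q) > max_pushes:
            a = alerts.setdefault(user, {"pushes": 0, "approved_after_burst": False})
            a["pushes"] = max(a["pushes"], len(q))
            a["approved_after_burst"] |= result == "push_approved"
    return alerts


class PushRateLimiter:
    """Refuse to send a push once a user already received max_pushes in the window,
    so a burst of attempts with a stolen password never reaches the phone."""
    def __init__(self, window=WINDOW, max_pushes=MAX_PUSHES):
        self.window, self.max_pushes, self.sent = window, max_pushes, defaultdict(deque)

    def allow_push(self, user, now):
        q = self.sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_pushes:
            return False
        q.append(now)
        return True
```

Any user the detector flags should be treated as a possible credential compromise even if no approval followed, since the burst itself shows the password is already in the attacker's hands.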

Vary your MFA methods.

Many MFA apps include verification methods less susceptible to fatigue. One example is MFA number matching, which provides users with a random string of digits generated by an authenticator app. The user must then select the correct number from several options offered by the network to avoid entry denial.

Consider implementing least privilege.

Least privilege places highly sensitive information like HR records and financial data under restricted access. With it in place, only one or two people in an entire organization have the credential access to pull up certain information like bank account numbers. This means hackers can only get what they want by targeting a specific person, not just any employee.

FAQ on MFA fatigue


MFA fatigue is not the only way criminals get past MFA; there are several others. Among the stealthiest of these methods are adversary-in-the-middle attacks that use fake sign-in pages, and service desk social engineering, where bad actors trick IT support by impersonating a staff member who forgot their password.

Zero trust is a tightly controlled IT security method that demands ID verification for every user, no matter the circumstances.

Turn to professionals for protection.

To learn more about cybersecurity threats and the various types of fraud facing your organization, connect with one of Truist’s relationship managers.
