Multi-Factor Authentication and Cyberattacks
Protect Your MFA So It Can Protect You
Multi-Factor Authentication (MFA) is so effective at securing accounts and personal information that it has caused cyberattackers to adjust their tactics. Increasingly, they're attempting to circumvent MFA by fooling people into giving out their confidential MFA code or responding to a fake MFA authentication request. Targeting the human, rather than the technology, to undermine security is called social engineering, and it's how most cyberattacks succeed.
What's the threat?
Cyberattackers who compromise MFA via this type of phishing attack can gain access to everything you have access to—including NYU Email, NYU cloud storage, Workday, internal systems, and anything else you use your NYU login to access.
One compromised account could open the door to attacks on other critical systems and services. Attackers can even disrupt or reroute your paycheck and add their own device to your MFA profile.
How are cyberattackers attempting to fool us?
- The primary method attackers use is to send fake MFA authentication notices, often a lot of them, in an attempt to fool you or annoy you into clicking APPROVE (you might hear this called MFA bombing) or giving someone your passcode.
- They can come via SMS text message, email, phone call, or even what looks like a notification from Duo. By phone, the attacker will usually claim to be a co-worker or IT support staff.
- The goal is to get you to:
  - Approve a fraudulent Duo notification.
  - Give them your passcode if you authenticate by passcode or SMS text message.
  - Click something on a convincing fake authentication site that collects your data.
Additional info: MFA Related Phishing Attempts (NYU IT Security News and Alerts)
Examples of phishing email and fake login screen
1. Cyberattackers are sending links like the one in this email, urging the recipient to click a link that leads to a fake MFA authentication screen.
2. An example of a fake login screen. Note the odd URL as a key giveaway that this site is not legitimate.
How can you protect yourself (and others)?
While attacks on MFA constitute a significant security threat, they are easily blocked using one simple method:
- If you didn't initiate MFA authentication immediately before getting the notification, DO NOT RESPOND. If it's someone on the phone, hang up. That's usually all it takes to beat this sort of scam.
- Don't react to any sense of urgency or panic they attempt to create.
- If they claim to be from NYU, they're lying. No one at NYU will EVER contact you and ask for information about your MFA credentials, just as no one at NYU will contact you asking for your password.
- Multiple authentication requests can be annoying, especially in the middle of the night. Attackers are relying on your frustration to succeed.
- If you receive an authentication request you did not initiate, select DENY on the Duo screen. You will then be asked: “Was this a suspicious login?” Select Yes, and Duo administrators will be alerted.
- Report the attempt immediately to security@nyu.edu so NYU's Global Office of Information Security (GOIS) can investigate the attack and help protect you and everyone else at the University.
- You can see what devices have been added to your MFA profile via the instructions below.
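As an added illustration, not part of NYU's page or of Duo's own tooling, here is how the pattern above looks from the defender's side: the burst of push prompts described under "How are cyberattackers attempting to fool us?" and the DENY-plus-"suspicious login" signal from the list above can both be flagged from authentication logs. The record shape, field names and reason values below are constructed assumptions for the example, not the real Duo log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in a simplified, Duo-like shape. Field names and
# reason values are assumptions for this example, not the real Duo log schema.
SAMPLE_LOG = """
{"ts":"2024-03-04T02:10:05Z","user":"jdoe","factor":"duo_push","result":"denied","reason":"no_response"}
{"ts":"2024-03-04T02:10:40Z","user":"jdoe","factor":"duo_push","result":"denied","reason":"no_response"}
{"ts":"2024-03-04T02:11:12Z","user":"jdoe","factor":"duo_push","result":"denied","reason":"user_denied"}
{"ts":"2024-03-04T02:11:50Z","user":"jdoe","factor":"duo_push","result":"denied","reason":"no_response"}
{"ts":"2024-03-04T02:12:30Z","user":"jdoe","factor":"duo_push","result":"success","reason":"user_approved"}
{"ts":"2024-03-04T09:00:00Z","user":"asmith","factor":"duo_push","result":"denied","reason":"user_marked_fraud"}
{"ts":"2024-03-04T09:05:00Z","user":"bwong","factor":"duo_push","result":"success","reason":"user_approved"}
"""

BURST_COUNT = 4        # this many push prompts to one user ...
BURST_WINDOW_S = 300   # ... within this many seconds counts as MFA bombing

def parse_events(text):
    """Parse one JSON record per line and return them in time order."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["t"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["t"])

def detect_mfa_fatigue(text):
    """Return sorted (user, alert) pairs. Alert kinds:
    push_burst         - BURST_COUNT or more pushes to one user inside BURST_WINDOW_S
    marked_fraud       - the user pressed DENY and answered Yes to "suspicious login?"
    burst_then_approve - a burst ended with an approval: treat the account as compromised"""
    alerts = set()
    recent = defaultdict(list)   # user -> timestamps of push prompts still inside the window
    for ev in parse_events(text):
        user = ev["user"]
        if ev.get("reason") == "user_marked_fraud":
            alerts.add((user, "marked_fraud"))
        if ev.get("factor") != "duo_push":
            continue
        window = recent[user]
        window.append(ev["t"])
        while (ev["t"] - window[0]).total_seconds() > BURST_WINDOW_S:
            window.pop(0)            # forget prompts older than the window
        if len(window) >= BURST_COUNT:
            alerts.add((user, "push_burst"))
            if ev["result"] == "success":
                alerts.add((user, "burst_then_approve"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{user}: {alert}")
```

In the sample, jdoe's night-time burst that ends in an approval is the case the page warns about; asmith's DENY marked as suspicious is the signal that reaches Duo administrators.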
Think you might have been compromised?
- First, don't panic—but do take action quickly. The faster you report the incident, the less damage the attacker can do. Scammers are good at what they do, so there's no need to feel bad if they got you.
- Change your NYU password.
- Email security@nyu.edu to report the incident. Please include as much information as you can. If you're unable to send email, contact the NYU IT Service Desk by phone.
- Review the list of devices associated with your MFA enrollment and remove any you didn't add yourself (see the "Manage your MFA devices" instructions above).
If you're unsure whether your MFA has been compromised, you should still contact NYU IT for support. It's easier to breathe a sigh of relief over a false alarm than it is to recover from a successful attack that goes unreported.
What is NYU doing to help protect the community?
NYU is constantly evolving its cybersecurity infrastructure to counter attacks. This includes increasing rapid response to incidents, studying reports and trends to be on high alert when a known attack is impacting multiple community members, and continuing to expand the database of attacks used to screen phishing and social engineering attempts.
Additional information
- MFA Related Phishing Attempts (NYU IT Security News and Alerts)
- Tricks Used By Scammers to Bypass MFA (NYU IT Security News and Alerts)
- More about phishing
- About the NYU Multi-Factor Authentication service
- Responding to Fraudulent/Unsolicited MFA Requests (ServiceLink knowledge article)
- Managing Multi-Factor Authentication devices & settings (add, update, remove) (ServiceLink knowledge article)