Be Aware of Sophisticated MFA Phishing Attack

Monday 17 February 2025

As we press forward in a new year, it is timely to talk about the security of your website and how it is always our highest priority. 

There is always increased scamming activity at this time of year. This year, however, security experts globally are reporting an uptick in phishing attacks that specifically target Multi-Factor Authentication (MFA), in addition to the traditional username/password attacks. Rising alongside them are spear-phishing tactics, where emails and text messages are tailored to the recipient to trick them into divulging sensitive information.

MFA phishing attacks aim to do more than steal usernames and passwords: they also capture the one-time code (or push approval) that MFA requires to complete a login. The attacker typically relays the code to the real site within its short validity window, so the extra layer of security that MFA provides is bypassed.
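The relay that makes this work, shown as an added example that is not part of the GovCMS post: a short Python model of a phishing page sitting between the victim and the real login page. The victim's one-time code is forwarded inside its 30-second validity window and accepted by the real site; a FIDO2/WebAuthn-style assertion, which the browser binds to the origin it is actually on, is rejected. Domain names, secrets and the timestamp are constructed, the TOTP code follows RFC 6238 using only hashlib/hmac, and an HMAC stands in for the security key's asymmetric signature so the script runs with the standard library alone.

```python
"""Added example (not GovCMS code): relayed one-time code vs. origin-bound assertion.

Simplified, self-contained model. The TOTP code follows RFC 6238 (HMAC-SHA1,
30-second step). The "security key" signature is modelled with an HMAC over a
shared key so the script runs offline; a real authenticator uses a per-site
asymmetric key pair, but the origin binding shown here is the same idea.
"""
import hashlib
import hmac
import struct

LEGIT_ORIGIN = "https://login.example.gov.au"      # assumed relying party (constructed)
PHISH_ORIGIN = "https://login.examp1e-gov.au.com"  # assumed lookalike site (constructed)
TOTP_SEED = b"constructed-totp-seed-0123456789"     # shared with the victim's app at enrolment
KEY_SECRET = b"constructed-authenticator-key"       # stands in for the key's private key
FIXED_TIME = 1_739_750_400                          # 2025-02-17 00:00:00 UTC (constructed)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_verify_totp(submitted: str, unix_time: int) -> bool:
    """The real site accepts the current code and the previous one (clock skew tolerance)."""
    return any(hmac.compare_digest(submitted, totp(TOTP_SEED, unix_time - 30 * i)) for i in (0, 1))


def relay_totp_attack(victim_time: int, relay_delay_s: int) -> bool:
    """Victim types the code into the phishing page; the attacker forwards it to the real
    site relay_delay_s seconds later. Returns True if the real site accepts it."""
    captured = totp(TOTP_SEED, victim_time)  # what the victim read off their app
    return server_verify_totp(captured, victim_time + relay_delay_s)


def rp_id_hash(origin: str) -> bytes:
    """WebAuthn-style: the browser puts a hash of the site it is on into the signed data."""
    host = origin.split("://", 1)[1]
    return hashlib.sha256(host.encode()).digest()


def authenticator_sign(challenge: bytes, browser_origin: str) -> bytes:
    """The key signs hash(origin the browser is really on) || challenge.
    HMAC stands in for the asymmetric signature (simplification for this demo)."""
    return hmac.new(KEY_SECRET, rp_id_hash(browser_origin) + challenge, hashlib.sha256).digest()


def server_verify_assertion(challenge: bytes, signature: bytes) -> bool:
    """The real site only ever verifies against its own origin hash."""
    expected = hmac.new(KEY_SECRET, rp_id_hash(LEGIT_ORIGIN) + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(signature, expected)


def relay_webauthn_attack() -> bool:
    """Attacker proxies the real site's challenge to the victim, whose browser is on the
    phishing origin; the assertion it produces is bound to that origin and fails."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    relayed = authenticator_sign(challenge, PHISH_ORIGIN)
    return server_verify_assertion(challenge, relayed)


def legitimate_webauthn_login() -> bool:
    """Same challenge, but the browser is genuinely on the real site."""
    challenge = hashlib.sha256(b"constructed-server-challenge").digest()
    return server_verify_assertion(challenge, authenticator_sign(challenge, LEGIT_ORIGIN))


if __name__ == "__main__":
    print("TOTP relayed after 10 s accepted:", relay_totp_attack(FIXED_TIME, 10))
    print("TOTP relayed after 120 s accepted:", relay_totp_attack(FIXED_TIME, 120))
    print("WebAuthn genuine login accepted:", legitimate_webauthn_login())
    print("WebAuthn relayed assertion accepted:", relay_webauthn_attack())
```

The second TOTP call shows the only thing working against the attacker with a one-time code: time. Automated phishing kits forward the code within seconds, well inside the window, so the extra factor adds nothing. The WebAuthn-style assertion fails regardless of speed, because what the victim "approved" was a login to the lookalike host, and the real site never accepts that.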

Greater technology advancements also bring greater security risks, and MFA phishing is one of them. These attacks will continue to be a growing threat; they rely on urgency and social engineering tactics (for example, attackers calling or messaging people and posing as service or sales agents) to get around security measures.

Help us to help you keep your websites safe from cyber vulnerabilities. This is a shared responsibility between all of us. Stay a step ahead of potential attacks from these more sophisticated Phishing scams by following our top tips:

  • Be Alert to Unexpected MFA Requests: If you get an unexpected MFA prompt, don’t approve it. Only approve MFA requests as part of logging in or a revalidation process. 
  • Check Login Pages Carefully: Before entering your credentials, make sure the URL is correct and uses HTTPS. Look out for any small differences in the URL, such as swapped, missing or extra characters. HTTPS on its own does not prove a page is genuine; phishing pages commonly have valid certificates too, so the domain name is what matters. 
  • Beware of Urgent Messages: Phishing attacks often use urgent messages to make you act quickly. If you suspect something is off, you can check if a message was legitimately sent to you by contacting the GovCMS Service Desk. 
  • Consider Phishing-Resistant MFA Methods: If you can, use hardware-based authentication keys like YubiKey for higher security. These keys require physical presence to approve a login attempt and, with FIDO2/WebAuthn, only respond to the genuine site they were registered with, so nothing captured by a lookalike page is of use to the attacker. GovCMS now offers SSO, so if your Identity Provider supports a phishing-resistant method you can take advantage of it.
  • Under shared responsibility, GovCMS provides you with the ability to enable MFA for your website’s privileged users. Please check with your developers and make sure this is enabled for your website.
  • GovCMS is currently exploring options to provide a phishing resistant MFA solution for our customers. Stay tuned for updates.
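A concrete version of the URL check above, added here and not part of the GovCMS post: given the login host you expect, it explains why a link in a message should not be trusted. It covers the cases that matter in practice: a non-HTTPS scheme, user-info before '@' that hides the real host, punycode (internationalised) labels that display as lookalike characters, the real name used as a subdomain of an attacker's domain, digit-for-letter substitutions, and one- or two-character typos. The expected host and all sample links are constructed for the demo.

```python
"""Added example (not GovCMS code): spot the "small differences" in a login URL."""
from urllib.parse import urlsplit

EXPECTED_HOST = "login.example.gov.au"  # assumed legitimate login host (constructed)

# Characters that look alike in common fonts; multi-character pairs are listed
# first so they are folded before the single characters they contain.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "i": "l"}


def decode_idn(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode they are displayed as."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode or malformed: leave it alone


def fold(host: str) -> str:
    """Map confusable characters to one canonical form so lookalikes compare equal."""
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_login_url(url: str, expected_host: str = EXPECTED_HOST) -> list:
    """Return the reasons a link should not be trusted. An empty list means the link
    is HTTPS and points at the expected host (or a subdomain of it)."""
    parts = urlsplit(url.strip())
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("not HTTPS")
    if parts.username is not None:
        # https://login.example.gov.au@evil.example/ really goes to evil.example
        findings.append(f"user-info before '@' hides the real host ({parts.hostname!r})")
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it
    decoded = decode_idn(host)
    if decoded != host:
        findings.append(f"internationalised host {host!r} displays as {decoded!r} (possible homoglyph)")
    if host == expected_host or host.endswith("." + expected_host):
        return findings
    if expected_host in host:
        findings.append(f"{expected_host!r} appears inside a different domain ({host!r})")
    elif fold(decoded) == fold(expected_host):
        findings.append(f"confusable characters substituted for {expected_host!r}")
    elif levenshtein(decoded, expected_host) <= 2:
        findings.append(f"one or two characters away from {expected_host!r} (typosquat)")
    else:
        findings.append(f"host {host!r} is not {expected_host!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample links a phishing message might carry.
    samples = [
        "https://login.example.gov.au/user/login",
        "http://login.example.gov.au/user/login",
        "https://login.examp1e.gov.au/",
        "https://login.example.gov.au.verify-account.com/",
        "https://login.exampel.gov.au/",
        "https://login.example.gov.au@203.0.113.7/login",
        "https://" + "login.exämple.gov.au".encode("idna").decode("ascii") + "/",
    ]
    for link in samples:
        print(link, "->", check_login_url(link) or "OK")
```

The exact-match rule at the centre is the real lesson: the only safe comparison is against a host you already know, which is why bookmarking the genuine login page beats inspecting links in messages. The other checks just make the usual tricks visible when you do have to look at one.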

Additional information on securing your devices is available at the Australian Cyber Security Centre webpage.