Push Bombing Scams: Protecting Your Cardholders from MFA Fatigue
As financial institutions strengthen their fraud mitigation strategies to further safeguard cardholder accounts, Multi-factor Authentication (MFA) has become standard.
But the rise of MFA usage has triggered an increase in sophisticated attacks aimed at circumventing it to commit financial fraud. One scam worth tracking is the push bombing scam, a tactic cybercriminals use to overwhelm and exploit the very systems designed to protect sensitive information. It is also known as an MFA fatigue attack or MFA bombing.
While MFA enhances protection by requiring a second form of verification before granting access to an account, this added security layer can still be exploited: once a cardholder's credentials are compromised, a fraudster can use them to trigger MFA prompts and turn the mechanism against the cardholder in a push bombing attack.
Understanding Push Bombing Scams
In a typical push bombing scenario, the fraudster signs in with the victim's stolen username and password, and MFA prompts the legitimate account holder to verify the login through a secondary method, such as a push notification. Fraudsters exploit this step by repeating the login attempt over and over, bombarding the victim with authorization requests, often in quick succession.
This type of scam doesn't rely on complex deception but on persistence and annoyance. The fraudster aims to overwhelm the victim so they will eventually approve the login, either accidentally or out of frustration. Globally, more than 1 billion unwanted SMS messages are sent every minute, so it's easy to see how these scams spread quickly.
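The pattern described above, many MFA prompts to one account in a short window followed by a single approval, is visible in authentication logs. The following is an added detection example written for this article; it is not Rippleshot's code or any product's API. It assumes a hypothetical log format of `timestamp user event source_ip`, where `event` is one of `push_sent`, `push_denied` or `push_approved`, and the sample log lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format, not from any real system):
# ISO-8601 timestamp, account name, event, source IP of the login attempt.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice push_sent 203.0.113.7
2024-05-01T09:00:05Z alice push_denied 203.0.113.7
2024-05-01T09:00:09Z alice push_sent 203.0.113.7
2024-05-01T09:00:14Z alice push_denied 203.0.113.7
2024-05-01T09:00:18Z alice push_sent 203.0.113.7
2024-05-01T09:00:25Z alice push_sent 203.0.113.7
2024-05-01T09:00:31Z alice push_sent 203.0.113.7
2024-05-01T09:00:40Z alice push_approved 203.0.113.7
2024-05-01T09:05:00Z bob push_sent 198.51.100.4
2024-05-01T09:05:06Z bob push_approved 198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, source_ip)."""
    ts, user, event, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip


def detect_push_bombing(log_text, max_prompts=3, window_seconds=120):
    """Return {user: finding} for accounts that received more than `max_prompts`
    push prompts inside any sliding window of `window_seconds`.

    A finding starts with status "burst". If the account then approves a prompt,
    the status becomes "approved_after_burst", which is the likely-compromise case.
    """
    recent = defaultdict(deque)  # user -> timestamps of push_sent inside the window
    findings = {}
    for line in log_text.strip().splitlines():
        ts, user, event, ip = parse_line(line)
        window = recent[user]
        if event == "push_sent":
            window.append(ts)
            # Drop prompts that fell out of the sliding window.
            while window and (ts - window[0]) > timedelta(seconds=window_seconds):
                window.popleft()
            if len(window) > max_prompts:
                finding = findings.setdefault(
                    user, {"status": "burst", "prompts": 0, "ips": set()})
                finding["prompts"] = max(finding["prompts"], len(window))
                finding["ips"].add(ip)
        elif event == "push_approved" and user in findings:
            findings[user]["status"] = "approved_after_burst"
    return findings


def recommended_action(finding):
    """Map a finding to the defensive response a fraud team would take.

    Actions are suggestions for this example, not a vendor's policy."""
    if finding["status"] == "approved_after_burst":
        return "revoke active sessions, require step-up verification, alert fraud team"
    return "suppress further push prompts for the account and notify the cardholder"


if __name__ == "__main__":
    for user, finding in detect_push_bombing(SAMPLE_LOG).items():
        print(user, finding["status"], finding["prompts"], sorted(finding["ips"]),
              "->", recommended_action(finding))
```

On the sample log, `alice` receives five prompts in 30 seconds and then approves one, so she is flagged as `approved_after_burst`; `bob` receives one prompt and approves it normally, so he is not flagged. The thresholds are deliberately parameters, since the right window and prompt count depend on how often a legitimate cardholder retries a login.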
The Risks of Push Bombing
Push bombing is particularly challenging because the fraudster already has the victim's username and password, often obtained through phishing, social engineering, or data breaches. Once the user mistakenly approves the login, the attacker gains full access to the account.
When a fraudster gains access to an account through push bombing, the risks are high. Depending on the account type, the intruder could change passwords, lock the legitimate user out, and access sensitive information such as email addresses, birthdates, and stored financial details. Combined with other credentials stolen from the victim, that information could also be used to open new accounts or lines of credit. This can lead to significant financial losses, identity theft, customer impact, and long-term damage to your institution's reputation.
How Financial Institution Leaders Can Protect Their Cardholders
It's important to be a resource for your cardholders. Telling your customers about these types of scams reminds them that their FI is looking out for their financial well-being. It also helps them become savvier customers who know how to protect their digital identities. People should be aware that they should never approve a code request they did not initiate, or any code when they are not actively trying to log in.
Financial institutions should continue to educate their customers on how to recognize and respond to scams like push bombing attacks by reminding them to:
- Be aware of SMS scams: Remind customers to ignore MFA prompts if they did not initiate a login attempt. Emphasize that no action should be taken if they receive multiple notifications they did not expect. Explain why, when, and how they should expect to receive a legitimate SMS from their financial institution.
- Report suspicious activity: Create clear channels for customers to report unusual activity or suspected fraud attempts. Prompt reporting can prevent unauthorized access before significant damage occurs.
- Protect their digital identities: Regularly update customers on the latest security threats and best practices for account protection, including the importance of never approving an MFA request they did not initiate and never responding to a suspicious SMS.
By educating your customers about scams like push bombing and equipping them with knowledge to avoid such attacks, you can help safeguard their accounts and maintain trust in your institution.
Staying ahead of these evolving threats requires ongoing education and proactive engagement with your customer base. By fostering customer awareness and vigilance, you can better protect cardholder accounts and your reputation.
Want to learn more about how you can protect yourself and your cardholders?
Fraud is moving fast. Rippleshot helps financial institutions be faster by proactively detecting and stopping credit and debit card fraud before it hits. Rippleshot combines AI, machine learning, its data consortium of 5,000+ FIs and the expertise of its fraud and data scientists to deliver rapid risk detection, data-based decision rules and actionable intelligence.
Equipped with predictive fraud analytics, Rippleshot gives fraud managers, analysts, their teams and the C-Suite comprehensive data visibility and insights to safeguard customers, streamline fraud operations and boost fraud mitigation performance.
Request a Product Tour
You have fraud frustrations? We have the solutions. Let's discuss what you are dealing with and we can learn more and share how we can help.