Tech Tip: How Phone Phishing Can Bypass MFA

Most people know that multifactor authentication (MFA) does a great job of preventing criminals from logging in with a stolen password. But as the saying goes, better mousetraps make smarter mice.

Cybercriminals are now effectively bypassing MFA by targeting people directly through phone calls. With the help of AI, threat actors can gather detailed information about a victim, including what applications they use and which phone numbers are associated with their IT support team.

Using spoofed caller ID, criminals call the victim pretending to be IT support. They then direct the person to a phishing website that looks nearly identical to a legitimate login page. Once credentials are entered, it can be game over in seconds.

This attack method commonly targets platforms such as Microsoft 365, Google Workspace, Dropbox, Salesforce, Slack, Zoom, Box, and many others. In some cases, attackers can compromise a company’s entire Single Sign-On (SSO) portal, giving them access to multiple business-critical systems at once.

One of the most concerning aspects of this attack vector is how accessible it is. The criminals carrying out these attacks often do not need advanced technical skills. Instead, they purchase “as-a-service” phishing toolkits that handle most of the work for them. Sophisticated cybercrime groups sell these ready-made kits to multiple attackers, dramatically increasing the scale of these threats.

The takeaway is simple: be suspicious of any unexpected call from IT support, even when the caller ID looks legitimate. Always confirm the caller's identity through a verification method before taking any action they request.

And yes, we still strongly recommend using MFA. While it is not perfect, it remains one of the most effective security controls available and significantly reduces risk when combined with user awareness.

Want to see a tech tip on a specific topic, or have a great idea to share? Contact Pegasus and let us know. Your suggestion may appear in a future newsletter.