MFA Bombing: New Phishing Scam Targets iPhone Users with Password Requests

Pune, 21st June 2024: A new phishing scam known as MFA Bombing (Multi-Factor Authentication Bombing) is targeting iPhone users, posing significant risks. Scammers repeatedly send password change requests to users’ devices, aiming to frustrate them into mistakenly approving the requests. This scam has been gaining attention due to its sophisticated approach and the potential consequences for victims, including unauthorized access to sensitive information.

In recent years, online scams have escalated, with scammers devising new techniques to deceive users. MFA Bombing specifically targets iPhone users by sending continuous password reset requests to all devices linked to the victim’s Apple ID. The objective is to annoy the victim until they accidentally approve a request, giving the scammer access to their Apple ID and potentially their bank accounts, credit cards, and other personal information.

The scam operates by first obtaining the victim’s Apple ID and mobile number through data breaches, social engineering, or phishing attacks. The scammer then initiates multiple password reset requests, flooding the victim’s devices with notifications. When the victim starts the password reset process, they must enter their old password and select a new one. The continuous requests are meant to frustrate the victim into clicking on an approval request that the scammer triggered, inadvertently granting the scammer access.
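The flood-then-approve pattern described above can be spotted on the service side. The following is an added example, not part of the original article and not any vendor's code: it scans an authentication event log for accounts that receive a burst of reset prompts and flags an approval that lands during the burst. The event names, the threshold of 5 prompts and the 10-minute window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, event type).
# The event type names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    ("2024-06-21T09:00:00", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:00:40", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:01:15", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:02:00", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:02:30", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:03:10", "alice@example.com", "reset_prompt"),
    ("2024-06-21T09:03:45", "alice@example.com", "reset_approved"),
    # One prompt followed by an approval: a normal, user-initiated reset.
    ("2024-06-21T09:10:00", "bob@example.com", "reset_prompt"),
    ("2024-06-21T09:10:20", "bob@example.com", "reset_approved"),
    # Five prompts, but spread over an hour: never a burst.
    ("2024-06-21T08:00:00", "carol@example.com", "reset_prompt"),
    ("2024-06-21T08:15:00", "carol@example.com", "reset_prompt"),
    ("2024-06-21T08:30:00", "carol@example.com", "reset_prompt"),
    ("2024-06-21T08:45:00", "carol@example.com", "reset_prompt"),
    ("2024-06-21T09:00:00", "carol@example.com", "reset_prompt"),
]

def find_prompt_floods(events, threshold=5, window=timedelta(minutes=10)):
    """Return (account, alert, timestamp) tuples for prompt floods and for
    approvals that arrive while a flood is in progress."""
    recent = defaultdict(deque)  # account -> prompt times inside the window
    active = set()               # accounts currently being flooded
    alerts = []
    for ts_text, account, kind in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[account]
        while prompts and ts - prompts[0] > window:
            prompts.popleft()    # drop prompts older than the window
        if len(prompts) < threshold:
            active.discard(account)  # burst has aged out
        if kind == "reset_prompt":
            prompts.append(ts)
            if len(prompts) >= threshold and account not in active:
                active.add(account)  # alert once per burst
                alerts.append((account, "prompt_flood", ts_text))
        elif kind == "reset_approved" and account in active:
            # The outcome the scam aims for: hold the change for review.
            alerts.append((account, "approved_during_flood", ts_text))
    return alerts
```
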

To protect against MFA Bombing, users should:
1. Use a strong password for their Apple ID, with at least 12 characters including letters, numbers, and symbols.
2. Enable Two-Factor Authentication (2FA) for added security.
3. Avoid clicking on messages and emails from unknown sources.
4. Regularly update their device software to fix security vulnerabilities.
5. Act quickly if targeted, by changing their Apple ID password and contacting Apple Support immediately.

The increasing frequency of such sophisticated scams highlights the need for heightened awareness and proactive measures to protect personal information. Keeping devices secure and being cautious about unexpected requests are crucial steps in safeguarding against these attacks.