
What to do when receiving unprompted MFA OTP codes
2023-12-17 16:06

Marketplaces devoted to selling stolen consumer online accounts make financial fraud easy: threat actors can buy accounts for Amazon, Marriott Bonvoy rewards, Dunkin, Instacart, and many other well-known retail stores for as little as $1.50.

To better secure your online accounts, many companies offer a security feature called multi-factor authentication (MFA), which, when configured, requires users to enter an additional form of verification before being allowed to log in to their account.

This week, both a friend and a family member reached out to me stating that they received a text message from Amazon containing an MFA OTP required to log in to their account.

When receiving an unprompted 2FA code, the account holder should assume their credentials were stolen and log directly into Amazon, without clicking on any links in text messages or emails, to change their password.

Relying on MFA alone to protect the account gives a false sense of security, as threat actors have figured out ways to bypass MFA in the past, so there is no reason to give them the opportunity to do so with your account.
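The same signal can be checked from the service side. The following is an added example, not part of the original article: it scans authentication events for OTP challenges that were sent but never verified before expiring. The log format, event names, and 10-minute validity window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format): timestamp account event source_ip
SAMPLE_LOG = """\
2023-12-17T10:00:00 alice password_ok 203.0.113.7
2023-12-17T10:00:01 alice otp_sent 203.0.113.7
2023-12-17T10:00:40 alice otp_verified 203.0.113.7
2023-12-17T11:15:00 bob password_ok 198.51.100.23
2023-12-17T11:15:01 bob otp_sent 198.51.100.23
2023-12-17T11:20:00 bob password_ok 198.51.100.23
2023-12-17T11:20:01 bob otp_sent 198.51.100.23
2023-12-17T12:00:00 carol password_fail 192.0.2.9
"""

OTP_WINDOW = timedelta(minutes=10)  # assumed OTP validity period


def parse(log):
    """Yield (timestamp, account, event, ip) tuples from the log text."""
    for line in log.splitlines():
        if line.strip():
            ts, account, event, ip = line.split()
            yield datetime.fromisoformat(ts), account, event, ip


def abandoned_otp_challenges(log, now):
    """Return {account: [(sent_time, ip), ...]} for OTPs that expired unverified.

    Assumption: the service sends an OTP only after the password check passes,
    so an OTP nobody redeems means someone knew the password but not the code.
    """
    pending = {}  # account -> challenges still awaiting verification
    for ts, account, event, ip in sorted(parse(log)):
        if event == "otp_sent":
            pending.setdefault(account, []).append((ts, ip))
        elif event == "otp_verified":
            # A verification clears challenges that were still valid at that time.
            pending[account] = [(t, i) for t, i in pending.get(account, [])
                                if ts - t > OTP_WINDOW]
    flagged = {}
    for account, challenges in pending.items():
        expired = [(t, i) for t, i in challenges if now - t > OTP_WINDOW]
        if expired:
            flagged[account] = expired
    return flagged


if __name__ == "__main__":
    for acct, hits in abandoned_otp_challenges(SAMPLE_LOG, datetime(2023, 12, 17, 13)).items():
        print(f"{acct}: {len(hits)} unredeemed OTP challenge(s); prompt a password change")
```

Accounts returned here are candidates for a prompted password change, matching the advice above to treat the password as stolen.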

While SMS and email 2FA provide extra protection for your accounts, they are the riskiest MFA methods to use.


News URL

https://www.bleepingcomputer.com/news/security/what-to-do-when-receiving-unprompted-mfa-otp-codes/