Office of Information Technology warns of authentication scam

Morehead State's Office of Information Technology (OIT) is warning users about potential multi-factor authentication (MFA) scams.

According to Director of Information Security and Compliance Patrick Gonzalez, MFA offers greater security for accounts than a simple username and password login, but it is not foolproof.

"It is important to realize that while MFA provides a significant increase in privacy and security. It does not provide complete safety from attackers and compromised accounts," Gonzalez said. "Once an attacker has acquired your username and password, they can send MFA requests to your authentication device by repeatedly attempting to log in with your credentials. This attack is called “MFA prompt bombing."

Common forms of MFA prompt bombing include:

• Persistently sending MFA requests to your phone until you accept one to make the "noise" stop.
• Sending one or two MFA prompts per day. This method often attracts less attention but is often successful in deceiving by distraction.
• Calling you, pretending to be part of the organization, and telling you they need to send you an MFA request as part of a standard policy or process.
• Gonzalez urges MSU users not to accept a login request from their authentication device that they did not immediately initiate.

"MFA is a powerful control and a best practice to prevent cyber-attacks. However, we must remain mindful of the continuous innovation of cyber criminals and threat actors who prey on our attitudes and behaviors. You are our first and last line of defense," Gonzalez said.

For more information or to report suspicious emails or account activity, contact the OIT at 606-783-HELP (4357) or ithelpdesk@moreheadstate.edu.