If you or someone you know owns an iOS device, watch for en-masse password reset spam. If it happens, you’re on the receiving end of a two-factor authentication (2FA) bombing attack.
While the attack may seem scary, you’re completely in control of the situation. As long as you know how 2FA bombing works, the scammer can’t access your account.

What Is 2FA Bombing?
2FA bombing (also known as “MFA bombing” or “MFA fatigue”) is when an attacker gets a hold of somebody’s account information and tries to log in with it. If the account has two-factor authentication protection and doesn’t use a separate authenticator app or device, it will send a text, email, or phone notification to the account holder, asking if they want to log in.
Usually, this is the end of the story. However, with 2FA bombing, the attacker bombards the user with 2FA requests in hopes that they will either accidentally allow it or accept it to stop the messages from coming in.
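
On the service side, the pattern described above shows up in authentication logs as a burst of prompts for one account, sometimes followed by an approval. The Python below is an added example, not part of the original article: it flags both conditions, and the log format, event names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed look-back window
THRESHOLD = 5                  # assumed prompts per window that count as a burst

# Constructed sample log (hypothetical format: timestamp user event).
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice push_sent
2024-01-01T10:00:10 alice denied
2024-01-01T10:00:20 alice push_sent
2024-01-01T10:00:40 alice push_sent
2024-01-01T10:01:00 alice push_sent
2024-01-01T10:01:05 bob push_sent
2024-01-01T10:01:12 bob approved
2024-01-01T10:01:20 alice push_sent
2024-01-01T10:01:40 alice push_sent
2024-01-01T10:02:30 alice approved
2024-01-01T10:10:00 carol push_sent
2024-01-01T10:20:00 carol push_sent
2024-01-01T10:30:00 carol push_sent
"""

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return (timestamp, user, alert) tuples for bursts and post-burst approvals."""
    recent = defaultdict(deque)  # user -> timestamps of prompts inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, event = line.split()
        ts = datetime.fromisoformat(ts_text)
        prompts = recent[user]
        # Drop prompts that have aged out of the window.
        while prompts and ts - prompts[0] > window:
            prompts.popleft()
        if event == "push_sent":
            prompts.append(ts)
            if len(prompts) == threshold:  # alert once, when the burst is reached
                alerts.append((ts, user, "prompt_burst"))
        elif event == "approved" and len(prompts) >= threshold:
            # An approval in the middle of a burst is the outcome the attacker wants.
            alerts.append((ts, user, "approved_after_burst"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A single prompt followed by an approval (bob) and prompts spread over a long period (carol) raise nothing; only alice's burst and the approval that follows it are flagged.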

How Does the iOS 2FA Bombing Attack Work?
2FA bombing can be effective, but it’s very easy to defend against. You just need to reject the requests or change your 2FA confirmation method, and the scammer won’t get in. However, a new strain of 2FA bombing that affects iOS users has appeared.
The attack starts as normal. The scammer sends a wave of iOS 2FA notifications asking you to let them in. After a few minutes, the scammer stops sending 2FA notifications and calls your phone.
When you pick up, the scammer pretends to be from Apple support. They’ll claim the wave of notifications was due to a hacker trying to gain access to your account. They will then ask you for some information under the guise of protecting you.
What’s worrying is that the scammer will already have a lot of information about you. This is because some services collect data on people, including tying personal information to phone numbers. This means the caller will know sensitive data like your name, date of birth, and address.
The scammer aims to get a hold of your 2FA code, which you receive via text. Once you hand over the code, the hacker will access your account.

How to Avoid an iOS 2FA Bombing Attack
As scary as this attack may sound, you have complete control over the situation. If you notice your iPhone blowing up with 2FA requests, don’t panic; that’s exactly what a scammer wants you to do. Remember, they cannot access your account if you do not accept the request.
Decline all 2FA requests you receive that you did not ask for. If someone calls you asking for a code, do not give it to them. If you’re concerned that the call is real, see if you’re able to spot telltale signs that the person calling you is a scammer. You can also hang up and call Apple support yourself to double-check if something really is wrong with your account.
Unfortunately, changing your password will not work because the scammer can send you 2FA notifications by just entering your phone number. As such, you can either change the number on your account or ride it out until Apple comes up with a solution. You can also stop scam calls on your iPhone to prevent the scammer from phoning you.
2FA bombing attacks can be scary and mentally draining, but that’s exactly what the scammer wants. As long as you decline the notifications and ignore any calls from Apple, you won’t risk losing your account.