Webmail users hand over 'forgot password' codes to scammers


Simple social engineering is getting around two-factor authentication, security vendor Symantec has warned.

A new scam has seen attackers activate the password recovery feature on webmail accounts to have a verification code sent by SMS to the legitimate user's mobile phone. The scammer then sends a follow-up SMS message pretending to be the email provider, asking for the code.

"This social engineering attack is very convincing and we've already confirmed that people are falling for it," said Symantec principal research engineer Slawomir Grzonkowski in a blog post.

"To pull off the attack, the bad guys need to [only] know the target’s email address and mobile number."

The majority of cases Symantec has observed have been on Gmail, Hotmail and Yahoo webmail services.

Grzonkowski wrote that the scam works effectively because of its simplicity and "an overwhelming tendency" for people to trust figures of authority.

"Take for example dressing up as a police officer and asking someone to hand over the keys to their car. The average person on the street would probably hand them over without question," he said.

Symantec advised that users should be suspicious of any messages requesting verification codes, as legitimate two-factor authentication would merely send you a code, not request one.
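The advice above reduces to one rule a user or an SMS-filtering gateway can apply: a genuine two-factor or password-recovery message delivers a code, it never asks you to send one back. The following Python snippet is an added example, not code from the article or from Symantec, that turns that rule into a small classifier and runs it over constructed sample messages (the message texts and codes are made up for illustration). It also handles the one obvious edge case: legitimate "do not share this code" warnings, which mention forwarding or sharing a code without actually requesting it.

```python
import re

# Constructed sample SMS messages (not from the article); the codes are placeholders.
SAMPLE_MESSAGES = [
    "Your verification code is 482913. It expires in 10 minutes.",
    "We detected unusual activity. Reply with the verification code we just sent you to keep your account open.",
    "Please forward the 6-digit code you received so we can confirm your identity.",
    "G-193355 is your verification code.",
    "Send us the code to unlock your account.",
    "Your code is 771204. Do not share or forward this code with anyone.",
]

# Phrases that ask the recipient to hand a code back. A legitimate two-factor flow
# delivers a code; it never asks the user to reply with, forward or send one.
REQUEST_PATTERNS = [
    re.compile(r"\b(reply|respond|send|forward|text|provide)\b[^.]*\bcode\b", re.I),
    re.compile(r"\bcode\b[^.]*\b(reply|send back|forward|text back|send it)\b", re.I),
]

# Legitimate providers often add "do not share this code" warnings. Those mention the
# same verbs, so a negated verb means the message is warning, not requesting.
NEGATED_WARNING = re.compile(
    r"\b(?:do not|don't|never)\s+(?:share|reply|respond|send|forward|text|provide)\b", re.I
)

# A delivered code: a 6-8 digit number, optionally with a short letter prefix such as "G-".
DELIVERY_PATTERN = re.compile(r"\b(?:[A-Z]-)?\d{6,8}\b")


def classify_sms(text):
    """Return 'request_for_code', 'code_delivery' or 'other' for one SMS body."""
    if not NEGATED_WARNING.search(text):
        for pattern in REQUEST_PATTERNS:
            if pattern.search(text):
                return "request_for_code"
    if DELIVERY_PATTERN.search(text) and re.search(r"\bcode\b", text, re.I):
        return "code_delivery"
    return "other"


def flag_requests(messages):
    """Return the subset of messages that ask the recipient to send a code back."""
    return [m for m in messages if classify_sms(m) == "request_for_code"]


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(f"{classify_sms(message):17s} | {message}")
```

The regex heuristics are deliberately narrow: they only catch the wording the scam depends on (an instruction to reply with, forward or send a code), so a normal code-delivery message is never flagged, while the negation check keeps "do not share this code" warnings on the legitimate side.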

"If uncertain about an unexpected request, users can check with their email provider to confirm if the message is legitimate," stated Symantec's advisory. "Remember, just because someone looks like a police officer and sounds like a police officer, that doesn’t mean you should hand over your car keys without seeing some ID first."

Copyright © nextmedia Pty Ltd. All rights reserved.