Hackers are sending text messages posing as technology services to scare people into sending them the authentication code that can compromise their accounts. The attackers need the target's password to attempt the attack, but this can be extracted from one of the leaked databases of usernames and passwords.

https://twitter.com/maccaw/status/739232334541524992

First, the hacker sends a message like the one above. This scares the targets into thinking that they have received an alert from the official source about an attempt to get into their accounts. The message is very close in wording to the actual message you get when there has been such an attempt on your account, but it comes from an unknown number. Instead of asking users to enter the 2FA (two-factor authentication) code to gain access to the account, the message asks for the 2FA code to temporarily lock the account.

Then, the attackers feed in the username and password. At this point, the actual two-factor authentication kicks in and sends a 2FA code to the mobile device associated with the account. The right thing for the user to do is to ignore all the messages at this point. The login attempt will not be authorised. However, if the target sends the 2FA code to the attacker, then the hacker gets access to the target's email. This is a social engineering attack. The attacks were reported by Business Insider.

There are two ways to secure yourself from such attacks. First, do not reply to any message unless you are logging in. Second, and most importantly, no legitimate support staff will ask you for your 2FA code. Also, 2FA codes are for granting access to an account, not denying access.
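As an added example (not from the original article), here is a Python heuristic a message filter could use to flag the pattern described above: a text asking the recipient to send back a code, optionally followed within minutes by a real code from a different sender. The regexes, the 15-minute window, the sample messages and all names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed phrasing: a verb asking the recipient to send something back,
# followed closely by a word for the one-time code. Not an exhaustive list.
REPLY_REQUEST = re.compile(
    r"\b(reply|respond|text|send)\b.{0,60}\b(code|pin|otp)\b", re.I | re.S)
# Assumed format of a delivered one-time code: 6 to 8 digits in the body.
CODE_DELIVERY = re.compile(r"\b\d{6,8}\b")
WINDOW_SECONDS = 15 * 60  # assumed correlation window

@dataclass
class Sms:
    ts: int      # seconds since epoch
    sender: str
    body: str

def classify(inbox):
    """Return {index: verdict} for messages that ask for a code to be sent back."""
    verdicts = {}
    for i, msg in enumerate(inbox):
        if not REPLY_REQUEST.search(msg.body):
            continue
        # A real code arriving from a different sender shortly after the
        # request means someone has just submitted the account password.
        followed = any(
            0 <= other.ts - msg.ts <= WINDOW_SECONDS
            and other.sender != msg.sender
            and CODE_DELIVERY.search(other.body)
            for other in inbox)
        verdicts[i] = "lure+login-in-progress" if followed else "lure"
    return verdicts

# Constructed sample inbox; numbers and wording are made up.
SAMPLE = [
    Sms(1000, "+15550100", "Suspicious sign-in attempt detected. Reply with "
        "the verification code you receive to temporarily lock your account."),
    Sms(1090, "22000", "123456 is your verification code. "
        "Do not share it with anyone."),
    Sms(5000, "+15550111", "Your parcel will arrive today."),
]

if __name__ == "__main__":
    for idx, verdict in classify(SAMPLE).items():
        print(idx, SAMPLE[idx].sender, verdict)
```

A `lure+login-in-progress` verdict also means the account password is already in someone else's hands, so it should be changed after ignoring the messages.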