Account takeovers — when an attacker gains access to your email, bank, or social media account — are becoming more common and more sophisticated. According to Verizon’s annual breach report, stolen credentials are now involved in nearly 45% of all data breaches, up from previous years. Part of the reason is that attackers have found effective ways to work around the two-factor authentication (2FA) codes that many people rely on.
One tactic gaining ground is called MFA fatigue: attackers try to log in repeatedly, sending a flood of approval requests to your phone until you tap “Allow” just to make them stop. Another is phishing through fake login pages that look identical to real ones, capturing your password and your 2FA code at the same time. Infostealer malware — malicious software quietly installed on a device — can also harvest saved passwords directly from your browser without you ever entering them on a fake site.
The good news is that your habits still matter a great deal. Never approve a login prompt on your phone unless you actively initiated the login at that exact moment — if you get a surprise approval request, reject it and change your password immediately. Scrutinize login pages before entering your credentials: check that the web address is exactly right, not a lookalike domain. Keep your phone and computer updated, since security patches close the vulnerabilities that infostealer malware exploits. And review the list of devices and apps that have access to your important accounts (under Settings → Security on most platforms) and remove anything you don’t recognize.