
Article summary: AI voice cloning has made it possible for attackers to call your accounts payable team sounding exactly like your CEO, and the requests they make follow a predictable formula. Deepfake voice scams are an evolution of business email compromise, and AP teams are the primary target because they can move money. A simple voice check playbook is the most effective defense available.
The call sounds like your CFO. The cadence is right. The urgency is familiar.
A wire transfer needs to go out today. It's confidential. The normal approval process doesn't apply this time.
This is a deepfake voice scam, and accounts payable teams are its most valuable target. Not because they're careless, but because their job is to move money quickly when leadership asks.
Building strong controls around financial approvals is no longer just about locking down system access. It's also about what happens when the phone rings and the voice on the other end sounds exactly right.
Why Accounts Payable Teams Are the Primary Target
Accounts payable (AP) teams handle what attackers care about most: payments. They process invoices, authorize wire transfers, and manage vendor banking details. They're also trained to respond quickly to requests from leadership, especially when a request comes marked urgent and confidential.
That combination of financial authority and habitual responsiveness makes AP teams the top target for impersonation-based fraud.
Business email compromise (BEC) has been among the most expensive fraud categories in the US for years. This is where attackers impersonate an executive or vendor over email to redirect payments. Now, attackers are adding voice to the same playbook.
Business email compromise cost US businesses $2.77 billion in 2024 alone.
According to the FBI's 2024 Internet Crime Complaint Center report, BEC ranked as the second-highest source of financial losses across all cybercrime categories, with over 21,000 complaints filed that year. Adding a cloned voice to the same attack makes the deception significantly harder to dismiss.
How a Deepfake Voice Scam Actually Works
A deepfake is AI-generated audio, video, or both that realistically replicates a real person. In a voice scam, the attacker builds a voice clone from publicly available recordings.
Voice cloning tools require only a few seconds of sample audio to produce a convincing replica. The result matches the target's tone, cadence, and accent closely enough to mislead people who speak with them regularly.
The FTC has flagged voice cloning as one of the most difficult scams to detect, precisely because it exploits a form of trust people aren't trained to question: recognizing a familiar voice.
More than 1 in 4 executives say their organization has already faced a deepfake fraud attempt targeting financial or accounting data.
In a Deloitte poll, 25.9% of executives reported at least one deepfake incident in the past year, and 51.6% expect attacks to increase.
The formula across every documented case is consistent: authority (a trusted figure is calling), urgency (it needs to happen today), and secrecy (don't involve anyone else). These three levers are chosen specifically to suppress the verification habits that would otherwise stop the transfer.
It's the same impersonation logic behind reply-chain phishing attacks, where attackers hijack trusted conversations to manufacture compliance. The difference is that voice is far harder to dismiss in the moment.
Three Scenarios Your AP Team Should Know
The details change. The structure doesn't.
The urgent wire transfer
The "CFO" or "CEO" calls directly about a same-day transfer for a confidential deal. There's always a reason the normal approval chain shouldn't apply.
In early 2024, engineering firm Arup lost $25 million after a finance employee was convinced by a video call in which every participant, including the CFO, was AI-generated.
The vendor account change
A familiar supplier calls to notify the AP team that their banking details have changed. The voice matches the contact on file. The request seems routine. This version is effective because it doesn't require an immediate transfer.
The confidential deal
An executive calls ahead of a public announcement and asks for a payment to move before news breaks. The secrecy framing is what makes this version effective: it gives the target a built-in reason not to verify with colleagues.
Your AP Team's Voice Check Playbook
The strongest defense against a deepfake voice scam isn't a detection tool. It's a consistent process your team follows every time, regardless of how convincing a call sounds.
1. Never approve a payment based on a call alone
A phone call is a heads-up, not an authorization. Any payment request or account change should require confirmation through a second, pre-established channel before anything moves. Think of it as multi-factor verification for financial approvals: one input is never enough to confirm identity or intent.
2. Hang up and call back on a known number
If a call creates urgency around a payment, hang up and call the person back on a number already verified in your systems. Not a number provided by the caller. Attackers can spoof caller ID, and the number they give you may route directly back to them.
3. Set a team code word
Pre-agreed verification phrases are a layer that voice technology cannot bypass. Ferrari executives foiled an executive impersonation attempt in 2024 simply by asking the caller a personal question the real CEO would have been able to answer.
4. Treat secrecy requests as a red flag
Legitimate executives don't typically ask AP staff to bypass review processes or keep a payment confidential from colleagues. If a caller says "don't loop anyone else in" or "this needs to stay between us," treat that as a reason to escalate through official channels rather than a professional courtesy to honor.
5. Limit publicly available voice samples
The FBI has warned that attackers harvest voice audio from public recordings, including webinars, conference sessions, LinkedIn posts, and social media. Encourage senior staff to think carefully about the volume of audio published under their name, particularly recordings where they speak at length.
Ready to Build Your Team's Defense?
Deepfake voice scams work because the voice sounds like someone your AP team already trusts. The protection isn't a technical product. It's a set of habits.
The businesses that stop these attacks aren't necessarily better equipped. They're just harder to rush.
Contact Sound Computers to schedule a consultation. We can help you put a practical AP security protocol in place and make sure your team knows what to listen for. Call us at (860) 577-8060, reach us online, or email info@soundcomputers.net.
Article FAQs
What is a deepfake voice scam?
A deepfake voice scam uses AI-generated audio to impersonate someone you recognize and persuade you to take a financial action. The voice is cloned from publicly available recordings, and the result can be convincing enough to fool people who interact with that person regularly.
Why are AP teams specifically targeted?
AP teams have direct authority over payments and are trained to respond quickly to instructions from leadership. That combination of financial control and responsiveness to urgency is exactly what attackers need.
How do attackers clone someone's voice?
Voice cloning software can produce a convincing replica from just seconds of audio, sourced from webinars, recorded meetings, video posts, or saved voicemails. The output closely matches the original speaker's tone, cadence, and accent. Some tools are accessible to anyone with an internet connection and a free account.
What should my AP team do when they receive a suspicious call?
Hang up and call the person back using a number already verified in your systems, not one provided by the caller. Require any payment or account change to be confirmed through a second channel before acting. If the caller emphasizes urgency or secrecy, treat that as a reason to pause and escalate, not to proceed.

Article summary: Personal apps, personal cloud accounts, and reused passwords on work devices create security gaps that IT rarely sees until something goes wrong. Shadow IT has grown sharply alongside remote and hybrid work, and the most common risks are easy to miss. A few straightforward habits and clear policies close most of these gaps without disrupting how your team works day to day.
Most small businesses are thoughtful about who has keys to the building. Fewer are as deliberate about what employees are doing on their work devices at home.
A personal Gmail account used to share a work document. Personal cloud storage for a large file that needs to move quickly. A browser that auto-fills a personal login on a work machine, along with every other saved credential.
These habits feel harmless in the moment. They're where data exposure quietly begins.
Closing these gaps doesn't require a major security overhaul. It starts with understanding where business security becomes a daily habit, not just a policy document.
Why Everyday Habits Create Real Security Gaps
Shadow IT is the term for using apps, accounts, or tools that haven't been reviewed or approved by your IT team. It's rarely intentional wrongdoing. Employees reach for familiar, convenient tools when the approved alternatives feel slower or harder to access.
The security problem is a visibility problem. IT can only monitor, patch, and protect the tools it knows about. When work data flows through a personal cloud account, a personal messaging app, or an unapproved browser extension, that data leaves the managed environment entirely.
A Dashlane survey of 1,500 employees found that nearly 4 in 10 people regularly use unapproved applications on company hardware.
Research cited by Cloudflare shows shadow IT usage increased 59% with the shift to remote and hybrid work, with 54% of IT teams saying their organizations are significantly more exposed to a data breach as a result.
This isn't a fringe concern. It's likely happening across your business right now, even if no one is tracking it.
The same dynamic applies to AI tools. Our guide on running a shadow IT audit walks through how to find what's being used without slowing your team down.
Where the Lines Blur Most Often
Shadow IT risk doesn't come from one single habit. It comes from the accumulation of small decisions that each seem reasonable on their own.
Password reuse across personal and work accounts
When a staff member uses the same password for a personal streaming account or shopping site as they do for their work email, a breach of the personal account can expose the work one. Attackers count on this.
This is called credential stuffing: taking passwords stolen from one breach and automatically testing them across hundreds of other services. Your business doesn't need to be breached directly. A supplier, a retailer, or any other service your employee uses personally can be the starting point.
According to Cybernews, only 6% of analyzed passwords were unique. The scale of credential reuse means that a breach at an unrelated service is, statistically, also a test of your work systems.
It's the same mechanism behind password spraying attacks, where attackers work systematically through common or previously exposed credentials until something opens.
Personal cloud storage for work files
Google Drive, Dropbox, and iCloud are useful personal tools that employees often reach for when moving a large file or picking up work on a personal device. When work documents land in a personal cloud account, they're outside your organization's access controls, encryption policies, and retention rules.
If that personal account is later compromised, or the employee leaves the company, the data goes with them.
Browser extensions and personal logins on work browsers
Many browser extensions have broad permissions: access to page content, form data, and session activity across every site the browser visits. Personal extensions installed on a work browser may be sending data to third-party servers without the employee or IT team realizing it.
Saved personal passwords in a work browser profile create a separate risk: a hidden bridge between personal and professional credentials that standard security reviews rarely catch.
Personal email and messaging apps on work devices
Sending a work file to a personal inbox to finish it at home is one of the most common habits in any office. It bypasses spam filtering, encryption standards, and IT monitoring in a single step. Phishing attacks that reach a personal inbox, where protections are often weaker, can arrive on a work device and spread from there.
A Simple Habit Checklist for Your Team
None of these changes are technically complicated. The barrier is usually awareness and access to better defaults.
1. Keep work and personal browser profiles completely separate
Most major browsers support separate profiles with different saved passwords, extensions, and sync settings. A dedicated work profile means personal credentials don't auto-fill on work sessions, and personal extensions don't have access to work activity. This single step eliminates a wide category of accidental data mixing.
2. Never reuse a password between a personal and work account
CISA's Secure Our World program recommends using unique, strong passwords for every account and a password manager to make that realistic.
When every account has its own credential, a breach somewhere else stays contained. If your organization doesn't already provide a company-approved password manager, that's worth addressing.
3. Use company-approved tools for work files
Before reaching for a personal Dropbox or Google account to move a work file, employees should know what the approved alternative is. Most businesses already have one, such as SharePoint, OneDrive, or Google Workspace. Making those options easy to access removes the main reason employees default to personal tools.
4. Review browser extensions quarterly
Set a simple reminder to check what extensions are installed on work browsers. Remove anything not actively needed for work, and pay attention to extensions with broad site permissions. An annual or quarterly extension review is a quick task that closes a category of risk most security audits miss entirely.
5. Report unauthorized tools before they become a problem
Employees often know they're using something unapproved but stay quiet because they don't want it removed. An open process, where staff can flag what they're using or request approval for a new tool, is far healthier than a policy that pushes the behavior underground. Visibility is the starting point for managing shadow IT risk.
Ready to Close the Gaps That Policies Miss?
Personal web habits are one of the most common sources of shadow IT risk in small businesses, and one of the easiest to address once they're visible.
The fix isn't a complicated project. It's a clear inventory of what's being used, approved alternatives in place, and a team that understands why the habits matter.
Contact Sound Computers to schedule a consultation. We can help you identify what's running on your network, establish practical policies your team will actually follow, and close the gaps before they become a problem. Call us at (860) 577-8060, reach us online, or email info@soundcomputers.net.
Article FAQs
What is shadow IT?
Shadow IT is the use of apps, tools, accounts, or devices that haven't been approved or reviewed by your IT team. It's usually driven by convenience, not intent, but it creates gaps in visibility and security.
Why is password reuse between personal and work accounts risky?
When a personal account is compromised in a data breach elsewhere, attackers automatically test those same credentials against business systems. This is credential stuffing, and it's one of the most common ways work accounts are accessed without authorization. Using a unique password for every account, managed through a password manager, is the straightforward fix.

Article summary: Passwords are the most common entry point for business data breaches, and complexity rules or standard MFA still leave credential theft on the table. Passkeys are phishing-resistant by design and now supported across every major platform. A phased passkey migration reduces your attack surface, cuts IT support overhead and replaces the most exploited vulnerability in your security stack without disrupting daily work.
Every breach starts somewhere.
More often than not, it starts with a login.
A staff member reuses a password from an old account. Someone approves a convincing phishing page without a second look. A credential stolen months earlier gets quietly tested against your systems until one of them opens.
Passwords were not built for the speed or scale of today's attacks. They rely on people to remember, rotate and protect a string of characters under conditions that make that increasingly unrealistic.
That is what passkeys are designed to fix.
Getting proper authentication controls in place for your team is no longer a complicated project. Passkeys are built into the devices your staff already use and migrating to them is more manageable than most small businesses expect.
Why Passwords Are Failing Your Business
The fundamental problem with passwords is that they are shared secrets. Your system stores them. Your staff carries them. Attackers collect them at scale.
Compromised credentials were involved in over 80% of data breaches in 2024.
Verizon's 2024 Data Breach Investigations Report found that stolen or weak credentials were a factor in the vast majority of incidents studied. The attacks have gotten faster and more automated but the entry point stays the same.
Tactics like password spraying (where attackers test a short list of common passwords across hundreds of accounts) are designed to slip past lockout policies entirely. A staff member who follows every password rule can still become an entry point if their credentials have appeared in an unrelated breach somewhere else.
Password resets make the picture worse. Each one drains IT time, frustrates the person locked out and creates its own risk when the reset link travels over an email account that may already be compromised.
What Is a Passkey?
A passkey is a login credential that uses cryptography instead of a memorized secret.
When a passkey is created, the device generates two linked keys. The private key stays on the device and never leaves it. The public key is stored by the service. To log in, the service sends a cryptographic challenge. The device signs it using the private key and authentication is complete.
No password changes hands. Nothing is transmitted that can be stolen.
Passkeys are built on FIDO2/WebAuthn, open standards developed by the FIDO Alliance, a cross-industry consortium, and the World Wide Web Consortium (W3C).
Because the private key is mathematically bound to the exact website it was registered with, a fake login page cannot use it. The phishing attempt simply fails at the technical level.
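As an added illustration (not code from the article or from Sound Computers), this Go program simulates the registration and challenge-response exchange described above in simplified WebAuthn terms, using the constructed domains example.test and examp1e.test, and shows why a fake login page cannot use the credential: the device only holds keys scoped to the real domain, and the service rejects any assertion whose client data names a different origin or a stale challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

type (
	// Authenticator is the device side: one private key per relying-party ID (site domain).
	Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
	// RelyingParty is the service side; it only ever holds public keys.
	RelyingParty struct {
		ID, Origin string                      // e.g. "example.test" and "https://example.test"
		pub        map[string]*ecdsa.PublicKey // user -> public key
	}
	// clientData is attached by the browser: the challenge answered and the origin it is on.
	clientData struct{ Type, Challenge, Origin string }
	// Assertion is what the relying party gets back; AuthData is simplified to sha256(rpID).
	Assertion struct {
		User                                string
		ClientDataJSON, AuthData, Signature []byte
	}
)

// Register creates a key pair on the device for rp.ID; only the public half leaves it.
func (a *Authenticator) Register(rp *RelyingParty, user string) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the OS RNG does
	a.keys[rp.ID], rp.pub[user] = priv, &priv.PublicKey
}

// NewChallenge issues fresh random bytes that the RP remembers for one login attempt.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// signedMessage is what gets signed: sha256(authData || sha256(clientDataJSON)).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert is the browser plus authenticator side; the key lookup is scoped to the domain the browser is on.
func (a *Authenticator) Assert(browserOrigin, browserRPID, user, challenge string) (*Assertion, error) {
	priv, ok := a.keys[browserRPID]
	if !ok {
		return nil, errors.New("no credential registered for " + browserRPID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	rpHash := sha256.Sum256([]byte(browserRPID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpHash[:], cd))
	return &Assertion{User: user, ClientDataJSON: cd, AuthData: rpHash[:], Signature: sig}, err
}

// Verify is the RP side: type, challenge, origin, RP-ID hash and signature must all match.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd clientData
	_ = json.Unmarshal(as.ClientDataJSON, &cd) // malformed data simply fails the checks below
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return errors.New("stale challenge or wrong ceremony type")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	pub, ok := rp.pub[as.User]
	if !ok || string(as.AuthData) != string(want[:]) {
		return errors.New("assertion is not for this relying party or user")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs the article's scenarios with constructed domains and reports each outcome.
func Demo() (legit, lookalikeHasCred, foreignOriginOK, replayOK bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "example.test", Origin: "https://example.test", pub: map[string]*ecdsa.PublicKey{}}
	auth.Register(rp, "alice")
	ch := NewChallenge()
	good, err := auth.Assert(rp.Origin, rp.ID, "alice", ch) // 1. real site, fresh challenge
	legit = err == nil && rp.Verify(good, ch) == nil
	_, err = auth.Assert("https://examp1e.test", "examp1e.test", "alice", NewChallenge())
	lookalikeHasCred = err == nil // 2. lookalike domain: the device holds no key scoped to it
	ch = NewChallenge() // 3. the real key signs, but clientData carries the lookalike origin
	foreign, _ := auth.Assert("https://examp1e.test", rp.ID, "alice", ch)
	foreignOriginOK = rp.Verify(foreign, ch) == nil
	replayOK = rp.Verify(good, NewChallenge()) == nil // 4. a captured assertion replayed later
	return
}
func main() { fmt.Println(Demo()) }
```

Real WebAuthn authenticator data carries flags and a signature counter as well, and the browser, not the page, fills in the origin, which is why the lookalike case fails before any signing happens.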
What Passkeys Actually Change
The security argument stands on its own. However, passkeys also reduce friction in ways that show up in day-to-day operations.
Organizations report up to 81% fewer sign-in-related help desk calls after deploying passkeys.
The FIDO Alliance's Passkey Index tracks real-world deployment data from Amazon, Google, Microsoft, PayPal and others. Passkeys achieve a 93% login success rate compared to 63% for traditional methods.
For staff, the experience is noticeably simpler. Where MFA (multi-factor authentication) requires a password and a one-time code, a passkey replaces both with a single biometric prompt. If you have ever weighed the different MFA options available and found that they all add a layer of friction, passkeys are where that trade-off resolves.
Microsoft reports passkeys are three times faster than traditional passwords and eight times faster than password plus MFA. That is not just convenience. It is operational time recovered across every login every single day for every person on your team.
Your Step-by-Step Passkey Migration Plan
Migrating to passkeys doesn't mean flipping a switch. A phased rollout keeps work moving while steadily reducing your dependence on passwords.
1. Audit your current logins.
Start by listing every system your staff authenticates into: email, line-of-business apps, cloud storage, accounting tools, remote access. Note which platforms already support passkeys. Most major ones do, including Microsoft 365, Google Workspace and the majority of common SaaS tools.
If a platform doesn't support passkeys yet, note it separately. That is not a blocker for getting started. It just means those accounts stay password-protected for now.
2. Prioritize your highest-risk accounts.
Start with the accounts attackers target first: admin logins, finance tools, anything holding sensitive client data or giving broad system access. These benefit most from phishing-resistant credentials, and migrating them first moves the security needle fastest.
3. Choose your authentication method.
Most staff can use devices they already own. Windows Hello, Apple Face ID and Touch ID, and Android biometrics all support passkeys natively. For shared workstations or roles that require higher assurance, hardware security keys are the more controlled option.
4. Roll out in phases instead of all at once.
Enroll a pilot group first. IT staff or a handful of technically comfortable team members are the best choice. Work through any friction, refine the enrollment steps and document what you learn. Then expand to the wider organization in manageable waves.
Keep passwords available as a fallback during the transition. The goal is a gradual shift rather than a hard cutover that leaves anyone stuck.
5. Plan account recovery before you need it.
The most common concern about passkeys is what happens when an employee loses or breaks their device. The answer is to sort this out before rollout instead of after.
Synced passkeys backed up through Microsoft, Google or Apple accounts can be restored on a new device using the employee's existing account access. For hardware key setups, a documented recovery process and a backup key for the most critical roles are both worth the effort to set up now.
Time to Move Your Team Off Passwords
Passwords will remain part of the landscape for a while. However, every account you migrate to a passkey removes a target.
A passkey migration doesn't need to be a major project. It needs a clear account inventory, a sensible rollout sequence and a recovery plan that is documented and tested before anyone relies on it.
Contact Sound Computers to schedule a consultation. We can help you map which accounts to prioritize, guide your team through enrollment and make sure recovery is covered before you go live. Call us at (860) 577-8060, reach us online or email info@soundcomputers.net.
Article FAQs
What is a passkey?
A passkey is a login credential based on cryptographic key pairs rather than a memorized password. The private key stays on your device and is unlocked by a fingerprint, face scan or PIN. The public key is stored by the service. Nothing is transmitted that can be phished or stolen in a data breach.
Are passkeys more secure than passwords?
Yes. Passkeys are bound to the specific website they were created for so they cannot be used on fake login pages. There is no shared secret to steal. They eliminate the main attack categories that compromise password-based accounts: phishing, credential stuffing and password reuse.
Do passkeys work for small businesses?
Yes. Passkeys are built into Windows, macOS, iOS and Android and are supported by Microsoft 365, Google Workspace and most widely used business applications. A small business can migrate in phases using the devices its staff already own without specialist hardware.

Most small businesses are not falling short because they don’t care. They are falling short because they didn’t build their security strategy as one coordinated system with security layers. They added tools over time to solve immediate problems (a new threat here, a client request there).
That can look like strong coverage. In reality, it often creates a patchwork of products that don’t fully work together. Some areas overlap. Others get overlooked.
When security isn’t intentionally designed as a system, the weaknesses don’t show up during routine support tickets. They show up when something slips through and turns into a disruptive and expensive problem.
Why “Layers” Matter More in 2026
In 2026, your small business security can’t rely on a single control that is “mostly on”. It must be layered because attackers don’t politely line up at your firewall anymore. They come in through whichever gap is easiest today.
The real story is how quickly the landscape is changing.
The World Economic Forum’s Global Cybersecurity Outlook 2026 says “AI is anticipated to be the most significant driver of change in cyber security… according to 94% of survey respondents.”
That is more than a headline. It means phishing becomes more convincing, automation becomes more affordable and “spray and pray” attacks become more targeted and effective. If your security model depends on one or two layers catching everything, you are essentially betting against scale.
The NordLayer MSP trends report highlights that active enforcement of foundational security measures is becoming the standard. It points to a future where you are expected to actively enforce those measures rather than just check a compliance box.
It also highlights that regular cyber risk assessments will become essential for identifying gaps before attackers do. In other words, the market is shifting toward consistent security baselines and proactive oversight rather than best-effort protection.
The easiest way to keep layers practical and not chaotic is to think in outcomes rather than tools.
A Simple Way to Think About Your Security Coverage
The easiest way to spot gaps in your security is to stop thinking in products and start thinking in outcomes.
A practical way to structure this is the NIST Cybersecurity Framework 2.0, which groups security into six core areas: Govern, Identify, Protect, Detect, Respond and Recover.
Here is a simple translation for your business:
- Govern: Who owns security decisions? What is considered standard? What qualifies as an exception?
- Identify: Do you know what you are protecting?
- Protect: What controls are in place to reduce the likelihood of compromise?
- Detect: How quickly can you recognize that something is wrong?
- Respond: What happens next? Who is responsible, how fast do they act and how is communication handled?
- Recover: How do you restore operations and demonstrate that systems are fully back to normal?
Most small business security stacks are strong in Protect. Many are okay in Identify. The missing layers usually live in Govern, Detect, Respond and Recover.
The 5 Security Layers MSPs Commonly Miss
Strengthen these five areas and your business's security becomes more consistent, more defensible and far less reliant on luck.
Phishing-Resistant Authentication
Basic multifactor authentication (MFA) is a good start, but it is not the finish line.
The common gap is inconsistent enforcement and authentication methods that can still be tricked by modern phishing.
How to add it:
- Make strong authentication mandatory for every account that touches sensitive systems.
- Remove “easy bypass” sign-in options and outdated methods.
- Use risk-based step-up rules for unusual sign-ins.
Device Trust & Usage Policies
Most IT systems manage endpoints. Far fewer have a clearly defined and consistently enforced standard for what qualifies as a “trusted” device or a defined response when a device falls short.
How to add it:
- Set a minimum device baseline.
- Put Bring Your Own Device (BYOD) boundaries in writing.
- Block or limit access when devices fall out of compliance instead of relying on reminders.
Email & User Risk Controls
Email remains the front door for most cyberattacks. If you are relying on user training alone to stop phishing and credential theft, you are betting on perfect attention.
The real gap is the absence of built-in safety rails: controls that flag risky senders, block lookalike domains, limit account takeover impact and reduce the damage from common mistakes.
How to add it:
- Implement controls that reduce exposure such as link and attachment filtering, impersonation protection and clear labeling of external senders.
- Make reporting easy and judgement-free.
- Establish simple and consistent process rules for high-risk actions.
Continuous Vulnerability & Patch Coverage
“Patching is managed” often really means “patching is attempted.” The real gap is proof: clear visibility into what is missing, what failed and which exceptions are quietly accumulating over time.
How to add it:
- Set patch SLAs by severity and stick to them.
- Cover third-party apps and common drivers/firmware rather than just the operating system.
- Maintain an exceptions register so exceptions don’t become permanent.
Detection & Response Readiness
Most environments generate alerts. What is often missing is a consistent and repeatable process for turning those alerts into action.
How to add it:
- Define your minimum viable monitoring baseline.
- Establish triage rules that clearly separate “urgent now” from “track and review”.
- Create simple and practical runbooks for common scenarios.
- Test recovery procedures in real-world conditions.
The Security Baseline for 2026
When you strengthen these five layers of phishing-resistant authentication, device trust, email risk controls, verified patch coverage and real detection and response readiness, you turn your business's security into a repeatable and measurable baseline you can be confident in.
Start with the weakest layer in your business environment. Standardize it. Validate that it is working. Then move to the next.
If you would like help identifying your gaps and building a more consistent security baseline for your business, contact us today for a security strategy consultation. We will help you assess your current stack, prioritize improvements and create a practical roadmap that strengthens protection without adding unnecessary complexity.

Article summary: Removing local admin rights reduces support tickets by preventing “quick fixes” and unauthorized changes from turning each PC into a unique troubleshooting case. A modern least-privilege approach keeps users productive by using exception-based and time-limited elevation instead of permanent admin access. This makes endpoints more stable, limits the damage from bad installs or malware and gives IT a predictable baseline that is easier to support.

Article summary: Domain hijacking is business identity theft that can redirect your website, disrupt email and undermine customer trust by manipulating your domain or DNS settings. A Domain Lock, strong registrar account security and a registry lock reduce the chance of unauthorized transfers and DNS changes. Protecting DNS also protects email credibility through SPF, DKIM and DMARC and helps your messages reach inboxes and makes your domain harder to spoof.
Article summary: Ghost subscriptions waste budget dollars and increase access risk when unused SaaS seats, abandoned tools and former-user accounts keep billing and keep access alive. A SaaS spend audit fixes this by inventorying what you pay for, proving real usage and access and right-sizing subscriptions with simple guardrails to prevent relapse. This reduces monthly spend, limits forgotten access paths and keeps your software stack cleaner and easier to manage.

Article summary: QR code scams (like Quishing) are increasingly targeting front desks because scanning feels routine and the real destination link is hidden. A scan-smart playbook reduces risk by treating QR codes like links, previewing URLs before opening, avoiding unexpected codes and keeping mobile devices protected. These habits help prevent credential theft, malware exposure and disruptive incidents that can start with one quick scan.

For years, enabling Multi-Factor Authentication (MFA) has been a cornerstone of account and device security. MFA remains essential, but the threat landscape has evolved and some older methods are now far less effective.
The most common form of MFA, a four- or six-digit code sent via SMS, is convenient and familiar, and it is certainly better than relying on passwords alone. However, SMS is an outdated technology and cybercriminals have developed reliable ways to bypass it. For organizations handling sensitive data, SMS-based MFA is no longer sufficient. It is time to adopt the next generation of phishing-resistant MFA to stay ahead of today's attackers.
SMS was never designed to be a secure authentication channel. Its reliance on cellular networks exposes it to weaknesses in telecommunication protocols, particularly Signaling System No. 7 (SS7), the protocol carriers use to route calls and messages between networks.
Attackers know that many businesses still rely on SMS for MFA, which makes those businesses appealing targets. For instance, attackers can abuse SS7 weaknesses to intercept text messages without ever touching the victim's phone. Eavesdropping, message redirection and message injection can all take place inside the carrier network or during over-the-air transmission.
SMS codes are also vulnerable to phishing. If a user enters their username, password and SMS code on a fake login page, attackers can capture all three in real time and immediately use them to log in to the legitimate account.
Understanding SIM Swapping Attacks
One of the most dangerous threats to SMS-based security is the SIM swap. In a SIM swapping attack, a criminal contacts your mobile carrier pretending to be you and claims to have lost their phone. They then ask support staff to port your number to a new, blank SIM card in their possession.
If they succeed, your phone goes offline and they receive all of your calls and SMS messages, including MFA codes for banking and email. Without knowing your password, they can quickly reset credentials and gain full access to your accounts.
This attack doesn't depend on advanced hacking skills. It relies on social engineering of mobile carrier support staff, which makes it a low-tech method with high-impact consequences.
Why Phishing-Resistant MFA Is the New Gold Standard
To prevent these attacks, it is essential to take the human element out of authentication by using phishing-resistant MFA. This approach relies on cryptographic protocols that bind each login attempt to the specific domain the credential was registered for.
One of the most prominent standards for such authentication is Fast Identity Online 2 (FIDO2), an open standard that uses passkeys: credentials created with public key cryptography that link a specific device to a domain. Even if a user is tricked into clicking a phishing link, the authenticator will not answer the login request, because the phishing domain does not match the domain recorded for that credential.
The technology is also passwordless, which removes the threat of phishing attacks that capture credentials and one-time passwords (OTPs). Attackers are forced to target the endpoint device itself, which is far more difficult than deceiving users.
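As an added illustration (not code from the original article or from any FIDO2 implementation), the following Go program models the origin binding described above: the authenticator holds one private key per relying-party domain and signs only when the origin the browser reports matches that domain, and the site verifies the signature against its own origin. The domain example.com, the lookalike examp1e.com and the challenge bytes are constructed for the example, and the single origin check stands in for the browser's rpId rules and the clientDataJSON that real WebAuthn signs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models a FIDO2 device: one private key per relying-party ID
// (the site's domain), created at registration and never exported.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }

// Register creates a key pair bound to rpID; the site receives only the public key.
func (a *Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if OS randomness fails
	a.keys[rpID] = priv
	return pub
}

// Assert answers a login request. The browser forwards it only when the page
// origin belongs to rpID (simplified here to an exact match), so a lookalike page
// gets no signature. The signed data is the challenge plus the browser-observed origin.
func (a *Authenticator) Assert(origin, rpID string, challenge []byte) ([]byte, error) {
	if origin != "https://"+rpID {
		return nil, fmt.Errorf("origin %s does not match rpId %s: refusing to sign", origin, rpID)
	}
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %s", rpID)
	}
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), nil
}

// Verify is the relying party's check: the registered key must have signed
// this site's own challenge together with this site's own origin.
func Verify(pub ed25519.PublicKey, origin string, challenge, sig []byte) bool {
	return ed25519.Verify(pub, append([]byte(origin+"|"), challenge...), sig)
}

// Scenario registers with example.com (constructed), then attempts a login from
// the real site and from a lookalike. Returns (legitimate login ok, phishing error).
func Scenario() (bool, error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	pub := auth.Register("example.com")
	challenge := []byte("constructed-challenge") // real sites send fresh random bytes
	sig, err := auth.Assert("https://example.com", "example.com", challenge)
	legit := err == nil && Verify(pub, "https://example.com", challenge, sig)
	_, phishErr := auth.Assert("https://examp1e.com", "example.com", challenge)
	return legit, phishErr
}
```

Because the user never types anything the phishing page could relay, the lookalike site ends up with no assertion at all, rather than a stolen code it can replay within the next thirty seconds.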
Implementing Hardware Security Keys
Perhaps the strongest phishing-resistant authentication option is the hardware security key: a physical device, resembling a USB drive, that plugs into a computer or is tapped against a mobile device.
To log in, you insert the key into the computer or touch its button, and the key performs a cryptographic handshake with the service. This method is very secure because there are no codes to type and attackers can't steal your key over the internet. Unless they physically take the key from you, they cannot access your account.
Mobile Authentication Apps and Push Notifications
If physical keys are not practical for your business, mobile authenticator apps such as Microsoft Authenticator or Google Authenticator are a clear step up from SMS MFA. These apps generate codes locally on the device, so the codes are never sent over a cellular network and the risks of SIM swapping and SMS interception disappear.
Simple push-to-approve notifications, which these apps also offer, carry their own risks. For example, attackers may flood a user's phone with repeated login approval requests to cause "MFA fatigue," where a frustrated or confused user taps "approve" just to stop the notifications. Modern authenticator apps address this with "number matching," which requires the user to enter a number shown on the login screen into the app. This confirms that the person approving the login is actually in front of that login screen.
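To show what "generated locally" means in practice, here is an added Go example (not from the article or from any vendor's app) of the RFC 6238 TOTP computation that both the authenticator app and the server perform from a shared seed and the clock. The 20-byte seed used for checking is the RFC's published test value, and the 30-second step and 6 or 8 digits are the usual defaults; the enrollment QR code format (otpauth:// with a Base32 secret) is the common convention, not something the article describes.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"math"
	"strings"
	"time"
)

// TOTP derives the code an authenticator app displays (RFC 6238): HMAC-SHA1 of
// the current time-step counter, dynamically truncated to the requested digits.
// Only the shared seed and the clock are involved; nothing is transmitted.
func TOTP(seed []byte, at time.Time, stepSeconds int64, digits int) string {
	counter := make([]byte, 8)
	binary.BigEndian.PutUint64(counter, uint64(at.Unix()/stepSeconds))
	mac := hmac.New(sha1.New, seed)
	mac.Write(counter)
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226 section 5.4)
	code := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// DecodeSeed parses the Base32 seed carried in the enrollment QR code
// (the secret= parameter of an otpauth:// URI), ignoring spaces and case.
func DecodeSeed(b32 string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(b32, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// VerifyCode is the server side: it holds the same seed, so it recomputes the
// code for the current window and one step either side (clock drift) and
// compares in constant time. No SMS, no carrier, nothing to intercept in transit.
func VerifyCode(seed []byte, submitted string, at time.Time) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := TOTP(seed, at.Add(time.Duration(skew*30)*time.Second), 30, 6)
		if hmac.Equal([]byte(expected), []byte(submitted)) {
			return true
		}
	}
	return false
}
```

The code never crosses the carrier network, but it is still a short string a user can be tricked into typing on a fake login page, which is why the article treats origin-bound FIDO2 credentials as the stronger option.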
Passkeys: The Future of Authentication
With passwords routinely compromised, modern systems are embracing passkeys: digital credentials stored on a device and protected by biometrics such as a fingerprint or Face ID. Passkeys are phishing-resistant and can be synchronized across your ecosystem, such as iCloud Keychain or Google Password Manager. They offer the security of a hardware key with the convenience of a device you already carry.
Passkeys reduce the workload for IT support as there are no passwords to store, reset or manage. They simplify the user experience while strengthening security.
Balancing Security With User Experience
Moving away from SMS-based MFA requires a cultural shift. Because users are accustomed to the universality and convenience of text messages, introducing physical keys and authenticator apps can trigger resistance.
It is important to explain the reasoning behind the change, highlighting the reality of SIM-swapping attacks and the value of the information being protected. When users understand the risks, they are more likely to embrace the new measures.
While a phased rollout can help ease the transition for the general user base, phishing-resistant MFA should be mandatory for privileged accounts. Administrators and executives must not rely on SMS-based MFA.
The Costs of Inaction
Sticking with legacy MFA techniques is a ticking time bomb that offers a false sense of security. It may satisfy compliance requirements, but it leaves systems exposed to attacks and breaches that can be both costly and embarrassing.
Upgrading your authentication methods offers one of the highest returns on investment in cybersecurity. The cost of hardware keys or management software is minimal compared to the expense of incident response and data recovery.
Is your business ready to move beyond passwords and text codes? We specialize in deploying modern identity solutions that keep your data safe without frustrating your team. Reach out and we will help you implement a secure and user-friendly authentication strategy.

Article summary: Digital efficiency in 2026 is a capacity issue rather than a motivation issue. Modern work is fragmented by constant notifications, meetings and tool sprawl. A digital efficiency audit helps small businesses find where time is leaking through rework, unclear workflows and duplicated effort. The audit focuses on mapping high-friction processes, reducing interruptions, simplifying tools, decluttering files and knowledge and automating repeatable tasks. These changes reduce daily drag and make work easier to run. The result is reclaimed time your team can use for higher-value work.
