Unexpected MFA Prompts? Stop and Report Them
Multi-factor authentication is one of the best protections a business can put in place. It helps stop an attacker even if a password has been stolen.
But MFA only works when people treat the prompt seriously.
A growing attack pattern is sometimes called MFA fatigue, MFA push exhaustion, or prompt bombing. The attacker already has someone's password. They try to sign in, then repeatedly trigger approval requests on the person's phone until the person taps Approve just to make the notifications stop.
That one tap can give the attacker access.
For busy staff, this can be confusing. The prompt may appear while they are in a meeting, helping a customer, or working through email. It may feel like a normal app notification. That is why the safest habit is simple:
If you did not just try to sign in, do not approve the MFA request.
What an MFA fatigue attack may look like
Be cautious if you see:
- repeated sign-in approval prompts you did not request
- an MFA notification while you are not logging in
- a prompt from an unusual location, browser, or device
- a phone call or message pressuring you to approve a sign-in
- several prompts arriving one after another
- a request to enter or read out an MFA code to someone else
The important point is this: an unexpected MFA prompt usually means something needs attention. It may be a mistake, but it may also mean your password is already known to someone else.
What to do when it happens
If you receive an MFA request you did not start:
- Do not approve it. Choose deny, reject, or close the prompt.
- Stop using that account for a moment. Do not keep trying random sign-ins to clear the issue.
- Report it to your manager or IT support immediately. Include the time it happened and which account or app was involved.
- Change the account password from a trusted device or trusted sign-in page. If you are unsure, ask IT to help.
- Watch for follow-up messages. Attackers may call, email, or message pretending to be support staff.
Fast reporting helps IT check sign-in logs, block suspicious sessions, reset the password, and confirm whether anything was accessed.
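As an added example, not taken from the page or its sources, this is the kind of check an IT team could run over exported sign-in logs to spot the burst pattern described above: several push prompts to one account in a short window, especially when the burst ends in an approval. The log line format, account names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events, one line per prompt, loosely modelled
# on what a sign-in log export might look like. Not real log data.
SAMPLE_MFA_LOG = """\
2024-05-02T09:14:03Z user=alice@example.com result=approved ip=203.0.113.10
2024-05-02T09:31:10Z user=bob@example.com result=denied ip=198.51.100.7
2024-05-02T09:31:42Z user=bob@example.com result=timeout ip=198.51.100.7
2024-05-02T09:32:15Z user=bob@example.com result=denied ip=198.51.100.7
2024-05-02T09:33:01Z user=bob@example.com result=timeout ip=198.51.100.7
2024-05-02T09:33:40Z user=bob@example.com result=approved ip=198.51.100.7
2024-05-02T11:05:22Z user=carol@example.com result=denied ip=192.0.2.44
"""


def parse_mfa_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, fields = line.split(" ", 1)
        event = dict(f.split("=", 1) for f in fields.split())
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_push_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Flag accounts that received `threshold` or more push prompts inside
    `window`. A burst that ends with an approval is the fatigue signature
    (user tapped Approve to make it stop) and is rated high severity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) >= threshold:
                approved = any(e["result"] == "approved" for e in burst)
                alerts.append({"user": user, "prompts": len(burst),
                               "start": first["ts"],
                               "severity": "high" if approved else "medium"})
                break  # one alert per account is enough for triage
    return alerts
```

Accounts flagged "high" are the ones where the password should be assumed compromised and the session checked first.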
What not to do
Avoid these risky shortcuts:
- Do not tap Approve just to stop repeated alerts.
- Do not approve a prompt because someone on the phone told you to.
- Do not share MFA codes in email, WhatsApp, chat, or by phone.
- Do not assume the prompt is safe because it came from a real app.
- Do not ignore repeated prompts. They are a warning sign.
MFA is not meant to be a reflex. It is a checkpoint.
Better MFA habits for the whole business
Businesses can reduce this risk by using stronger MFA settings where available, such as number matching, app-based codes, passkeys, hardware security keys, or phishing-resistant sign-in methods. Systems should also avoid over-prompting staff, because too many routine prompts can train people to approve without thinking.
A good office rule is:
Only approve MFA when you personally started the sign-in and the prompt matches what you are doing.
If the prompt is unexpected, treat it like a smoke alarm. You do not need to panic, but you should not ignore it.
If you are unsure
Ask before approving.
It is always better to take one extra minute to verify than to give an attacker access to email, files, finance systems, or customer information. Staff should feel comfortable reporting suspicious prompts quickly, without fear of blame.
Cybersecurity works best when people are given clear habits they can follow during a normal workday. For MFA prompts, the habit is simple: unexpected prompt, do not approve, report it.
Sources: National Cyber Security Centre — Evolving Technical Threat, Not all types of MFA are created equal, and Why MFA matters; Microsoft Learn — How number matching works in MFA push notifications.