The Concept of Push-bombing and how to prevent it

The Concept of Push-Bombing and How to Avoid It

The Concept of Push-Bombing and How to Avoid It: In today’s blog post, we are going over the concept of Push-Bombing and how to avoid it. Cloud account takeover has grown to be a serious issue for businesses. Consider how much work your business does that requires a username and password. In one workday, an employee can log into numerous cloud apps or systems.

Hackers employ a variety of techniques to obtain these login credentials. The objective is to gain access to company data. They will also use these credentials to carry out sophisticated attacks and send insider phishing emails.

The account breaching problem has nearly tripled in the last two years.

Can Multi-Factor Authentication Stop These Attacks?

All businesses and individuals should be using Multi-Factor Authentication (MFA). It serves as an extra layer of defense against attackers who are able to obtain your usernames and passwords. MFA is consistently very effective in securing cloud accounts.

But because of its success, hackers are developing a workaround. Push-bombing is one of their new tactics to get around MFA.

How Does Push-Bombing Work?

When a user activates MFA on an account, they typically receive some kind of code or authorization prompt. The user types in their login information. To complete the login process, the system then sends the user an authorization request.

Typically, a “push” message of some kind will be used to deliver the MFA code or approval request. There are several ways for users to get it:

  • SMS/text
  • A device popup
  • An alert from an app

These notifications are a normal part of the multi-factor authentication process. The user would be familiar with it.

When a hacker is push-bombing, they start with the user’s credentials. They obtain this information via phishing or from a massive password dump following a data breach.

They benefit from the push notification system. Hackers repeatedly try to log in. And as a result, the real user receives numerous push notifications in succession.

Many people would wonder why they are receiving an unexpected code when they haven’t requested one. But when one is bombarded with them, it can be easy to accidentally approve access.

Push-bombing is simply a social engineering technique aimed to:

  • Confuse the user
  • Wear down the user
  • Trick user into approving MFA request to give hacker access.

How to Combat Push-Bombing at Your Business

Train Employees

Knowledge is always power. A push-bombing attack can be disruptive and confusing for the average user. Employees that receive training beforehand are much more capable of defending themselves.

Explain to employees what push-bombing is and how it works. Give them steps on how to respond if they get a flood of MFA they didn’t ask for.

Give your employees a way to report these attacks. Your IT security team can then warn other users thanks to this. Then, they can take action to protect everyone’s login information.

Remove Access to Unnecessary Apps

On average, employees use up to 36 apps per workday. That is a lot of login information to remember. The likelihood of a password breach increases the more logins a person must do.

Go through how many applications your business uses. Consider combining your apps to lessen the “sprawl” of them. Plenty of platforms are available that offer numerous apps all behind a single login. Take Microsoft 365 and Google Workspace for example. Your cloud environment will run more efficiently, improving your security and productivity.

Use Phishing-Resistant MFA Solutions

You can completely prevent push-bombing attacks by switching to a different MFA solution. A device passkey or physical security key is a phishing-resistant MFA solution to authenticate users.

With this kind of authentication, there is no push notification to authorize. It is more complex to setup compared to text or app-based MFA, but it is way more secure.

Enforce Password Making Best Practices

In order for hackers to even send push notifications, they need to access login credentials. The likelihood of a password breach decreases by enforcing strong password policies.

The following are typical procedures for strong password policies:

  • Making passwords 12-characters;
  • Using a minimum of two case-sensitive letters;
  • Combining letters, numbers, and symbols;
  • Not creating a password using personal information;
  • Saving passwords in a secure way (ex: password manager);
  • Not using the same password across multiple accounts.

Implement an Advanced Identity Management System

Advanced Identity Management tools can help you defend against push-bombing attempts. Typically, they will use a single sign-on to consolidate all logins. Users will only need to handle one login and one MFA prompt instead of several.

Companies can use identity management solutions to install contextual login policies. These policies increase security by adding flexibility to access enforcement. Login attempts outside of a particular geographic area can be automatically blocked by the system. It can also prevent logins during certain times or when other contextual factors aren’t met.

Need Help Increasing Identity & Access Security?

Single-factor authentication is insufficient by itself. To lower the risk of a cloud attack, businesses require multiple layers of security.

Are you seeking help to improve the security of your access? Call us right now and we can chat.


If you’d like to learn more about what’s new in the tech world, follow our blog!

Click here to schedule a free 15-minute meeting with Stan Kats, our Founder, and Chief Technologist. 

STG IT Consulting Group proudly provides IT Services in Greater Los Angeles and the surrounding areas for all your IT needs.

STG Infotech logo - IT Service Company Los Angeles CA

Leave a Reply

Your email address will not be published. Required fields are marked *