Duo Push Fatigue Attacks
Cybercriminals are doubling down on a tactic known as a Duo Push Fatigue Attack (also called MFA fatigue or MFA bombing). Even with Multi-Factor Authentication (MFA) in place, attackers have learned to exploit human behavior in an attempt to break into accounts. Here’s what you need to know to stay protected.
What Is a Duo Push Fatigue Attack?
Duo Push is a trusted MFA tool that prompts you to confirm logins on your mobile device. In a fatigue attack, a criminal who already knows your username and password repeatedly sends push approval requests to your device—sometimes dozens or even hundreds of times. Their goal is simple: overwhelm or frustrate you until you tap “Approve” just to make the notifications stop.
If even one of those requests is accepted, the attacker gains full access to your account, which can lead to data theft, account takeover, financial loss, or broader organizational compromise.
How to Recognize a Push Fatigue Attack
Be alert for these signs:
- 🔁 Multiple MFA prompts in a row, especially when you aren’t trying to log in.
- 🕒 Requests at odd hours, such as late at night or early morning.
- 🌍 Login requests from unfamiliar locations or devices.
- 📞 Unexpected calls, emails, or messages from someone claiming to be “IT support” urging you to approve a push.
If you did not initiate a login, do not approve the request.
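For administrators reviewing authentication logs, the first sign above (many prompts in a row) can be checked automatically. The Python below is an added example, not part of the original article or of Duo's own tooling; the event format, the 4-prompt threshold, and the 10-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real Duo log export): time, user, push result.
SAMPLE_EVENTS = [
    ("2024-12-01T02:14:05", "asmith", "denied"),
    ("2024-12-01T02:14:40", "asmith", "timeout"),
    ("2024-12-01T02:15:10", "asmith", "denied"),
    ("2024-12-01T02:15:55", "asmith", "timeout"),
    ("2024-12-01T02:16:30", "asmith", "approved"),
    ("2024-12-01T09:01:00", "bjones", "approved"),
    ("2024-12-01T13:30:00", "bjones", "approved"),
    ("2024-12-01T03:00:00", "clee", "denied"),
    ("2024-12-01T03:00:45", "clee", "denied"),
    ("2024-12-01T03:01:20", "clee", "denied"),
    ("2024-12-01T03:02:00", "clee", "timeout"),
]

def find_push_bursts(events, threshold=4, window=timedelta(minutes=10)):
    """Return {user: finding} for users who received `threshold` or more
    push prompts inside any sliding `window` (both values are assumptions)."""
    recent = defaultdict(deque)  # user -> prompt times still inside the window
    findings = {}
    for ts_text, user, result in sorted(events):  # ISO timestamps sort by time
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(
                user, {"max_prompts": 0, "approved_in_burst": False})
            f["max_prompts"] = max(f["max_prompts"], len(q))
            # An approval during an ongoing burst is the outcome the
            # article warns about: the user may have tapped to stop the noise.
            if result == "approved":
                f["approved_in_burst"] = True
    return findings

if __name__ == "__main__":
    for user, f in find_push_bursts(SAMPLE_EVENTS).items():
        level = "CRITICAL" if f["approved_in_burst"] else "WARN"
        print(f"{level} {user}: {f['max_prompts']} prompts in window, "
              f"approved={f['approved_in_burst']}")
```

A burst that ends in an approval deserves immediate follow-up with the account owner; a burst of denials and timeouts still indicates that the account's password is known to someone else.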
How to Protect Yourself
To minimize the risk of falling victim to Duo Push fatigue attacks:
- Use strong, unique passwords to reduce the chance of credential theft.
- Deny any unrequested push notification and report the incident immediately.
- Enable login alerts, if possible, so you’re aware of unexpected sign-in attempts.
- Keep your devices and apps updated to ensure the latest security protections.
Staying vigilant—especially during this holiday season—helps protect both you and the UR community. Thank you for doing your part to stay Spider Secure.