Email Security Blog

Multi-Factor Authentication: A Good Start, But It Isn’t Enough

Microsoft detects more than 300 million fraudulent sign-in attempts to their cloud services every day.1 Multi-Factor Authentication (MFA) can help make your accounts more secure, but is it enough?

Better than Octoberfest

At INKY, we excitedly await October all year long. Why? To us, ♬ “It’s the Most Wonderful Time of the Year.” ♬ That’s because October is Cybersecurity Awareness Month. If you’re unfamiliar, Cybersecurity Awareness Month was first launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS). It serves as a reminder to us all that internet safety and security are key.

As a 2022 Cybersecurity Awareness Month Champion organization, INKY joins the growing number of companies dedicated to promoting a safer, more secure, and trusted online world. Each week during the month of October, the Cybersecurity Awareness Month team will focus on one of four key behaviors. At INKY, we plan on chiming in. This week’s focus is on enabling multi-factor authentication. That said, Multi-Factor Authentication (MFA) is a great thing, and it can help make your accounts more secure. Sadly, however, there is one huge vulnerability it doesn’t cover.

The Basics of Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a must-have for companies these days and an easy way to protect your passwords, data, identity, and more. That’s because MFA helps prevent Account Take Overs (ATO) by blocking hackers from being able to successfully login to your accounts if they have your passwords. While some may find the extra step inconvenient, it’s a small price to pay for not becoming a victim of theft.

Bad, Better, Best

Like most technology, in the world of Multi-Factor Authentication (MFA) there are different levels of security. Considering how much is at stake for an organization that gets hacked, this is an important distinction to note.

  • BAD – If your organization is not using any form of Multi-Factor Authentication (MFA), you are setting yourself up for disaster.

  • BETTER – Legacy Multi-Factor Authentication (MFA) and one-time passwords (OTP) help a great deal, but more recently, phishers have found ways around them with a “man-in-the-middle” technique. A fake home page (disguised as your bank, for example) is built, as well as a fake credentials and passwords page. When the user signs into the fake page, the hacker captures the login information and plugs it into the bank’s real website, thus prompting an OTP to be sent to the user’s phone. Once that password is entered into the fake login page, the hacker has the MFA code they need to access the user’s bank accounts.

  • BEST – Rather than receiving an OTP on your phone or device, the strongest MFA approaches are password free. In lieu of a password, authenticators provide an access request on the users previously registered mobile phone. Sometimes further verification is solicited, such as a fingerprint on the same device.

Vendor Email Compromise: When MFA Can’t Protect You

Even when you’re taking steps to secure your login credentials with multi-factor authentication, you still have to worry about whether outside connections are as careful as you. A great example is Vendor Email Compromise (VEC), and if your business transacts with vendors to supply products or services, you could become a victim.

Vendor Email Compromise (VEC) attacks start with the vendor. The phisher gains access to targeted email accounts (those who conduct financial transactions) in an Account Take Over scheme. They then monitor their accounts to see how their customers make and receive payments. Then, the attacker sets up email forwarding rules and a fake banking website. From there, the bad actor sends a phishing email to you that asks you to update your records with their new vendor banking information. Before you know it, the phisher has the funds you intended for the vendor, and you look as though you haven’t paid for their services.

INKY Stops Account Take Overs and Other Phishing Attacks

INKY takes the responsibility of recognizing phishing scams away from employees and IT departments. INKY is relentlessly effective and catches pretty much everything from daily spam to the most sophisticated phishing scams. One of the powerful tools in the INKY toolbox is known as stylometry. Your word choices, sentence structure, and even the breadth of your vocabulary are all indicators of who is writing what. That’s stylometry. INKY gets to know her users so that she can keep an eye out for anyone trying to impersonate them with a phishing email or Account Takeover threat. That means the phishing email your employees receive from the vendor’s email address can be signaled out before anyone can fall for it.

Email account compromises accounted for nearly $2.4 billion in losses in 2021, making it the most diabolical, costly phishing threat around.2 During Cybersecurity Awareness Month, and all year long, your company needs a level of protection that only INKY can provide.

Learn more by scheduling a free demonstration today.


INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.


1 Source:

2 Source: