
Warning: The Reality of AI Fraud That Bypasses 2FA — A Complete Guide to Protecting Your Assets and Information

2026-02-08, by 濱本 隆太

AI-powered fraud is now capable of bypassing two-factor authentication. This guide covers deepfake scams, phishing, session hijacking, and infostealers — with concrete steps to protect yourself.


The Threat Landscape Has Changed

For years, two-factor authentication (2FA) was considered the gold standard of personal account security. Enable 2FA, and you were protected — even if your password leaked, an attacker could not get in without your phone.

That assumption is no longer safe to make.

AI-powered fraud has evolved to a point where 2FA is routinely bypassed. Not by breaking the cryptography, but by exploiting the human layer — the person who receives the authentication code and decides whether to share it.

This article explains how these attacks work and, more importantly, what you can do about them.

How AI Makes Fraud More Dangerous

Traditional fraud relied on volume. Send millions of phishing emails, a small percentage of recipients would click the link, and the attacker would collect credentials. The emails were generic, the deception unsophisticated, and trained users could often spot them.

AI changes the economics of fraud in three ways:

Personalization at scale. AI can scrape social media, LinkedIn, and other public sources to build detailed profiles of targets. A phishing email can now reference your actual employer, your manager's name, a real project you're working on. The generic "Dear User" email is being replaced by messages indistinguishable from legitimate internal communications.

Voice and video synthesis. Deepfake technology has matured to the point where real-time voice cloning is accessible with minimal technical expertise. Attackers can impersonate a colleague, a bank representative, or a family member in a phone call with convincing accuracy.

Automated social engineering. AI-powered chatbots can conduct phishing conversations across thousands of targets simultaneously, adapting their approach based on how each target responds. What used to require a skilled human operator can now run at machine scale.


The 2FA Bypass: How It Actually Works

The most common 2FA bypass in use today is the adversary-in-the-middle (AiTM) attack, often combined with real-time social engineering.

Here is how a typical attack unfolds:

  1. The attacker sends a phishing link that looks like a legitimate login page (a bank, Microsoft 365, Google, etc.)
  2. The victim enters their username and password — which the attacker's server captures and immediately replays to the real service
  3. The real service sends a 2FA code to the victim's phone
  4. The attacker's fake page tells the victim to "enter the verification code sent to your phone to confirm your identity"
  5. The victim enters the code — which the attacker captures and immediately uses to complete the login on the real service
  6. The attacker now has an authenticated session

The entire exchange takes less than a minute. The victim's 2FA code was valid, used once, and is now expired — but the attacker has a live session.

A more sophisticated variant of this attack targets session cookies rather than credentials.

When you log into a web service, the server issues a session cookie — a token that identifies your authenticated session. Modern malware (infostealers) is designed specifically to extract these cookies from your browser.

With a valid session cookie, an attacker can access your account without ever knowing your password or 2FA code. The cookie represents an already-authenticated session.

Infostealers have become a commodity in cybercriminal markets. They are distributed through:

  • Malicious software downloads disguised as legitimate applications
  • Cracked software and game cheats
  • Malicious browser extensions
  • Phishing attachments

Once installed, they silently harvest browser cookies, saved passwords, and other credentials, sending everything to the attacker.

Deepfakes in the Wild

Voice deepfakes are being used in live fraud calls at scale. Reported incidents include:

  • Employees authorizing wire transfers after receiving calls from what sounded like their CEO or CFO
  • Individuals sending money to "family members in distress" based on voice calls that were entirely synthesized
  • Customer service representatives being socially engineered using cloned voices of account holders

Video deepfakes are less common in real-time fraud due to computational requirements, but they have appeared in targeted attacks — including a widely reported case where a finance employee was convinced to transfer funds after a video call with synthesized versions of company executives.

Concrete Steps to Protect Yourself

Use hardware security keys where available. FIDO2/WebAuthn hardware keys (YubiKey and similar devices) are phishing-resistant by design. The authentication process is bound to the specific website domain — a phishing site cannot relay the authentication even if you click the link.
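The reason a FIDO2/WebAuthn key defeats the relay attack described in the six steps above is that the browser writes the page's real origin into the signed client data, and the authenticator hashes the relying-party ID into the signed authenticator data; a page script cannot override either value. The following is an added example, not code from the article or from any WebAuthn library, showing the server-side checks a relying party performs on those two fields. The site name `bank.example`, the look-alike origin `bank-login.example` and the `make_assertion` helper are constructed stand-ins; signature verification over the attested data is assumed to happen in a separate step and is not shown here.

```python
import base64
import hashlib
import json

# Constructed values: what this relying party expects for its own site.
EXPECTED_RP_ID = "bank.example"
EXPECTED_ORIGIN = "https://bank.example"


def b64url_decode(data: str) -> bytes:
    """Decode base64url as used for WebAuthn clientDataJSON / authenticatorData."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Constructed stand-in for what browser + authenticator return to a page.

    The browser fills in `origin` with the page's actual origin; the
    authenticator prepends SHA-256(rpId) to its data. Neither value is under
    the page's control, which is the property the server checks below.
    """
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                      # bit 0: user present
    sign_count = (1).to_bytes(4, "big")  # signature counter
    authenticator_data = rp_id_hash + flags + sign_count
    return {
        "clientDataJSON": b64url_encode(client_data),
        "authenticatorData": b64url_encode(authenticator_data),
    }


def verify_assertion(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """Relying-party checks that bind the assertion to our origin and rpId.

    Returns (accepted, reason). A relayed assertion produced on a phishing
    page fails the origin check even if the victim's key signed it.
    """
    client_data = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"

    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = "server-issued-random-challenge"  # constructed
    genuine = make_assertion("https://bank.example", "bank.example", challenge)
    relayed = make_assertion("https://bank-login.example", "bank.example", challenge)
    print("genuine:", verify_assertion(genuine, challenge))
    print("relayed:", verify_assertion(relayed, challenge))
```

In practice the browser also refuses to let `bank-login.example` request an assertion for the rpId `bank.example`, so the relayed case never reaches the server; the origin check above is the defence-in-depth layer that catches anything that does. Compare this with a TOTP or SMS code, which carries no information about where it was typed and therefore verifies identically whether it came from the real page or the relay.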

Never enter a 2FA code on a page you navigated to from an email or message link. Always navigate directly to the service's official URL.

Enable passkeys where available. Passkeys replace passwords with cryptographic authentication that is inherently phishing-resistant.

Keep your devices clean. Use reputable antivirus software, avoid downloading software from unofficial sources, and be skeptical of browser extensions from unknown developers.

Verify unusual requests through a separate channel. If a colleague, family member, or representative calls asking for money or sensitive information, hang up and call them back on a number you know is correct.

Monitor for credential leaks. Use services like HaveIBeenPwned to check whether your email addresses or passwords have appeared in known data breaches.

Review active sessions regularly. Most major services show you where you are currently logged in. Check this regularly and revoke any sessions you do not recognize.

A Note on AI-Powered Defense

The same AI capabilities that power fraud can also power defense.

Email security systems increasingly use AI to detect phishing attempts that evade traditional signature-based filters. Behavioral analytics can flag unusual account activity — logins from unexpected locations, unusual transaction patterns — that may indicate a compromised session.
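Detecting a stolen session cookie, which is what the infostealer scenario earlier in the article produces, works much the same way: the session was established from one device and is then used from another. The example below is added here and is not code from the article or any product; it runs a simple session-consistency check over a few constructed JSON log lines (the users, IP addresses, and countries are invented). It flags a session whose browser fingerprint or country changes after login, while tolerating a plain IP change within the same country, which is common on mobile networks.

```python
import json

# Constructed sample log lines; not from any real system.
SAMPLE_LOG = """\
{"ts":"2026-02-08T09:00:00Z","event":"login","user":"alice","session":"s1","ip":"203.0.113.10","country":"JP","ua":"Chrome/122 Windows"}
{"ts":"2026-02-08T09:05:00Z","event":"request","user":"alice","session":"s1","ip":"203.0.113.10","country":"JP","ua":"Chrome/122 Windows"}
{"ts":"2026-02-08T09:07:00Z","event":"request","user":"alice","session":"s1","ip":"198.51.100.7","country":"NL","ua":"Firefox/115 Linux"}
{"ts":"2026-02-08T10:00:00Z","event":"login","user":"bob","session":"s2","ip":"192.0.2.5","country":"JP","ua":"Safari/17 macOS"}
{"ts":"2026-02-08T10:30:00Z","event":"request","user":"bob","session":"s2","ip":"192.0.2.6","country":"JP","ua":"Safari/17 macOS"}
"""


def parse_log(text: str) -> list[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_anomalies(events: list[dict]) -> list[dict]:
    """Flag sessions whose user agent or country differs from the login event.

    The first event seen for a session (normally the login) fixes the
    baseline. Later events are compared against it; a differing user agent
    or country is a strong sign the cookie is being replayed elsewhere.
    """
    baseline: dict[str, dict] = {}
    findings: list[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if sid not in baseline:
            baseline[sid] = ev
            continue
        base = baseline[sid]
        reasons = []
        if ev["ua"] != base["ua"]:
            reasons.append("user_agent_changed")
        if ev["country"] != base["country"]:
            reasons.append("country_changed")
        if reasons:
            findings.append({
                "session": sid,
                "user": ev["user"],
                "ts": ev["ts"],
                "login_ip": base["ip"],
                "seen_ip": ev["ip"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in detect_session_anomalies(parse_log(SAMPLE_LOG)):
        print(f"revoke session {f['session']} for {f['user']}: {', '.join(f['reasons'])}")
```

The natural response to a finding is to revoke the session server-side and require a fresh login, which is the automated form of the "review active sessions" advice above. A production rule would add travel-speed checks between consecutive IPs and treat a changed user agent during an otherwise stable session as the higher-confidence signal, since browsers do not change mid-session on their own.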

For enterprises, AI-powered security monitoring is becoming a baseline expectation rather than a premium feature.

The Honest Assessment

Two-factor authentication is still worth using. It raises the cost of account compromise and defeats many less sophisticated attacks. The recommendation to enable 2FA everywhere remains valid.

But 2FA is not a guarantee of security. Understanding how it can be bypassed is essential to using it intelligently — knowing which types of 2FA are stronger, which attack vectors to watch for, and how to layer additional protections.

Security in the AI era requires a more dynamic approach than checking a box and considering yourself protected. The threat landscape is evolving continuously, and your defensive posture needs to evolve with it.

