
MFA doesn’t stop voice-call scams, here’s what does

Stolen credentials and a barrage of fake voice-call prompts nearly bypassed MFA. Why voice and SMS codes are the weakest link, and what to use instead.

By The Dragon Digital team


A staff member receives a string of automated voicemail calls on both her work mobile and a backup number she’d recently added to her Microsoft 365 account. Each call is the same: press 1 to confirm a sign-in. She ignores them. The attacker fails.

But the unsettling part isn’t the calls themselves. It’s how the attacker knew about that backup number in the first place. It was new, never published, never shared outside the business. Almost certainly, the attacker had old login credentials from a previous breach somewhere else on the internet, tried them against Microsoft 365, and got in long enough to see which phone numbers were registered on the account. Then came the barrage of fake approval calls, hoping she’d either crack under the pressure or tap 1 without thinking.

She didn’t. The MFA did its job. But it was one person, one time.

The problem with voice and SMS codes

Microsoft’s own security documentation is direct about this: voice-based MFA and SMS codes are vulnerable to social engineering. The NCSC (the UK’s National Cyber Security Centre) says the same in their MFA guidance: attackers have adapted the same tricks that once stole passwords to now bypass weaker MFA methods.

This isn’t MFA failing. It’s the wrong type of MFA being used. An attacker who can call someone pretending to be IT support, or flood them with fake prompts until one gets approved, can often get past voice and SMS. The technology isn’t the weak point; the phone call is.

What actually holds up

Stronger options are straightforward to set up:

  • Phishing-resistant MFA using passkeys or FIDO2 security keys. These can’t be bypassed over the phone because the approval is tied to the device and the website, not a code someone can read out or a button someone can press.
  • Number matching in the Microsoft Authenticator app, where instead of just tapping “approve”, the user has to type a specific number shown on the login screen. Stops blind approvals cold.
  • App-based authentication rather than voice or SMS. Harder to fake, though still beatable if an attacker is on the phone at the same time.

For a business in Conwy, Denbigh, or Ruthin using Microsoft 365, the sensible starting point is to turn off voice-call MFA entirely and make the authenticator app the default. Then add conditional access rules that only prompt for MFA when someone logs in from somewhere new, and set up monitoring for repeated failed sign-in attempts.
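The monitoring piece is the part most small businesses leave until last, so here is an added example of what it looks like in practice. This script is not from the post or from Dragon Digital; it runs over a handful of constructed sign-in records (invented users and addresses, shaped like Entra ID sign-in events) and flags the three patterns described above: a run of wrong passwords, a run of MFA prompts nobody approved, and a password that was accepted followed by prompts that were never approved. It also reports any account still using voice or SMS, since those are the methods to switch off.

```python
"""Flag MFA-fatigue and credential-stuffing patterns in sign-in records.

Added example, not part of the original post. The events below are constructed
to imitate Microsoft 365 / Entra ID sign-in logs; users and addresses are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Methods the post recommends switching off; any use is reported.
WEAK_MFA_METHODS = {"voice", "sms"}

# Constructed sample events. Fields: timestamp, user, source IP, method, outcome.
# Password outcomes are success/failure; MFA outcomes are approved/denied/timeout.
SAMPLE_EVENTS = [
    # Normal office sign-in with an approved push notification.
    ("2024-05-01T07:30:00", "a.jones@example.co.uk", "198.51.100.5", "password", "success"),
    ("2024-05-01T07:30:05", "a.jones@example.co.uk", "198.51.100.5", "push", "approved"),
    # Same account from an unknown address: password accepted, then a run of
    # voice-call prompts the user never approves (the scenario in the post).
    ("2024-05-01T08:00:00", "a.jones@example.co.uk", "203.0.113.10", "password", "success"),
    ("2024-05-01T08:00:30", "a.jones@example.co.uk", "203.0.113.10", "voice", "timeout"),
    ("2024-05-01T08:01:10", "a.jones@example.co.uk", "203.0.113.10", "voice", "timeout"),
    ("2024-05-01T08:02:05", "a.jones@example.co.uk", "203.0.113.10", "voice", "timeout"),
    ("2024-05-01T08:03:00", "a.jones@example.co.uk", "203.0.113.10", "voice", "timeout"),
    # A second account taking repeated wrong passwords from the same address.
    ("2024-05-01T08:10:00", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    ("2024-05-01T08:10:20", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    ("2024-05-01T08:10:40", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    ("2024-05-01T08:11:00", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    ("2024-05-01T08:11:20", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    ("2024-05-01T08:11:40", "b.roberts@example.co.uk", "203.0.113.10", "password", "failure"),
    # A third account using a passkey: nothing to report.
    ("2024-05-01T09:00:00", "c.evans@example.co.uk", "198.51.100.5", "password", "success"),
    ("2024-05-01T09:00:04", "c.evans@example.co.uk", "198.51.100.5", "passkey", "approved"),
]


def parse_events(raw):
    """Turn the tuple form into dicts with real datetimes, oldest first."""
    events = [
        {"time": datetime.fromisoformat(t), "user": u, "ip": ip, "method": m, "outcome": o}
        for t, u, ip, m, o in raw
    ]
    return sorted(events, key=lambda e: e["time"])


def _burst(times, threshold, window):
    """Largest count of timestamps inside any span of length `window`,
    or 0 if no span reaches `threshold`. Sliding-window scan over sorted times."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best if best >= threshold else 0


def analyse(events, window_minutes=10, failure_threshold=5, prompt_threshold=3):
    """Return {user: [finding, ...]} for accounts worth a closer look."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        alerts = []

        # 1. Repeated wrong passwords: credential stuffing or spraying.
        failures = [e["time"] for e in evs if e["method"] == "password" and e["outcome"] == "failure"]
        n = _burst(failures, failure_threshold, window)
        if n:
            alerts.append(f"{n} wrong-password attempts within {window_minutes} min")

        # 2. Repeated prompts nobody approved: MFA fatigue / prompt bombing.
        unapproved = [e["time"] for e in evs if e["method"] != "password" and e["outcome"] != "approved"]
        n = _burst(unapproved, prompt_threshold, window)
        if n:
            alerts.append(f"mfa fatigue: {n} unapproved prompts within {window_minutes} min")

        # 3. Password accepted, but no MFA approval followed from that address:
        #    the password itself is likely compromised.
        for pw in (e for e in evs if e["method"] == "password" and e["outcome"] == "success"):
            follow = [e for e in evs if e["method"] != "password" and e["ip"] == pw["ip"]
                      and pw["time"] <= e["time"] <= pw["time"] + window]
            if follow and not any(e["outcome"] == "approved" for e in follow):
                alerts.append(f"password accepted from {pw['ip']} but MFA never approved")
                break

        # 4. Voice or SMS still in use on this account.
        weak = sorted({e["method"] for e in evs if e["method"] in WEAK_MFA_METHODS})
        if weak:
            alerts.append("weak mfa method in use: " + ", ".join(weak))

        if alerts:
            findings[user] = alerts
    return findings


if __name__ == "__main__":
    for user, alerts in analyse(parse_events(SAMPLE_EVENTS)).items():
        print(user)
        for a in alerts:
            print("  -", a)
```

On the sample data the script reports a.jones for the prompt burst, the unapproved sign-in from the unknown address and the voice method, and b.roberts for the wrong-password run; c.evans, on a passkey, produces nothing. The thresholds are arguments so they can be tuned to a tenant's normal sign-in volume, and the same per-user sliding-window logic applies unchanged to exported sign-in logs once the records are mapped to the five fields used here.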

Longer term, moving toward passkeys and passwordless login is the direction the whole industry is heading. The NCSC’s guidance on passkeys is worth a read if you want to understand what that looks like in practice.

One more reason this matters: cyber insurance claims are being rejected when MFA isn’t set up to the right standard. Voice and SMS no longer count as adequate for many policies. If you handle client money, legal files, or personal data, it’s not just good practice, it’s becoming a condition of your cover.

Getting off voice and SMS, using app-based or passkey MFA, and having monitoring in place stops the vast majority of what attackers actually try. Dragon Digital sets up phishing-resistant MFA and conditional access for businesses across North Wales, including the monitoring that catches repeated failed sign-ins before they turn into something worse. If your current setup still relies on voice calls or text codes, it’s worth a conversation.
