MFA – Multifactor Authentication

If you don’t already have multifactor authentication enabled on your online accounts like email, financial, or social media, you should. In the event a malicious actor obtains your username and password, they still have one more hurdle to get through before they are able to access your data. The malicious actor can steal your username and password, but more than likely they have not taken your phone as well. With multifactor enabled, after the login screen, a short randomized code is sent to your phone to make sure it is truly you trying to gain access to your email or financials. The extra three swipes on your phone and entering five numbers is well worth your time. Below is a situation that could happen in a business environment.

A malicious email could be sent to an individual person who runs the financials (spear phishing), and through that email the employee inadvertently gives out their username and password. Without MFA, that malicious attacker now has access to that account and can send an email to all clients informing them they have switched bank accounts and to switch all EFT to this routing ##. Or they can wait and monitor the dialog between two financial institutions for a period of time (1 week, 1 month, 1 year), then when the opportunity arises, they compose a very intricate, well-crafted email sent from the valid account requesting the money be sent to another destination. MFA also acts as an Indicator of Compromise (IoC). So if you are sitting at home watching football on a Sunday and your email verification pops up when you didn’t initiate the connection, you now know someone has your username and password, and they should be changed immediately.

Pic Source: https://goo.gl/aWBcq7