Blog post: Online security

Traditional passwords are gradually being replaced by more advanced authentication solutions such as passkeys and multi-factor authentication (MFA). Marketed as more secure, these technologies are not invulnerable. Fraudsters are now developing mirror sites capable of intercepting credentials and multi-factor authentication sessions in real time. This shift marks a turning point in online phishing techniques.
Passkeys rely on asymmetric cryptography and replace passwords with a pair of digital keys: a private key that stays on the user’s device and a public key registered with the service. They are designed to prevent credential theft via database breaches or brute-force attacks, since the public key alone cannot be used to sign in. Meanwhile, MFA systems add a second validation step, such as a one-time code or biometric confirmation.
In theory, these mechanisms block the vast majority of conventional intrusion attempts. However, they remain vulnerable when a user personally approves a fraudulent sign-in on a site that perfectly imitates the real one. The weakness is no longer in the technology, but in real-time manipulation.
New attack campaigns use phishing kits capable of acting as an intermediary between the victim and the legitimate service. The internet user believes they are logging in to their usual account, but their actions are routed through a server controlled by the fraudsters. The attackers then capture the credentials and the active session.
This method, sometimes referred to as a “man-in-the-middle” (or adversary-in-the-middle, AitM) attack, can intercept even one-time MFA codes. In some cases, biometric validation or smartphone approval is exploited instantly by the attacker to open their own parallel session. The login appears normal to the victim, while unauthorised access is already active.
Passkeys are designed to work only with a service’s official domain. However, if the user is redirected to a fraudulent site whose appearance and address closely resemble the original, they may be led to initiate the authentication process.
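The domain binding described above holds because the browser, not the web page, writes the page origin into the signed `clientDataJSON`, and the authenticator scopes the credential to a relying-party ID whose SHA-256 (`rpIdHash`) leads the `authenticatorData`. The following Python sketch is an added example, not code from the original post or from any passkey vendor: it simulates what a browser hands back and the checks a relying party performs on it. `RP_ID`, `ALLOWED_ORIGINS`, the challenge and the flag byte are constructed values; verifying the signature against the stored public key is assumed to happen after these checks and is not shown.

```python
import base64
import hashlib
import json

# Constructed values for the illustration (not from any real service).
RP_ID = "example.com"                                      # relying-party ID the passkey was registered for
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate the browser/authenticator output for a sign-in ceremony.

    The browser fills in the origin of the page that asked for the assertion;
    script on that page cannot choose a different one. The authenticator puts
    SHA-256(rp_id) in the first 32 bytes of authenticatorData."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": page_origin,
    }).encode()
    flags = b"\x05"                         # constructed: user present (0x01) + user verified (0x04)
    counter = (1).to_bytes(4, "big")        # constructed signature counter
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return {"clientDataJSON": client_data, "authenticatorData": authenticator_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks on an assertion (signature verification omitted here)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or from another session)"
    origin = client.get("origin")
    if origin not in ALLOWED_ORIGINS:
        # A relayed assertion produced on a lookalike page fails here:
        # the browser recorded the lookalike's origin, not ours.
        return False, f"origin {origin!r} is not an allowed origin"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x01" * 32   # constructed; real servers use fresh random bytes per ceremony
    good = make_assertion("https://login.example.com", RP_ID, challenge)
    relayed = make_assertion("https://example.com.evil.net", RP_ID, challenge)
    print(verify_assertion(good, challenge))      # (True, 'ok')
    print(verify_assertion(relayed, challenge))   # (False, "origin 'https://example.com.evil.net' is not an allowed origin")
```

In a real browser the ceremony usually fails even earlier: a page at `example.com.evil.net` is not permitted to request a credential whose RP ID is `example.com`, and a credential the phishing page could legitimately request would carry a different `rpIdHash`. The server-side checks above are the backstop that rejects whatever a relay manages to forward.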
In certain scenarios, the attacker is not trying to steal the private key itself, but to hijack the session that has already been opened after approval. The goal then becomes taking control of the account via intercepted session cookies. The technical complexity of the attack increases, but it remains possible against an unwary user.
Even though these attacks are sophisticated, certain clues can give away a mirror site. The differences are sometimes subtle, but they exist. Careful checking should remain a core habit.
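The most reliable of those clues is the address bar: a mirror site can copy every pixel of the page but cannot serve it from the genuine hostname. The function below is an added example, not part of the original post, of the exact-match check a password manager or browser extension can apply before offering to sign in. It assumes a constructed `EXPECTED_HOST` of `example.com`, requires HTTPS, accepts only that host or its own subdomains, and names the reason when it rejects a lookalike (the expected name embedded under another domain, extra characters, or internationalised labels that render as look-alike letters).

```python
from urllib.parse import urlparse

# Constructed for the illustration: the one domain the real service signs in on.
EXPECTED_HOST = "example.com"


def check_login_url(url: str, expected_host: str = EXPECTED_HOST) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only when the page is served over HTTPS by
    expected_host itself or one of its own subdomains; anything else is rejected
    with a reason naming the mismatch."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False, f"not HTTPS (scheme is {parsed.scheme or 'missing'!r})"
    host = (parsed.hostname or "").rstrip(".")     # .hostname is already lower-cased
    if not host:
        return False, "no hostname in URL"
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        # Punycode ("xn--") labels hide non-ASCII letters; decode them so the
        # reviewer sees what the user saw.
        try:
            shown = host.encode("ascii").decode("idna") if host.isascii() else host
        except UnicodeError:
            shown = host
        return False, f"hostname contains non-ASCII characters: {shown!r}"
    if host == expected_host or host.endswith("." + expected_host):
        return True, "served by the expected domain"
    # Note the leading dot above: a plain endswith(expected_host) would also
    # accept 'notexample.com', which is the classic mistake.
    if "." + expected_host + "." in "." + host + ".":
        return False, f"{expected_host!r} appears as a subdomain of another domain: {host!r}"
    if expected_host.replace(".", "") in host.replace(".", "").replace("-", ""):
        return False, f"expected name with added or altered punctuation: {host!r}"
    return False, f"unrelated host {host!r}"


if __name__ == "__main__":
    for sample in ["https://accounts.example.com/login",
                   "https://example.com.evil.net/login",
                   "https://notexample.com/",
                   "https://example-com.net/",
                   "http://example.com/",
                   "https://xn--80ak6aa92e.com/"]:
        print(sample, "->", check_login_url(sample))
```

The check deliberately does not try to guess typosquats such as a swapped letter; a site that is simply not the expected domain is rejected as "unrelated", which is the right default. The same idea is what the passkey origin check enforces mechanically, so the manual habit and the cryptographic control reinforce each other.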

Abnormal account behaviour after signing in (messages sent, settings changed) should also raise suspicion. In that case, you should act immediately.
Official bodies emphasise that human vigilance remains decisive. The National Cyber Security Centre (NCSC) in the UK and the Cybersecurity and Infrastructure Security Agency (CISA) in the US regularly publish practical recommendations. To report malicious content or fraud, you can use Action Fraud (UK) and the FBI’s Internet Crime Complaint Center (IC3) (US), while consumer protection guidance is provided by the Competition and Markets Authority (CMA) (UK) and the Federal Trade Commission (FTC) (US).
Several practical measures can reduce the risk:
Businesses and public-sector organisations should also train their teams on new forms of real-time phishing. Awareness remains an essential line of defence.
If you still have doubts after a suspicious login, it is advisable to immediately change the security settings of the account concerned. This includes revoking active sessions and resetting authentication methods.
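Revoking active sessions matters because, as the earlier paragraph on intercepted session cookies notes, the cookie issued after an approved sign-in is a bearer credential: whoever presents it is the account until it expires or is invalidated. The following session store is an added example, not code from the original post or from any real platform. It assumes a constructed per-account "generation" counter so that one "sign out everywhere" action invalidates every token issued before it, including a relayed copy, without scanning the whole table, and keeps only a hash of each token so a leaked table does not yield live sessions.

```python
import hashlib
import secrets
import time
from typing import Optional


class SessionStore:
    """Server-side session registry (constructed for this illustration).

    create() issues a random bearer token for the cookie and records the
    account's current generation number. revoke_all() bumps that number, so
    every earlier token, whoever holds it, fails the next lookup()."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: dict[str, dict] = {}      # sha256(token) -> record
        self._generation: dict[str, int] = {}     # account -> current generation

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a database dump must not hand out usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, account: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = {
            "account": account,
            "generation": self._generation.get(account, 0),
            "expires": now + self.ttl,
        }
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> tuple[Optional[str], str]:
        """Return (account, status); account is None unless status is 'ok'."""
        now = time.time() if now is None else now
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None, "unknown token"
        if now >= rec["expires"]:
            del self._sessions[key]
            return None, "expired"
        if rec["generation"] != self._generation.get(rec["account"], 0):
            del self._sessions[key]            # issued before the last revoke_all()
            return None, "revoked"
        return rec["account"], "ok"

    def revoke_all(self, account: str) -> None:
        """Invalidate every session of the account in O(1)."""
        self._generation[account] = self._generation.get(account, 0) + 1


def demo() -> dict:
    """Walk through the relay scenario: a copied cookie works until revoked."""
    store = SessionStore(ttl_seconds=600)
    t0 = 1_700_000_000.0                                  # constructed clock
    victim_token = store.create("alice", now=t0)          # issued after a valid MFA approval
    stolen_token = victim_token                           # a relay site forwarded the same cookie
    before = store.lookup(stolen_token, now=t0 + 5)[1]
    store.revoke_all("alice")                             # "sign out everywhere"
    after = store.lookup(stolen_token, now=t0 + 10)[1]
    fresh = store.create("alice", now=t0 + 20)            # the legitimate user signs in again
    return {
        "stolen_before_revoke": before,
        "stolen_after_revoke": after,
        "fresh_after_revoke": store.lookup(fresh, now=t0 + 25)[1],
        "expired": store.lookup(fresh, now=t0 + 700)[1],
    }


if __name__ == "__main__":
    print(demo())
```

On the transport side the cookie should also carry the `Secure`, `HttpOnly` and `SameSite` attributes and a short lifetime; none of those stops a relay that already holds a valid cookie, which is why the server-side revoke path is the control that actually ends the attacker's session.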
Next, monitor for unusual activity and contact the platform’s official customer support. Reporting to the relevant authorities helps limit the spread of the scam. Additional guidance is available in our dedicated guide to preventing digital scams, including our article on best practices for avoiding online scams.
Passkeys and MFA represent a major advance in digital security. However, the ingenuity of fraudsters shows that technology alone is not enough. Real-time session interception attacks primarily exploit users’ trust and haste.
Adopting simple habits, verifying every authentication prompt, and staying informed about new scam methods remain essential. To go further, also consult our full dossier on how fraud works and what steps to take if you are scammed.