Your Bank Thinks You're Safe. The Math Says 7 in 10 Aren't.
You turned on two-factor authentication (that's the extra step your bank sends you — a code, a push notification, a text — to confirm it's really you logging in). You felt good about it. You should have. That was the right move. But here's the thing nobody told you: there are different kinds of that extra step, and most of what banks have deployed right now can still be beaten by a halfway-decent scammer with a fake website and a little patience.
Most banks have turned on extra login security, but a new report found only 28% of it is truly "phishing-resistant" — meaning 7 in 10 banks are running protection that attackers already know how to bypass, while 82% of those banks think they're covered.
That disconnect — between feeling protected and actually being protected — is what a new industry report is calling out this week. And if you've ever just tapped "Approve" on a banking notification without really thinking about it, this one's for you.
The Number That Should Keep Bank Executives Up at Night
A survey by identity security firm Secret Double Octopus, published this month as the 2026 State of Identity Security in Financial Organizations, found something genuinely alarming: 94% of financial institutions surveyed reported an increase in phishing attacks (phishing — that's when a criminal tricks you into handing over your login by pretending to be someone you trust). Yet only 28% of the multi-factor authentication — the extra login step — those same institutions use is what experts classify as truly phishing-resistant.
Read that again. 82% believe they're protected. 28% actually are. That is not a small gap. That is almost everyone at the table believing they're holding a winning hand while the cards tell a very different story.
The deeper problem is a split between new and old technology inside the same bank. According to the same report, modern cloud-based software tools (think: the sleek app your bank just launched) have about 74% multi-factor authentication coverage. But the older, behind-the-scenes systems — the ones that actually move money, store account data, and run the real infrastructure — sit at just 50% coverage. And here's the kicker: those legacy (older) systems still make up the majority of the environment, with 54% of organizations running at least half their applications on this older infrastructure.
So the shiny front door has a decent lock. The back door — where the really sensitive stuff lives — is half the time wide open. This article is part of a series — start with Meta Smart Glasses Facial Recognition What It Means For You.
What "Phishing-Resistant" Actually Means — and Why Your Text Code Isn't It
Here's where we need to pause on language, because it matters a lot. When your bank texts you a six-digit code, or sends you a push notification that says "Approve this login?" — that IS a form of multi-factor authentication. It IS better than just a password alone. Full stop.
But it can be beaten. And in 2026, it's being beaten regularly.
SMS codes (the text message kind) can be intercepted through something called SIM swapping — where a criminal calls your phone carrier, pretends to be you, and gets your phone number transferred to their device. Now your texts go to them. Push notifications — the "Approve or Deny" pop-ups on your phone — are vulnerable to a different attack: researchers at Security Boulevard tracked a 217% year-over-year rise in what's called "MFA fatigue" attacks, where criminals simply bombard your phone with approval requests — ten, twenty, forty in a row — until you tap Approve just to make it stop. (Sound familiar? You're tired, it's late, your phone won't stop buzzing.)
Truly phishing-resistant multi-factor authentication — the gold-standard kind — uses physical hardware keys or a technology standard called FIDO2. These work differently: the confirmation is cryptographically tied to the specific website you're actually on. A fake site simply cannot complete the handshake. There's no code to steal. There's no notification to approve. The fake portal gets nothing. When security firm Cloudflare was targeted by the same attack that hit Twilio in a major 2022 breach, their use of FIDO2 hardware keys stopped the attack cold — while other companies got compromised.
"Strong-sounding MFA is not the same as phishing-resistant MFA, and partial coverage leaves the most sensitive systems exposed." — Expert analysis, Secret Double Octopus
That sentence is doing a lot of work. "Strong-sounding" is the trap. Banks can say they have multi-factor authentication and be telling the complete truth — while running systems that attackers have already mapped out and practiced defeating.
The Attack You Haven't Heard About — But Should
Forget the image of a hoodie-wearing hacker typing furiously. The most active threat group targeting financial services right now, tracked by CrowdStrike and detailed by VentureBeat, never bothered to steal a single password. Instead, they called the bank's IT help desk. On the phone. Pretending to be an employee. They convinced the support staff to reset the employee's multi-factor authentication — then registered their own device on the network as the "new" trusted device. Previously in this series: Your Brain Sees Faces Differently Than Everyone Elses And Yo.
Think about that for a second. They didn't hack anything. They just talked their way past the one control that was supposed to make hacking unnecessary. This group — researchers call them Mutant Spider — turned the human on the other end of a help desk line into the vulnerability.
This is not a Hollywood scenario. This is a well-documented, active, ongoing attack pattern aimed specifically at financial institutions in 2026. And it works because even when a bank has multi-factor authentication deployed, the process for resetting that protection often relies on exactly the kinds of human judgment calls that criminals have learned to manipulate.
Why This Matters for You, Specifically
- ⚡ Your text-code MFA is not the same as bulletproof MFA — SMS codes and push notifications can be intercepted or exhausted; the 28% figure shows most banks haven't upgraded to the harder-to-beat kind
- 📊 The systems handling your actual money are the least protected — older banking infrastructure has only 50% multi-factor authentication coverage, and that's where account balances and transfers live
- 🧠 Attackers are targeting your impatience, not your password — the 217% rise in "approval fatigue" attacks means the goal is to get you to tap Approve before you think about why the request appeared
- 📞 Your bank's own staff can be the weak link — help desk social engineering (tricking support staff over the phone) is now a primary attack route that bypasses your personal security entirely
The Question You Should Ask Every Single Time
There's a simple habit that costs you nothing and can stop a surprising number of these attacks: when a banking approval prompt appears, ask yourself whether you did anything to cause it. Did you just try to log in? Did you just initiate a transfer? Did you just change a setting?
If the answer is no — if the notification just appeared out of nowhere while you were doing something else — that is a red flag. Don't approve it. Don't dismiss it either. Go directly to your bank's official app or website (type the address yourself, don't click a link) and check your account there.
According to security researchers tracking MFA fatigue attacks, the brain under time pressure tends to complete familiar patterns rather than evaluate them fresh. Attackers know this. They time their approval storms for late at night, or early morning, or right in the middle of a busy workday — exactly when you're least likely to stop and think "wait, did I ask for this?"
That pause — two seconds, one question — is genuinely protective. Not perfect. But real. Up next: Metas New Glasses Can Log Your Face At A Party And Youll Nev.
If you've ever looked at an unexpected message and thought "is this actually from my bank, or is someone pretending?" — that instinct is exactly right, and it's worth trusting. At CaraComp, we think about identity verification from the other direction: helping you confirm that what you're seeing is real before you respond to it. The habit of asking is this legitimate before I act is the same muscle, applied to your own accounts.
Turning on two-factor authentication was the right call — but "I have it turned on" and "my account is protected" are not the same sentence. The protection only works if it's the kind attackers can't bypass, AND if you treat every unexpected login prompt as a potential trap rather than routine background noise to tap through.
Meanwhile, 2026 is the year regulators stopped being patient about this. New York's financial regulator (NYDFS), the international payment card standard (PCI DSS 4.0.1), and European financial rules (DORA — the Digital Operational Resilience Act) are all now in full enforcement mode with zero grace periods remaining, as industry analysts have noted. Banks that are still running text-message codes on their core systems don't just have a security problem anymore. They have a regulatory one too.
The complexity of upgrading 20-year-old banking infrastructure is real. Nobody's pretending that's easy. But when 94% of your industry is reporting more phishing attacks and only 28% of your defenses can actually stop one — "it's complicated" stopped being an acceptable answer a while ago.
Here's the thought that lingers after reading all of this: the banks that got it right — the ones running FIDO2 hardware keys, the ones that stopped Mutant Spider at the help desk, the ones in that 28% — they didn't do it because they had more money or better engineers. They did it because someone decided that sounding secure wasn't the same as being secure. The next time your bank sends you a notification, that gap between 82% confident and 28% protected is sitting right there in your pocket, waiting for you to tap Approve without thinking.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore News
Your Face Is Now Your Train Ticket — and Nobody Asked You First
Facial recognition just moved from airports and border control into the everyday train stations of Japan — and the real question isn't whether this is coming, it's whether you'll have any say when it arrives near you.
biometricsYour Face Just Became the Password Criminals Can't Wait to Steal
A new wave of mobile malware doesn't want your password. It wants your face — and criminals are using it to build deepfakes that fool your bank. Here's the part nobody's explaining clearly.
biometricsYour Car Is About to Watch Your Eyes — and Nobody's Saying Where That Video Goes
New cars could use biometric sensors to detect if you're too tired or impaired to drive — before a crash happens. The tech exists. The trust doesn't. Here's the gap.
