How BEC Scams Bypass MFA – And Why SMEs Are Still Vulnerable

For years, the gold standard of cyber advice has been simple: “Enable MFA and you’re safe.” But in 2026, Australian SMEs are finding out the hard way that MFA is no longer a brick wall; it’s a speed bump. According to recent data, BEC attacks in Australia rose over 60% in early 2025, and a staggering number of these breaches occurred in environments where MFA was active.

If your defense strategy starts and ends with a 6-digit code, your business is still at risk. Here is how modern scammers are walking right past your front door.

The “Session Hijack”: How MFA is Bypassed

Attackers no longer need to “crack” your password. They use a technique called Adversary-in-the-Middle (AiTM).

Instead of a fake login page that just steals your password, scammers use a live “proxy” server.

  • The Trap: You get an email (perhaps about a “missed invoice”) and click a link to what looks like a standard Microsoft 365 login.
  • The Mirror: The scammer’s site mirrors the real login page in real-time. You enter your password and—crucially—you enter your MFA code.
  • The Theft: The scammer passes those details to the real site. Once the real site says “Access Granted,” it issues a Session Token (a digital “fast pass” that keeps you logged in). The scammer intercepts this token.

With that token, the attacker doesn’t need your password or your MFA ever again. They are “in” as you, bypassing all identity checks for the next several hours or days.

Why SMEs Are the “Sweet Spot” in 2026

Cybercriminals aren’t just targeting the big banks. Australian SMEs are currently the primary targets for two specific reasons:

1. The “Single Point of Failure”

In a small business, one person (the owner or a senior manager) often has “God Mode” access to everything—email, banking, and payroll. If that one account is compromised via a session hijack, the entire company is exposed instantly.

2. The “Fatigue” Factor

We’ve all seen it: a flurry of “Approve Login” notifications on your phone while you’re busy. Attackers use MFA Fatigue—bombarding a user with push notifications until they click “Approve” just to make the buzzing stop.

Beyond the Code: 3 Ways to Defend Your Business

If MFA isn’t a silver bullet, what is? To protect your cash flow and reputation, you need a layered approach:

  • Upgrade to Phishing-Resistant MFA: Move away from SMS codes or “push” notifications. Use FIDO2/Passkeys or hardware security keys (like YubiKeys). These require a physical device to be present, and because the login is cryptographically bound to the genuine site’s domain, a proxy sitting in the middle cannot replay it.
  • Implement “Out-of-Band” Verification: Make it an iron-clad company policy: No bank details are ever changed via email. Any request to change an invoice must be verified by a voice call to a known number.
  • Automated Threat Detection: In 2026, the speed of attack is measured in minutes. ViCyber uses AI-driven monitoring to spot “Impossible Travel” (e.g., you logging in from Sydney and 5 minutes later from an IP in Eastern Europe), automatically killing the session (revoking the stolen token) before the scammer can act.
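The “Impossible Travel” check described above, as an added example that is not ViCyber’s code: it takes sign-in events that have already been geolocated (the event fields, the 900 km/h threshold and the sample log are assumptions), works out how fast a user would have had to move between consecutive sign-ins, and flags pairs no human could have made.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: faster than an airliner is not a person travelling

@dataclass
class SignIn:
    user: str
    when: datetime  # timezone-aware timestamp from the sign-in log
    ip: str         # source address from the sign-in log
    lat: float      # geolocation of that address, resolved before this step (assumption)
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def implied_speed_kmh(earlier, later):
    """Speed the user would have needed to travel between two sign-ins."""
    distance = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    hours = (later.when - earlier.when).total_seconds() / 3600
    if hours <= 0:  # same instant: any distance at all is impossible
        return float("inf") if distance > 0 else 0.0
    return distance / hours

def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later) sign-in pairs, per user, whose implied speed exceeds max_kmh."""
    flagged, last_seen = [], {}
    for event in sorted(events, key=lambda e: e.when):
        previous = last_seen.get(event.user)
        if previous is not None and implied_speed_kmh(previous, event) > max_kmh:
            flagged.append((previous, event))
        last_seen[event.user] = event
    return flagged

def _at(hour, minute):
    return datetime(2026, 3, 2, hour, minute, tzinfo=timezone.utc)

# Constructed sample log: documentation-range IPs, rough coordinates for Sydney, Warsaw, Melbourne.
SAMPLE_EVENTS = [
    SignIn("alice", _at(9, 0), "203.0.113.10", -33.87, 151.21),   # Sydney
    SignIn("alice", _at(9, 5), "198.51.100.7", 52.23, 21.01),     # Eastern Europe, 5 minutes later
    SignIn("bob", _at(9, 0), "203.0.113.11", -33.87, 151.21),     # Sydney
    SignIn("bob", _at(12, 0), "203.0.113.12", -37.81, 144.96),    # Melbourne, 3 hours later: plausible
]
for earlier, later in find_impossible_travel(SAMPLE_EVENTS):
    print(f"{later.user}: {earlier.ip} -> {later.ip} implies {implied_speed_kmh(earlier, later):,.0f} km/h; revoke session")
```

In a real deployment the flagged pair is the trigger for revoking the session token and forcing re-authentication, which is the response the page describes.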

The Bottom Line

MFA is still essential—it stops 90% of “lazy” hackers. But for the 10% who are running professional, AI-powered BEC scams, it isn’t enough. Your security must evolve from “checking a box” to “monitoring the behavior.”

Protect Your Cash Flow Today

Don’t wait until a fake invoice drains your account to test your defenses.

  • On our Website: [Check Your BEC Risk Score] – Use our free tool to see how vulnerable your current email setup is to session hijacking.
  • Via Email: Is your team trained to spot an AiTM attack? Book a ViCyber Reality Check and we’ll run a safe, simulated test for your staff. [Book a Demo]

ViCyber | Simple. Automated. Proactive. Affordable. 📧 Email: info@vicyber.com.au | 🌐 Web: vicyber.com.au