
Push-Bombing: What It Is and How to Stop It Happening to Your Business

It is 9am and one of your staff members arrives at their desk, unlocks their phone, and finds six authentication approval requests from your practice management system - none of which they triggered. Confused, they tap one to make it stop. That single tap is all a hacker needed.

This is push-bombing. It is a targeted attack on multi-factor authentication - the extra verification step most businesses now use to protect their cloud accounts. Multi-factor authentication is effective, and that is exactly why attackers have started working around it. They already have a staff member's username and password, often from a previous data breach or a phishing email. They then attempt to log in repeatedly, flooding the user's phone with approval prompts. The hope is that the person on the receiving end gets confused, frustrated, or simply wants the notifications to stop - and approves one.

Once that approval goes through, the attacker is inside your systems as a legitimate user. From there they can read emails, access client files, impersonate staff, and move through your network. For a professional services business handling confidential client information, that is a serious problem - both for your clients and for your obligations under the NZ Privacy Act 2020. A breach involving client data is not just an IT issue; it is a notifiable privacy event that can carry real consequences.

The good news is that push-bombing is preventable. The first step is making sure your team knows what it looks like. Staff who understand that unexpected authentication prompts are a red flag - not a glitch to dismiss - are far less likely to approve one by accident. They also need a clear way to report it when it happens, so the rest of the business can be alerted quickly. Security awareness training, which most NZ businesses overlook, is often what makes the difference between a stopped attack and a successful breach.

Beyond staff awareness, there are practical changes that reduce your exposure significantly. Phishing-resistant authentication methods - which use a physical security key or device passkey rather than a push notification - remove the vulnerability entirely, because there is no prompt to trick someone into approving. Consolidating the number of cloud apps your team logs into each day also helps. Fewer logins means fewer attack surfaces and less password fatigue. Platforms like Microsoft 365 bring a wide range of tools under a single login, which reduces the problem considerably. Adding a single sign-on layer across your remaining systems takes it further, giving staff one set of credentials to manage and giving your IT support one place to monitor and respond. Understanding why most breaches are entirely preventable with strong credential practices puts this in useful context.

The other layer worth having is contextual access controls. These are settings that automatically block login attempts from unexpected locations, unusual times, or devices that do not match normal behaviour. A login attempt from an IP address in Eastern Europe at 2am on a Sunday should not succeed just because the credentials are correct. Good managed IT support includes this kind of configuration as standard, not an afterthought.
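
The prompt flood described earlier leaves a recognisable pattern in MFA logs: a run of unanswered or denied push prompts for one user, sometimes ending in an approval. The Python below is an added example, not ITstuffed's or any vendor's code; the event layout, the result values, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, result). The field layout
# and result values are assumptions, not any MFA vendor's log schema.
SAMPLE_EVENTS = [
    ("2024-05-06T08:55:00", "bob", "denied"),         # one mis-tap, then a real login
    ("2024-05-06T08:55:30", "bob", "approved"),
    ("2024-05-06T09:00:05", "alice", "no_response"),  # six prompts in three minutes
    ("2024-05-06T09:00:40", "alice", "no_response"),
    ("2024-05-06T09:01:10", "alice", "denied"),
    ("2024-05-06T09:01:45", "alice", "no_response"),
    ("2024-05-06T09:02:20", "alice", "no_response"),
    ("2024-05-06T09:02:50", "alice", "approved"),
    ("2024-05-06T10:00:00", "carol", "no_response"),  # spread out: not a burst
    ("2024-05-06T10:30:00", "carol", "no_response"),
    ("2024-05-06T11:00:00", "carol", "approved"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed count of unapproved prompts that makes a burst


def detect_push_bombing(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, reason) alerts for prompt bursts and for
    approvals that arrive while a burst is in progress."""
    recent = defaultdict(list)  # user -> timestamps of recent unapproved prompts
    alerts = []
    for ts_raw, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        # Drop prompts that have aged out of the look-back window.
        recent[user] = [t for t in recent[user] if ts - t <= window]
        if result in ("denied", "no_response"):
            recent[user].append(ts)
            if len(recent[user]) == threshold:
                alerts.append((user, ts_raw, "prompt_burst"))
        elif result == "approved":
            # An approval straight after a burst is the case to investigate:
            # the session may belong to whoever generated the prompts.
            if len(recent[user]) >= threshold:
                alerts.append((user, ts_raw, "approved_after_burst"))
            recent[user].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

A `prompt_burst` alert gives IT support the chance to warn the user before anything is approved; an `approved_after_burst` alert means the account's sessions should be revoked and its password reset, since the password is already in the attacker's hands.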

If you are not sure whether your current authentication setup would catch an attack like this, ITstuffed can help you find out. A 15-minute IT Fit Check is a practical starting point.
