The Data Behind the Deception Proves Legacy MFA Is the Honeypot to Bad Actors
The new Optery 2026 Enterprise Social Engineering Survey Report should make every CISO stop and ask a very uncomfortable question: Are we actually stopping identity attacks, or are we just pretending?
The report surveyed 421 enterprise cybersecurity professionals, mostly senior leaders across large companies. The findings are blunt: 96% report an increase in targeted social engineering attacks over the past year. Nearly 75% report credential compromise resulting from targeted social engineering. 89.8% say recent attacks were highly or moderately personalized.
What are organizations doing about it?
Most are still relying on the same broken defenses attackers defeat every day: SMS controls, legacy MFA, email filtering, phishing simulations, and hiding employee contact data. Seriously?
The report says 56.5% of organizations use SMS or mobile security controls. 49.6% use MFA. 34.2% rely on user training and phishing simulations. And 59.9% are reducing publicly exposed employee data.
At this point, most of those controls aren't truly useful. Let's be clear: removing employee personal data from brokers is smart. It reduces reconnaissance. It makes it harder for attackers to build a convincing profile. It should be part of every security program. But if your entire defense depends on making sure attackers cannot find a phone number, personal email, manager name, home address, or family member, you are already playing from behind. The report itself proves the problem. 83.6% of leaders say home addresses are easy to obtain. 82.2% say personal mobile numbers are easy to find. 77.4% say personal email addresses are accessible. 75.5% say job titles and reporting structures are readily available. 72.2% say family member or associate names are easy to obtain. In other words, the data is already out there.
Now add AI. Add cheap phishing kits. Add spoofed login pages that can be built in minutes. Add voice cloning. Add a teenager with a laptop, a stolen credential dump, and a script. Are we really still pretending that SMS codes and push approvals are enterprise-grade security?
The report found that 97.6% of respondents rate data broker and people search data as a significant source of social engineering intelligence. 64.4% call it very significant. That means attackers are not guessing. They are researching. They know who works in IAM. They know who sits in finance. They know who can reset access. They know who approves payments. They know which help desk employee to call and what details to use to sound real.
Who are they targeting? Not just CEOs. The top target is IT and IAM personnel at 80.5%. HR comes in at 44.7%. Finance at 43.9%. Executives at 42.3%. Help desk at 33%. This is not executive protection anymore. This is operational identity warfare. Yet many security leaders still act as if the answer is another phishing simulation, another warning email, another SMS control, another MFA app. Are they blind?
Attackers do not need to break encryption. They do not need to exploit a zero-day. They do not need to defeat your firewall. They just need one person to approve a prompt, give up a code, click a fake login page, or convince a help desk agent that they are someone else.
That is why legacy MFA is failing. SMS can be intercepted, relayed, or socially engineered. Authenticator codes can be phished in real time. Push approvals can be abused through fatigue attacks. Help desk resets can bypass everything. Training depends on every human being making the right decision every time, under pressure, across email, SMS, voice, social media, and spoofed websites. That is not a security architecture. That is wishful thinking.
The Optery report is right about moving upstream. Reducing exposed employee data lowers the amount of intelligence attackers can use. But upstream data reduction must be paired with authentication that cannot be phished, relayed, spoofed, or talked around.
Where Biometric Assured Identity Changes the Game
With Token, a stolen password is useless. A phished code does not exist. A push approval cannot be tricked because there is no push approval. The user must authenticate with a live fingerprint on a secure hardware device. The login is cryptographically bound to the legitimate domain. The device must be physically present. If the site is fake, the login fails. If the attacker is remote, the login fails. If the user is being impersonated, the login fails. If the attacker has all the personal data in the world, the login still fails. That is the point.
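An added example, not Token's code or part of the original post: a stdlib-only Python model of a fingerprint-gated, origin-bound login, showing why a signature relayed from a look-alike site fails at the real site. An HMAC over a device-held key stands in for the device's signature, and the origins, user name and challenge format are constructed for the demo.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.com"     # constructed legitimate origin
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike origin

def _message(challenge, origin):
    # The browser-reported origin is part of what gets signed.
    return json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()

class HardwareDevice:
    """Stand-in authenticator: key never leaves it, no signing without a live finger."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
    def registration_key(self):
        return self._key  # a real device would export a public key instead
    def sign_login(self, challenge, origin, fingerprint_live):
        if not fingerprint_live:
            raise PermissionError("no live fingerprint presented")
        return hmac.new(self._key, _message(challenge, origin), hashlib.sha256).digest()

class RelyingParty:
    """The real service: one-time challenges, signatures accepted only for its own origin."""
    def __init__(self, origin):
        self.origin, self.keys, self.pending = origin, {}, {}
    def register(self, user, device):
        self.keys[user] = device.registration_key()
    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]
    def finish_login(self, user, origin, signature):
        challenge = self.pending.pop(user, None)  # single use, so replays fail
        if challenge is None or origin != self.origin:
            return False
        expected = hmac.new(self.keys[user], _message(challenge, origin), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)

def run_scenarios():
    rp, dev = RelyingParty(RP_ORIGIN), HardwareDevice()
    rp.register("alice", dev)
    c = rp.begin_login("alice")  # genuine login at the real origin
    genuine = rp.finish_login("alice", RP_ORIGIN, dev.sign_login(c, RP_ORIGIN, True))
    # Real-time relay: victim signs on the look-alike site, attacker forwards it.
    c = rp.begin_login("alice")
    phished = rp.finish_login("alice", RP_ORIGIN, dev.sign_login(c, PHISH_ORIGIN, True))
    try:  # remote attacker with every personal detail but no device or finger
        dev.sign_login(rp.begin_login("alice"), RP_ORIGIN, False)
        remote = True
    except PermissionError:
        remote = False
    return {"genuine": genuine, "phished": phished, "remote": remote}
```

The relayed signature fails even though the attacker holds a fresh, valid challenge, because the message the device signed names the look-alike origin while the real site only verifies against its own.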
The future of social engineering defense is not telling employees to be more careful while giving them phishable tools. It is not hoping every data broker removes every record. It is not SMS. It is not legacy MFA. It is not another security awareness poster.
It is reducing attacker intelligence and then making that intelligence worthless.
Optery shows us the deception is data driven. Token makes sure the deception cannot become access. And any enterprise still relying on SMS codes, push apps, and employee judgment as the front door should stop calling that security. It is not security. It is an invitation.