Two-Factor Authentication (2FA) is designed to protect you by sending you a text message or calling you when you are logging into a website. It is a minor annoyance, requiring you to take an extra step beyond just entering your username and password.
A hacker might obtain your username and password through one of the frequent data breaches we read about, but a hacker doesn't have your phone. 2FA foils hackers by requiring you to enter a code you receive on your phone.
Unfortunately, you can still be tricked by a skillfully faked email into clicking a link to a bad website that imitates a good one. You'd think the hackers would be stymied because they don't have your phone, but they can fool you into entering the 2FA code into their fake login page. From there, they can log into your account on the real website.
Kevin Mitnick, now a good guy / white hat hacker for KnowBe4.com, published a techie video explaining how this is done. He demonstrates the hack using a LinkedIn account as the target, but it works against just about any website - your bank, your email webpage, your Office 365 account or Google services.
Essential to the hack is tricking you into clicking a link in an email. Hackers use web addresses with subtle typos; for example, login.microsoffonline.com is available for anyone to purchase. It is easy to overlook the "ff" in place of "ft" when you see the link. Once you click on it, everything will look normal but be fake and malicious!
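As an added example (not part of the original post), the check below scores a link's host against a short allow-list of legitimate login hosts using edit distance, so a one-letter swap like "ff" for "ft" is flagged before anyone clicks. It also catches a trusted name planted as the leading subdomain of some other domain. The allow-list, the "attacker.example" domain and the sample links are constructed for this illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of login hosts this check trusts; a real deployment
# would load the organisation's own list of legitimate sign-in pages.
KNOWN_GOOD = {
    "login.microsoftonline.com",
    "www.linkedin.com",
    "accounts.google.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, known_good=KNOWN_GOOD, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host part of url.

    'lookalike' means the host is within max_distance edits of a trusted host,
    or starts with a trusted host followed by more labels (the real registrable
    domain is then something else entirely).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in known_good:
        return "trusted"
    for good in known_good:
        # Trusted name used as a decoy prefix: login.microsoftonline.com.attacker.example
        if host.startswith(good + "."):
            return "lookalike"
        # Typo-squat: login.microsoffonline.com is one edit from the real host
        if levenshtein(host, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links; the first is the one cited in the post.
    for link in (
        "https://login.microsoffonline.com/",
        "https://login.microsoftonline.com/common/oauth2",
        "https://login.microsoftonline.com.attacker.example/",
        "https://example.org/",
    ):
        print(f"{classify_link(link):9s} {link}")
```

Run it as a filter over the links extracted from inbound mail, or wire `classify_link` into a mail gateway's URL rewriting step; anything scored "lookalike" is worth quarantining or at least tagging with a banner before it reaches a user.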
Backups Even More Critical
Despite our best security measures, users can still be fooled. Having a backup system in place is your best fail-safe defense against permanent loss of your emails and files. A cloud backup system can be insulated from whatever havoc may play out in your online accounts and local files.
The people in your office need effective training and practice so that they won't fall victim to the ever-evolving hacker tricks and tools.