Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information. Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA:
https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/
This does not mean we should stop using Two-Factor Authentication (2FA). We should still use 2FA, or Multi-Factor Authentication (MFA) wherever possible. What it does mean is that we need to be even more careful about checking to see that we’re on the correct web site before logging in.
Even with this tool, the most impressive fake site still cannot use the real site’s URL, so please ensure your organization’s cybersecurity training and awareness plan regularly highlights the ever-important task of checking the URL in your browser before inputting any credentials. Of course, tactics like punycode attacks and typosquatting can also be used to complicate verifying the URL; to help ensure your users access safe web sites, consider bookmarking those sites and training your users to only initiate a session with each site by clicking on that bookmark, and not links via other mediums, such as SMS text, other web pages or email.