Guides

CISA urges phishing-resistant MFA as Western Union threat reminder

CISA’s MFA warning lands hard at Western Union, where one bad login can ripple across a network spanning more than 200 countries and territories.

Lauren Xu··4 min read
Published
Listen to this article0:00 min
CISA urges phishing-resistant MFA as Western Union threat reminder
Source: techcrunch.com

As of December 31, 2024, Western Union’s global network included agent locations in more than 200 countries and territories. For a company with that scale, money-movement role, and customer trust, account compromise is a frontline business risk, not just an IT problem. That is why CISA keeps pushing employees and employers toward stronger sign-in habits.

MFA is the baseline, not the finish line

CISA’s core message is simple. Multifactor authentication protects data and applications by requiring a second method of verifying identity, and it is meant to work as a layered control rather than a replacement for passwords. Even complex passwords are not enough on their own, because bad actors still have ways to get past them.

At Western Union, the stakes go beyond an individual inbox. If one employee account is taken over, the fallout can touch internal systems, customer data, operational workflows, and fraud response teams. MFA does not solve every problem, but it is one of the few controls that can stop a stolen password from turning into a broader incident.

Why phishing-resistant MFA now gets the spotlight

CISA has gone a step further and urged organizations to implement phishing-resistant MFA. In 2022, the agency warned that some MFA methods can still be targeted by phishing and other known cyber threats, which is why a generic “we have MFA” approach is no longer enough.

The practical point for employees is that not all second factors behave the same way under pressure. Some methods can still be tricked by a convincing fake prompt, while phishing-resistant approaches are designed to make that trap much harder to spring. Phishing remains effective because attackers do not just spray random messages anymore. They often tailor them, using personal or company-specific details to make a fake message look legitimate.

Phishing is still the employee-level threat that matters most

On October 18, 2023, CISA joined with the National Security Agency, the Federal Bureau of Investigation, and the Multi-State Information Sharing and Analysis Center on phishing-prevention guidance. The joint guidance warns that phishing techniques are commonly used to obtain credentials and deploy malware. A malicious email is often just the first step in a longer chain of compromise.

Employee behavior remains central even when technical controls are in place. Phishing attacks are frequently preventable when employees are trained to recognize suspicious messages and avoid them. The security program is not only about better tools; it also depends on pausing before clicking, typing, approving, or replying.

The newest phishing tactics are often less sloppy than they used to be. Attackers may borrow real names, reference internal projects, or mimic the tone of a vendor or manager. If the message asks for credentials, payment changes, document review, or a quick approval tied to urgency, the safest move is to slow the exchange down and verify it through a trusted channel.

Western Union’s footprint raises the cost of mistakes

Western Union’s reach creates a business advantage, but it also means that phishing, credential theft, or a careless click can travel farther than it would at a smaller company.

For a money-transfer business, trust and speed are tightly linked. Employees work in an environment where identity, payments, and exceptions are routine parts of the job, so fraudulent requests can look like ordinary work at first glance. That is exactly the kind of setting where phishing campaigns try to blend in, because one convincing message can trigger customer support disruption, fraud exposure, and cleanup work across multiple teams.

What Western Union is already doing inside the company

Western Union says its cybersecurity program uses a defense-in-depth strategy. It also says employees receive mandatory annual cybersecurity and data privacy training, plus monthly phishing simulations.

The monthly simulations are especially relevant in a business where speed can create pressure to respond quickly. Repeated practice helps employees recognize the kinds of cues that matter most: unfamiliar sender behavior, odd urgency, link mismatches, document requests that do not fit the workflow, and prompts that ask for sign-in or approval outside normal channels.

The daily habits that reduce the most risk

The best workplace defense is still a set of small, repeatable actions. The habits are not glamorous, but they are the ones that stop most trouble before it spreads.

  • Use MFA wherever it is available, and do not treat it as optional.
  • Slow down when a message asks for credentials, payment changes, file access, or urgent action.
  • Check sender details, links, and the request context before you click or reply.
  • If a sign-in prompt appears out of nowhere, treat it as suspicious until you verify it.
  • Report questionable messages quickly so others are not caught by the same lure.

Attackers depend on a fast response, and security teams depend on a fast report. A suspicious email that is flagged early can stay a nuisance instead of becoming an operational incident.

Western Union’s own fraud guidance points in the same direction

The company’s fraud resources reinforce the same basic discipline for consumers and, by extension, for employees who handle sensitive information every day. Western Union advises people to use strong passwords and not open random links. Its fraud materials also warn that scammers rely on authentic-looking documents, emails, and websites to appear legitimate.

Fake messages borrow the look and feel of real business. Western Union also warns that scammers constantly change their scenarios, including impostor-style schemes.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.

Did this article answer your question?

Discussion

More Western Union News