When Google issued its latest security bulletin this week, the language carried a degree of urgency rarely seen outside major breach disclosures. Hackers, the company warned, are “intensifying their phishing and credential-theft methods,” contributing to an 84 percent rise in infostealer attacks worldwide over the past year.
Researchers say the trend reflects a shift in the cybercrime economy: where once attackers sought passwords, they now harvest entire user profiles—session cookies, tokens, browser histories—enabling them to impersonate victims without ever needing to break encryption.
These attacks, Google cautioned, do not simply bypass weak passwords; they bypass the habits users have been trained to trust. At the center of the concern is a familiar tool: the SMS verification code.
SMS Codes Under Fire as a Weak Security Link
For nearly a decade, two-factor authentication has been promoted as one of the most powerful consumer protections against unauthorized access. But the growing sophistication of SIM-swapping operations, telecom-level interception, and phishing schemes has eroded confidence in SMS-based verification.
Google now says plainly that text-message codes can be hijacked, whether by redirecting a victim’s number, tricking users into sharing OTPs, or intercepting unencrypted messages in transit.
The warnings echo those from the National Security Agency, which deemed SMS-based two-factor authentication “not recommended,” saying it is “fairly simple to redirect SMS messaging and defeat the ‘what you have’ factor.”
America’s Cyber Defense Agency has also advised users to avoid SMS-based verification entirely, noting that “a threat actor with access to a telecommunication provider’s network can read these messages.”
Despite these alerts, billions of accounts—from email to banking to social media—still rely on text messages as their primary additional layer of security.
Passkeys and Authenticator Apps Offer a Path Forward
Security researchers emphasize that the answer is not to abandon multi-factor authentication, but to modernize it. A growing number of tech firms are adopting passkeys, an emerging standard that replaces passwords and uses cryptographic keys stored on a user’s device.
Google, Microsoft, Apple, and other major platforms now encourage users to enable passkeys, while simultaneously urging them to shift to app-based authenticators—tools that generate time-limited codes that cannot be intercepted through telecom networks.
But the larger issue, experts say, is that users often leave SMS as an active fallback option, even after setting up stronger protections. “If an account can still be unlocked with a password and an SMS,” one researcher noted, “that account is still vulnerable.”
The industry’s leading password managers and cybersecurity firms are now advising users to explicitly disable SMS authentication whenever app-based codes or passkeys are enabled.
A Five-Step Audit for an Era of Increasing Attacks
Security officials say the current threat landscape leaves little room for complacency. Google’s latest advisory includes recommendations that read less like best practices and more like non-negotiable requirements.
Experts recommend a five-step audit for all key accounts:
- Use a strong, unique password or passphrase managed by a password manager.
- Enable a non-SMS form of authentication, such as a dedicated authenticator app.
- Disable SMS-based 2FA if stronger options are already in place.
- Add a passkey wherever platforms support it.
- Run security or privacy checkups available within account settings.
For everyday users, these steps may feel burdensome, but the message from Google and U.S. cyber agencies is consistent: protections that once felt sufficient no longer are. As attackers escalate their tactics, the burden of vigilance increasingly falls on individuals—one security setting at a time.
