Many businesses may not know what device code phishing is – but it may be time to learn. Research has shown that this type of cyberattack is on the rise, with Barracuda’s threat analysts having detected more than 7 million device code phishing attacks in four weeks.

Device code phishing attacks are successful for a reason – they can easily slip through security gaps. For smaller organisations without regular and updated cybersecurity training for staff, this risk is especially prevalent. Smaller businesses also can lack dedicated cybersecurity personnel to find, investigate and remediate breaches, leading to downtime and high recovery costs.

What is device code phishing?

Device code authentication is a login method that lets users sign in on one device by entering a short code on another, trusted device. Unlike traditional phishing, device code attacks do not use fake websites, but rather trick victims into entering a code generated by an attacker on a legitimate login portal (e.g., a Microsoft login).

These attacks often target employees by creating a sense of urgency. For example, they may receive an email stating their account requires a security update, or that their password is about to expire. They are then asked to enter a code into a legitimate login portal, that has, unbeknownst to them, been generated by a hacker.  This gives the attacker persistent, authorised access to their Microsoft services.

Why cyber attackers love device code phishing

Device code phishing has several advantages over traditional credential phishing with fake login pages — particularly in terms of stealth, persistence and evasion.

• It relies on legitimate links, not suspicious URLs: Traditional phishing needs a convincing fake website, which can be easy for email filters to spot. Device code phishing uses official authentication URLs, making it difficult to identify malicious activity.
• It bypasses multifactor authentication and any conditional access policies: Because the victim authorizes the new device themselves, the attacker gains a valid access token that passes these security checks.
• Persistent, long-term access: Once the victim enters the code, the attacker receives a refresh token that allows them to maintain access to the user’s account for days or weeks, even if the user changes their password.
• It takes advantage of user trust and familiarity: People are used to entering a 6 to 8 character code to link their devices.
• Stealthier lateral movement: The attacker hijacks the session without raising any alarm.

How can small businesses protect themselves?

All threats rely on the same weakness: a momentary lapse in visibility, verification or judgment. A modern, layered defence closes those gaps by combining technology, process and people. Here are four best practice approaches that will help organisations not only block attacks but also build resilience when prevention fails.

1. Advanced email security solutions 

Modern threats are designed to outpace traditional spam filters. You need an advanced email protection platform, whether cloud-based or a secure email gateway, that uses AI and behaviour analytics to detect attacks that signature-based filters can’t identify.

Key capabilities to look for include attachment sandboxing, real-time URL protection and phishing and impersonation detection.

2. Conduct regular security awareness training

Ongoing training reinforces how to secure IT systems at the human layer, turning your employees into a proactive line of defence rather than a point of failure. Regular, structured security-awareness training transforms your workforce from a target into a human firewall. This training must go beyond an annual slideshow; it should include brief, interactive sessions and simulated phishing exercises that test real-world reactions.

3. Continuous monitoring

Device code phishing attacks don’t all come via email – they can also come through text or even Teams meeting invites. With so many points of entry, small businesses must actively monitor their entire environment for ultimate protection.​ Opt for AI-powered, cloud-based tools with 24/7 managed services (SOC-as-a-Service). This allows SMBs to access enterprise-grade threat detection, incident response, and vulnerability management without building in-house security teams.

4. Maintain an incident response (IR) and recovery plan

Everyone says, “It’s not if but when,” and for once, they’re right. But that doesn’t mean it has to be chaos when it happens. A practiced response plan turns panic into procedure. Define who does what, how incidents are escalated and how communication flows when a device code or email becomes the attack vector.

• Contain: Disable compromised accounts, revoke sessions and isolate affected systems immediately to stop the spread.
• Eradicate: Trace how the attacker got in, remove malicious messages, revoke stolen credentials and patch exploited flaws.
• Recover: Restore clean data from verified backups and watch for signs of reinfection.

Device code phishing is a subtle yet increasingly effective approach that small business owners need to be aware of. By combining trusted communication channels, multistep redirection and encrypted client-side logic, attackers can guide victims through a process that appears entirely normal but leaves them compromised.

Layered security controls, including advanced email filtering, identity protection mechanisms and continuous monitoring can significantly limit exposure. Additionally, enforcing strict controls around device authorisation flows and raising awareness about entering verification codes only in trusted contexts can help prevent such attacks from succeeding.

Want more? Get our newsletter delivered straight to your inbox! Follow Business Builders on Facebook, Twitter, Instagram, and LinkedIn.