Human beings can be tricked. This fact is a hard-to-patch vulnerability in many systems. And that is the tl;dr version of a notice from the FBI that recently hit industry groups.
According to the Private Industry Notification, criminals are bypassing two-factor authentication with a combination of well-known techniques including social engineering and man-in-the-middle attacks.
In addition to reminding organizations of the dangers of SIM-swapping exploits, the notice points to two new hacker tools: Muraena (named for a family of eels), which automates phishing attacks, and NecroBrowser, which helps to hijack a legitimate authentication session. Together, the tools can turn a victim's browser into a credential-stealing zombie that gives no warning to the legitimate user.
The FBI recommends that companies continue to educate users on phishing techniques and, for especially high-value accounts, use a variety of different authentication methods with tokens that regularly change.