From faaa.au: Scammers are increasingly using techniques to bypass Multi-Factor Authentication, relying on stolen usernames and passwords obtained through methods like Credential Stuffing.

Once they acquire MFA codes, scammers can impersonate victims and access their accounts.

Organisations implementing MFA should never ask users to provide their MFA codes, as these are meant to be kept secure and private.