Cyber criminals are constantly looking for the easiest way into your systems, and unfortunately, passwords alone are no longer enough.
Even strong passwords can be compromised through phishing emails, data breaches, malware or social engineering attacks. Once a criminal has your password, gaining access to email, cloud platforms, financial systems and sensitive information can be alarmingly straightforward.
This is where Multi Factor Authentication (MFA) becomes one of the most effective cyber security controls available. Think of it as a second lock on your front door: a stolen password may open the first, but MFA prevents criminals from walking straight in.
What is Multi-Factor Authentication?
MFA, sometimes referred to as Two- Factor Authentication (2FA), requires users to provide two or more forms of verification before gaining access to an account. Rather than relying on a password alone, it adds a second layer of protection through something you know, something you have, or something you are.
Common methods include a mobile phone approval notification, a code from an authenticator app, a fingerprint or facial recognition, or a physical security key. Even if a cyber-criminal obtains your password, they will typically be unable to log in without that second factor.
A Real-World Example: The CEO Fraud Attempt
Consider this scenario. An employee receives what appears to be an urgent email from the CEO requesting payroll information. It looks genuine and creates a sense of urgency.

What the employee does not know is that a cyber-criminal had already stolen their password earlier in the week through a phishing attack.
That evening, the attacker attempts to log in to the organisation's Microsoft Office 365 environment using the employee's credentials. They’re correct. Normally that would be enough.
However, the organisation has MFA enabled.
Instead of granting access, Microsoft sends a sign in approval request to the employee's phone. The employee, not attempting to log in and not expecting a notification, immediately recognises something is wrong. They deny the request and report it to their IT team. The compromised password is reset before the attacker can reach any systems or information.
In this case, MFA didn’t just stop the attacker, it alerted the employee that someone was actively attempting to access their account, giving the organisation time to respond before any damage occurred.
What could have happened without MFA?
Without MFA, the attacker would have gained immediate access to the employee's account.
Within minutes, they could have:
- Read emails and internal conversations
- Accessed payroll or customer information
- Sent convincing emails from the employee's account
- Requested fraudulent payments from Finance
- Reset passwords to other connected systems
- Distributed phishing emails internally to compromise additional staff
What starts as a single stolen password can quickly escalate into financial loss, data breaches, regulatory reporting obligations and lasting reputational damage. Many significant cyber incidents begin with nothing more than a compromised username and password.
Why it matters for your organisation
Every organisation relies on digital systems - mail platforms, cloud applications, payroll, customer databases and collaboration tools all contain information that cyber criminals actively seek to exploit. MFA is one of the simplest, most cost effective security measures available, and the Australian Cyber Security Centre (ACSC) identifies it as one of the most effective controls organisations can implement to prevent unauthorised access.
Whether you’re part of a large organisations, a school, a not-for-profit or a small business, MFA significantly reduces the likelihood of a breach – even when passwords have already been stolen.
Don’t forget your personal accounts
Cyber security is not just an organisational responsibility. Individuals should also enable MFA wherever possible, particularly for:
- Email accounts
- Online banking
- Social media
- Cloud storage
- Government services
- Shopping and payment platforms
Your email account is often the gateway to your digital life. If a cyber-criminal gains access, they may be able to reset passwords across other accounts and commit identity fraud. Enabling MFA takes only a few minutes and make a significant difference.
Setting up MFA with CDF
CDF has developed a practical guide to setting up Multi-Factor Authentication on your CDF Online account. If you haven’t already done so, we encourage you to take this step today.
You may also find these resources helpful:
- Australian Cyber Security Centre (ACSC): Multi Factor Authentication guidance
- Australian Signals Directorate Essential Eight Maturity Model
A single password should never be the only thing standing between a cyber-criminal and your organisation.
If you have any concerns about the security of your CDF accounts or suspect unauthorised activity, please
contact us today.
Share this article:
Related articles


CDPF Limited, a company established by the Australian Catholic Bishops Conference, has indemnified the Catholic Development Fund ABN 15 274 943 760 (the Fund) against any liability arising out of a claim by investors in the Fund. In practice, this means your investment is backed by the assets of the Catholic Archdiocese of Melbourne. The Fund is required by law to make the following disclosure. Investment in the Fund is only intended to attract investors whose primary purpose for making their investment is to support the charitable purposes of the Fund. Investors’ funds will be used to generate a return to the Fund that will be applied to further the charitable works of the Archdiocese of Melbourne and the Dioceses of Sale and Bunbury. The Fund is not prudentially supervised by the Australian Prudential Regulation Authority nor has it been examined or approved by the Australian Securities and Investments Commission (ASIC). An investor in the Fund will not receive the benefit of the financial claims scheme or the depositor protection provisions in the Banking Act 1959 (Cth). The investments that the Fund offers are not subject to the usual protections for investors under the Corporations Act (Cth) or regulation by ASIC. Investors may be unable to get some or all of their money back when the investor expects or at all and investments in the Fund are not comparable to investments with banks, finance companies or fund managers. The Fund’s identification statement may be viewed here or by contacting the Fund. The Fund does not hold an Australian Financial Services Licence.

