Human beings can be tricked. This fact is a hard-to-patch vulnerability in many systems. And that is the tl;dr version of a notice from the FBI that recently hit industry groups.
According to the Private Industry Notification, criminals are bypassing two-factor authentication with a combination of well-known techniques including social engineering and man-in-the-middle attacks.
In addition to reminding organizations of the dangers of SIM-swapping exploits, the notice points to two new hacker tools: Muraena (named for a family of eels), which automates phishing attacks, and NecroBrowser, which helps to hijack a legitimate authentication session.