Apparently, all you need to breach a Fortune 500 company these days is a convincing voice and a good excuse for losing your phone.
In this publication, we're unpacking the rise of help desk scams—a cunning technique fueling attacks by the now-infamous threat group Scattered Spider. If you think your MFA is enough, think again.
Scattered Spider is tricking help desks into resetting credentials for high-privilege accounts, bypassing MFA and taking over enterprise systems — and they're getting away with it, big time.
How It Works:
Scattered Spider’s playbook is disturbingly simple:
- Call the help desk posing as a legitimate employee using publicly available personal info (like from LinkedIn).
- Impersonate the user convincingly, often saying they’ve “lost their phone” and need their MFA reset.
- Convince the operator to send the reset link to an attacker-controlled email or number.
- Have the help desk perform the password or MFA reset in the organization's identity provider (such as Okta or Microsoft Entra ID), then take control of the account.
- Repeat for high-value targets — admin accounts, IT staff, or cloud admins — to instantly gain top-tier access.
Who’s Targeted:
These scams target enterprise help desks, especially those:
- Using standardized reset flows for all user types
- Offshored or outsourced, with limited operational context
- Focused on speed and SLA compliance over scrutiny
But the ultimate targets?
High-privilege identities—admins, cloud engineers, IT leads—people whose access opens doors across the digital environment.
Real-Life Examples:
- Marks & Spencer (2025): A help desk compromise is suspected to have led to a breach with hundreds of millions in lost profits.
- MGM Resorts (2023): Attackers used LinkedIn info to impersonate an employee. Outcome? 6TB of data stolen, a 36-hour system outage, and a $100M hit.
- Caesars Entertainment (2023): Impersonation led to credential reset and a $15M ransom after loyalty program data was stolen.
- Transport for London (2024): Help desk attack exposed 5,000 banking records and forced 30,000 in-person ID verifications.
This technique is nothing new—Scattered Spider’s been at it since at least 2022.
Why You Should Care:
This isn’t just about call centers and “bad apples.” Once an attacker bypasses MFA through your help desk, they:
- Own your admin accounts
- Steal customer or internal data
- Deploy ransomware undetected
- Exploit cloud and VMware gaps where traditional security tools are useless
And they do it all before your SOC even sees a red flag.
How to Protect Yourself:
• Don’t trust… verify. All high-privilege resets should go through multi-party approval, no exceptions.
• Add friction. Require in-person or video verification — ideally in a trusted office environment.
• Freeze suspicious resets. If something feels off, delay the process and escalate. A slow help desk is better than a compromised one.
• Segment reset flows. Don’t treat admin and regular user accounts the same — tiered risk requires tiered security.
• Train your teams. Help desks must know they’re being targeted — security awareness starts with empathy and education.
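The five controls above describe one reset-approval procedure: tiered requirements by account privilege, a minimum verification strength, independent multi-party sign-off, refusal to send reset material anywhere but the contact already on record, and escalation when something feels off. The following is an added illustration, not code from the original article or from any identity vendor: a small policy evaluator that a help desk tooling team could put in front of its reset workflow. The tier names, verification levels, approval counts and the sample tickets are all constructed assumptions for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    STANDARD = 1      # ordinary staff
    PRIVILEGED = 2    # IT staff, cloud engineers
    ADMIN = 3         # tenant / domain admins


class Verification(Enum):
    # Ordered by strength; the numeric value is compared against the policy minimum.
    KNOWLEDGE = 1     # personal details the caller recites (LinkedIn-grade, weak)
    CALLBACK = 2      # call back to the number already on the HR record
    VIDEO = 3         # live video compared against the HR photo
    IN_PERSON = 4     # badge and ID check at a trusted office


class Decision(Enum):
    APPROVE = "approve"
    ESCALATE = "escalate"   # freeze the reset and hand it to security
    DENY = "deny"


@dataclass
class ResetRequest:
    account: str
    tier: Tier
    verification: Verification
    operator: str                                      # help desk agent on the call
    approvers: set[str] = field(default_factory=set)   # people who signed off
    delivery_on_file: bool = True                      # reset link goes to a contact already on record?
    risk_flags: set[str] = field(default_factory=set)


# Tiered policy (assumed values): stronger identity proof and more eyes for higher tiers.
POLICY = {
    Tier.STANDARD:   {"min_verification": Verification.CALLBACK,  "approvals": 0},
    Tier.PRIVILEGED: {"min_verification": Verification.VIDEO,     "approvals": 1},
    Tier.ADMIN:      {"min_verification": Verification.IN_PERSON, "approvals": 2},
}


def evaluate(req: ResetRequest) -> tuple[Decision, list[str]]:
    """Return the decision for a reset ticket and the reasons that drove it."""
    rule = POLICY[req.tier]
    reasons: list[str] = []

    # Hard stop: reset material never goes to a contact the caller supplied during the call.
    if not req.delivery_on_file:
        return Decision.DENY, ["delivery target was supplied by the caller, not taken from the record"]

    if req.verification.value < rule["min_verification"].value:
        reasons.append(f"{req.tier.name} requires at least {rule['min_verification'].name} "
                       f"verification, got {req.verification.name}")

    # Multi-party: the operator handling the call cannot count as an approver.
    independent = req.approvers - {req.operator}
    if len(independent) < rule["approvals"]:
        reasons.append(f"{req.tier.name} requires {rule['approvals']} independent approval(s), "
                       f"got {len(independent)}")

    # Anything the agent flagged as odd freezes the reset rather than letting it through.
    if req.risk_flags:
        reasons.append("risk flags present: " + ", ".join(sorted(req.risk_flags)))

    return (Decision.ESCALATE, reasons) if reasons else (Decision.APPROVE, [])


# Constructed sample tickets (not real events).
SCENARIOS = {
    # The "lost my phone" call: recited personal details, wants the link sent to a new number.
    "vishing_admin": ResetRequest("cloud-admin-01", Tier.ADMIN, Verification.KNOWLEDGE,
                                  operator="agent7", delivery_on_file=False,
                                  risk_flags={"mfa_reset_requested_by_phone"}),
    # Same caller, but the agent will only send to the number on file and signs off alone.
    "vishing_admin_on_file": ResetRequest("cloud-admin-01", Tier.ADMIN, Verification.KNOWLEDGE,
                                          operator="agent7", approvers={"agent7"},
                                          risk_flags={"mfa_reset_requested_by_phone"}),
    # A legitimate admin reset done the slow way.
    "admin_in_person": ResetRequest("cloud-admin-01", Tier.ADMIN, Verification.IN_PERSON,
                                    operator="agent7", approvers={"it-lead", "secops-oncall"}),
    # Ordinary user verified by callback to their HR-registered number.
    "standard_callback": ResetRequest("jdoe", Tier.STANDARD, Verification.CALLBACK, operator="agent2"),
}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        decision, why = evaluate(req)
        print(f"{name:24} -> {decision.value.upper():8} {'; '.join(why)}")
```

The ordering of the checks is the design point: the delivery-target check is a hard deny before anything else is considered, because a reset link sent to a caller-supplied number is the step that hands over the account regardless of how convincing the caller was. Everything else escalates rather than denies, so a genuine admin who really did lose a phone is slowed down and routed to a second person, not locked out.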
Quick Tips & Updates:
Quick Tip #1: MFA only works if the attacker can’t become you. Guard the reset process like your infrastructure depends on it — because it does.
Pro Tip: Assume voice-based identity claims can be faked. Deepfakes are now capable of spoofing real-time video verifications too.
Update: AiTM (Adversary-in-the-Middle) phishing kits like Evilginx are gaining steam as MFA-bypass tools. These relay the login and capture the live session cookie, so a one-time code or push approval offers little protection unless you use phishing-resistant MFA such as WebAuthn or FIDO2, whose credentials are bound to the legitimate site's origin and cannot be replayed through a proxy.
Stay safe, stay informed.
Keywords Defined:
• Help Desk Scam – A social engineering attack where the threat actor impersonates an employee and tricks support into resetting credentials or MFA.
• MFA (Multi-Factor Authentication) – A security system that requires more than one method of authentication from independent categories of credentials.
• AiTM (Adversary-in-the-Middle) – A phishing attack that intercepts login sessions to bypass MFA.
• Scattered Spider – An advanced threat actor group known for sophisticated social engineering and identity attacks.
• Vishing – Voice phishing; using a phone call to socially engineer credentials or access.
To read more, see the source article.