Helpdesk Social Engineering: How to Prevent It

by
Nametag Team

Introduction

This year’s data breaches and ransomware attacks have revealed a clear trend: attackers are focusing on IT helpdesks. They use clever social engineering to trick support agents into resetting accounts, effectively bypassing multi-factor authentication (MFA) and other security measures. The threat is so great that in April 2024, the U.S. Department of Health issued an entire Sector Alert warning of social engineering attacks against IT helpdesks.

This article explores the nature of social engineering, provides real-world examples, examines how generative AI (genAI) and deepfakes give “social engineering superpowers” to fraudsters, and offers specific strategies for preventing these attacks. You can also read our white paper, Helpdesk Social Engineering Attacks in the Health Sector: Threat Overview and Remediation Strategies, for an industry-focused viewpoint.

What is Social Engineering?

Social engineering is a tactic used by cybercriminals to trick individuals into revealing sensitive information, such as login credentials or personal data. These attacks can be carried out through various means, such as phishing emails, fake websites, or phone calls.

Some experts estimate that 50-90% of attacks involve social engineering. Organized hacker groups like Scattered Spider have become extremely adept at using social engineering to take over employee accounts. Once inside, they exfiltrate data and deploy ransomware.

Both the United States Cybersecurity & Infrastructure Security Agency (CISA) and Health Sector Cybersecurity Coordination Center (HC3) have specifically warned against Scattered Spider, and against social engineering attacks targeting helpdesks. In addition, the American Hospital Association recently warned its members that it had been made aware of a “validated IT help desk social engineering scheme”.

Meanwhile, cybersecurity firm Mandiant has been tracking Scattered Spider (threat cluster UNC3944). In June 2024, Mandiant issued a new report which specifically highlights the sophistication of Scattered Spider's helpdesk social engineering.

"Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts.

Additionally, it has been noted that they already possessed the personally identifiable information (PII) of its victims to bypass help desk administrators' user identity verification."

How Does Helpdesk Social Engineering Happen?

Helpdesk social engineering attacks trick agents into giving the attacker access to systems and data. Often, an attacker pretends to be an employee who has changed their phone and is now locked out of their accounts.

  1. An attacker contacts a company's internal employee helpdesk, saying they're an employee who's lost their MFA device and needs a reset. Often, they create a false sense of urgency, like claiming they're working on a tight deadline.
  2. The attacker uses information gathered from social media, the dark web, and other sources to impersonate their victim and answer security questions. Increasingly, attackers use AI-generated voice clones, fake selfies, and even live deepfake video feeds to make their voice and appearance indistinguishable from their victim.
  3. An unsuspecting agent resets the victim’s MFA, enabling the attacker to reroute MFA codes to a device they control. The attacker combines this access with credentials leaked in a previous breach to take over the victim employee's account, granting them access into corporate systems.

Attackers often use sophisticated social engineering techniques, but on the whole these attacks aren’t particularly complicated. A bad actor simply researches a victim, contacts your support team, and impersonates that person to steal their account. The problem is that helpdesk agents can't tell these attacks apart from real requests from legitimate users.

"UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset.

By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections."

Social engineering attacks are particularly dangerous because they target the weakest link in any security chain: humans. Even if you have strong security measures in place, such as phishing-resistant MFA, social engineering attacks can still succeed because they effectively bypass those measures.

Anatomy of a Helpdesk Hack

A striking example of helpdesk social engineering is the MGM Resorts attack. A threat actor, impersonating an employee, convinced helpdesk staff to reset the victim's multi-factor authentication (MFA). With this access, the attacker was able to deploy ransomware, ultimately costing the entertainment giant over $100 million.

How MGM Got Hacked in 10 Minutes →

The Role of Deepfakes in Social Engineering

The advent of generative AI and deepfakes has escalated the sophistication of social engineering attacks. Deepfakes (hyper-realistic, AI-generated audio, images, or video) can be used to impersonate victims much more easily. These tools significantly enhance the effectiveness of social engineering by making it much, much harder to distinguish bad actors from legitimate users.

Learn more about deepfake attacks →

Timeline of Recent Social Engineering and Deepfake Attacks

  • November 2023
    • The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issue a joint advisory warning of Scattered Spider social engineering.
  • January 2024
    • The American Hospital Association (AHA) warns its members of a “validated IT help desk social engineering scheme”.
  • February 2024
    • Threat actors use live deepfakes on a video call to socially engineer an employee of a multinational by impersonating the CFO ($25 million lost).
  • March 2024
    • More stories of narrowly-thwarted deepfake attacks impersonating chief executives at password manager LastPass and advertising giant WPP.
  • April 2024
    • In a dire Sector Alert, the U.S. DoH office of information security warns of hackers systematically targeting IT helpdesks in the health sector.
  • May 2024
    • More stories of deepfake attacks: an employee in Hong Kong is tricked into wiring away HK$4 million by a scammer using live video deepfakes.
  • June 2024
    • Mandiant warns that Scattered Spider is shifting to attack companies via SaaS apps, reiterating helpdesk social engineering as a primary vector.
  • June 2024
    • The FBI and the Department of Health and Human Services (HHS) release a joint Cybersecurity Advisory (CSA) warning of social engineering tactics targeting healthcare entities.

How to Prevent Helpdesk Social Engineering

Preventing helpdesk social engineering requires a multifaceted approach:

  1. Education: Regularly train employees to recognize social engineering tactics and understand the importance of following verification protocols without exception.
  2. Robust verification: Implement strict verification procedures for helpdesk interactions, including phishing-resistant multi-factor authentication and stronger identity verification beyond security questions, one-time passcodes, and push notifications.
  3. Use technology: Employ advanced identity verification technologies that leverage AI and mobile cryptography to detect and prevent deepfake and injection attacks.
  4. Incident response plans: Develop and maintain a comprehensive incident response plan to quickly address any breaches or attempted social engineering attacks.
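To make the "robust verification" and "incident response" items concrete, here is an added detection example (not Nametag's code, and not part of the original article) that replays constructed helpdesk and identity-provider events and flags reset tickets that were approved on weak verification or were followed by a new-device enrollment or login, the chain described in steps 1 to 3 above. The event field names, the two-hour correlation window, and the set of methods counted as strong are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): helpdesk ticket actions and IdP sign-ins.
EVENTS = [
    "2024-06-03T09:02:11Z helpdesk user=jdoe action=mfa_reset verified_by=security_questions agent=a17",
    "2024-06-03T09:05:40Z idp user=jdoe action=mfa_enroll device=new ip=203.0.113.45",
    "2024-06-03T09:06:02Z idp user=jdoe action=login device=new ip=203.0.113.45 result=success",
    "2024-06-03T10:15:00Z helpdesk user=asmith action=mfa_reset verified_by=id_document,face_match agent=a22",
    "2024-06-03T10:20:33Z idp user=asmith action=login device=known ip=198.51.100.7 result=success",
    "2024-06-03T11:00:00Z helpdesk user=bwong action=password_reset verified_by=otp agent=a17",
]

# Assumed policy: security questions, OTPs and push approvals do not count as strong verification.
STRONG_METHODS = {"id_document", "face_match", "phishing_resistant_mfa"}
WINDOW = timedelta(hours=2)  # assumed correlation window after a reset ticket

def parse(line):
    """Turn one 'timestamp source k=v k=v ...' line into a dict."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields

def weak_verification(ev):
    """True when the ticket was approved without any strong identity check."""
    methods = set(ev.get("verified_by", "").split(","))
    return not methods & STRONG_METHODS

def find_suspicious_resets(lines):
    """Flag reset tickets approved weakly or followed by new-device IdP activity."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["source"] != "helpdesk" or ev["action"] not in ("mfa_reset", "password_reset"):
            continue
        reasons = []
        if weak_verification(ev):
            reasons.append("reset approved on weak verification: " + ev.get("verified_by", "none"))
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > WINDOW:
                break  # events are sorted, so nothing later is inside the window
            if later["user"] == ev["user"] and later["source"] == "idp" and later.get("device") == "new":
                reasons.append(f"{later['action']} from new device {later['ip']} within window")
        if reasons:
            alerts.append({"user": ev["user"], "ticket_ts": ev["ts"].isoformat(), "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

On the sample data, jdoe's ticket is flagged for weak verification plus a new-device enrollment and login, bwong's for OTP-only verification, and asmith's (ID document and face match, then a known-device login) is not flagged.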

How to Prevent Social Engineering Attacks with Nametag

Nametag is the first end-to-end solution for secure helpdesk verification. Through our agent console, helpdesk staff can quickly and securely verify employees and customers when they call for password and MFA resets, access grants, account changes, and other tickets which require identity verification (IDV). Nametag verification is far more secure and versatile than traditional methods like security questions, one-time passcodes, and push notifications.

For a helpdesk agent, verifying someone with Nametag is as simple as 1, 2, 3:

  1. Send the user a Nametag link
  2. Wait for them to verify themselves
  3. Review the results, proceed with confidence

First-time users verify themselves in under 30 seconds using only what they already have on them: their smartphone, government-issued photo ID, and their face. Returning users benefit from an express re-verification experience that takes under 7 seconds.

Through our unique approach built on facial biometrics, mobile cryptography, and proprietary AI models, Nametag solves many of the problems of traditional IDV which leave other tools vulnerable to injection attacks and genAI deepfakes.

How to prevent social engineering attacks with Nametag →

Conclusion

Social engineering attacks are a critical threat that have already taken down major organizations. With the rise of generative AI and deepfakes, the need for robust security solutions is more critical than ever. Investing in such technologies, combined with rigorous training and strict protocols, can significantly reduce the risk of social engineering attacks and enhance overall cybersecurity resilience. Nametag provides a comprehensive, easy-to-implement defense against social engineering attacks, streamlining your helpdesk operations and protecting your customers, your employees, and your organization.
