Introduction
Numerous breaches have revealed a clear trend: attackers are focusing on IT helpdesks. Organized threat groups like Scattered Spider use clever social engineering tactics to trick support agents into resetting account access, effectively bypassing multi-factor authentication (MFA) and other security measures. The threat is so great that the U.S. government has issued an entire Sector Alert warning. But successful helpdesk hacks continue, including high-profile breaches at major UK retailers in May 2025. Most recently, a Chief Analyst at the Google Threat Intelligence Group warned that threat actors bearing the hallmarks of Scattered Spider are now targeting the insurance sector.
As helpdesk social engineering attacks continue, organizations need new and better strategies to prevent them. This article explores the nature of social engineering attacks on helpdesks, provides real-world examples, examines how generative AI (genAI) and deepfakes give “social engineering superpowers” to fraudsters, and offers specific strategies for preventing these attacks.
What is Social Engineering?
Social engineering is a tactic used by cybercriminals to trick individuals into revealing sensitive information, such as login credentials or personal data. Social engineering can take many forms, including phishing emails, fake websites, and phone calls to IT helpdesks.
Some experts estimate that 50-90% of attacks involve social engineering. Organized hacker groups like Scattered Spider have become extremely adept at using social engineering to take over employee accounts. Once inside, they exfiltrate data and deploy ransomware.
Both the United States Cybersecurity & Infrastructure Security Agency (CISA) and Health Sector Cybersecurity Coordination Center (HC3) have specifically warned against Scattered Spider, and against social engineering attacks targeting helpdesks. The American Hospital Association explicitly warned its members of a “validated IT help desk social engineering scheme”. John Hultquist, Chief Analyst at Google Threat Intelligence Group, recently posted on LinkedIn warning insurance companies to be "on the lookout for social engineering schemes targeting their call centers".
Meanwhile, cybersecurity firm Mandiant has been tracking Scattered Spider (threat cluster UNC3944). One Mandiant report specifically highlights the sophistication of Scattered Spider's helpdesk social engineering.
"Mandiant has observed UNC3944 in multiple engagements leveraging social engineering techniques against corporate help desks to gain initial access to existing privileged accounts.
Additionally, it has been noted that they already possessed the personally identifiable information (PII) of its victims to bypass help desk administrators' user identity verification."
How Does Helpdesk Social Engineering Work?
The goal of a helpdesk social engineering attack is to trick a support agent into giving the attacker access to systems and data. Often, an attacker pretends to be an employee who has changed their phone and is now locked out of their accounts. The attacker, who has already found the victim's password in a prior data breach, convinces the helpdesk agent to reset the victim's multi-factor authentication (MFA), then enrolls a new MFA device that they control. Once complete, the attacker has full access to the victim's accounts and their employer's systems.
Anatomy of a helpdesk social engineering attack
- An attacker contacts a company's internal employee helpdesk. They claim to be an employee who's lost their MFA device and needs a reset. Often, the attacker creates a false sense of urgency by claiming that they have an urgent meeting and need to log in to a video conferencing platform.
- The attacker uses information gathered from social media, the dark web, and other sources to impersonate their victim. Increasingly, attackers use AI-generated voice clones and even live deepfake video feeds to make their voice and appearance indistinguishable from their victim.
- The unsuspecting helpdesk agent resets the victim account's multi-factor authentication, enabling the attacker to reroute MFA codes to a device they control. The attacker combines this access with credentials leaked in a previous breach to take over the victim employee's account, granting them access to corporate systems.
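The three steps above leave a recognizable trail in identity logs: a helpdesk-initiated MFA reset, a new MFA device enrolled shortly afterwards, and a login from a location the user has never used. The following detection logic is an added example, not code from the original article or from Nametag; the event schema and the log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real data); timestamps are UTC ISO-8601.
# Alice's reset is followed within minutes by enrollment and login from an
# IP she has never used; Bob's enrollment happens the next day from a known range.
EVENTS = [
    {"ts": "2025-06-01T09:00:00", "user": "alice", "type": "login", "ip": "10.0.0.5"},
    {"ts": "2025-06-01T10:02:00", "user": "alice", "type": "helpdesk_mfa_reset", "agent": "agent7"},
    {"ts": "2025-06-01T10:05:00", "user": "alice", "type": "mfa_device_enrolled", "ip": "198.51.100.23"},
    {"ts": "2025-06-01T10:07:00", "user": "alice", "type": "login", "ip": "198.51.100.23"},
    {"ts": "2025-06-01T11:00:00", "user": "bob", "type": "helpdesk_mfa_reset", "agent": "agent2"},
    {"ts": "2025-06-02T08:30:00", "user": "bob", "type": "mfa_device_enrolled", "ip": "10.0.0.9"},
    {"ts": "2025-06-02T08:31:00", "user": "bob", "type": "login", "ip": "10.0.0.9"},
]


def find_suspicious_resets(events, window=timedelta(hours=1)):
    """Flag helpdesk MFA resets that are followed, within `window`, by a new
    MFA device enrollment and then a login from an IP the user had never
    used before the reset. Returns one alert dict per matching chain."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, reset in enumerate(events):
        if reset["type"] != "helpdesk_mfa_reset":
            continue
        t0 = datetime.fromisoformat(reset["ts"])
        # IPs seen for this user strictly before the reset form the baseline.
        known_ips = {e["ip"] for e in events[:i] if e["user"] == reset["user"] and "ip" in e}
        enrolled = None
        for later in events[i + 1:]:
            if datetime.fromisoformat(later["ts"]) - t0 > window:
                break  # sorted by time, so nothing further can be inside the window
            if later["user"] != reset["user"]:
                continue
            if later["type"] == "mfa_device_enrolled":
                enrolled = later
            elif later["type"] == "login" and enrolled and later["ip"] not in known_ips:
                alerts.append({"user": reset["user"], "agent": reset.get("agent"),
                               "reset_ts": reset["ts"], "enroll_ip": enrolled.get("ip"),
                               "login_ip": later["ip"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(EVENTS):
        print(alert)
```

Bob's chain is not flagged because the enrollment falls outside the one-hour window and comes from an address already in his history; tune the window and baseline to your own reset volume.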
Attackers often use sophisticated social engineering techniques, but on the whole these attacks aren’t particularly complicated. A bad actor simply researches a victim, contacts your support team, and impersonates that person to steal their account. The problem is that helpdesk agents can't tell these attacks apart from real requests from legitimate users.
"UNC3944 operators employed consistent social engineering tactics across various victims, often calling service desks to claim they were receiving a new phone, warranting a multi-factor authentication (MFA) reset. By interacting with service desk administrators, UNC3944 could not only reset passwords for privileged accounts but also bypass associated MFA protections."
Social engineering attacks are particularly dangerous because they target the weakest link in any security chain: humans. Even if you have strong security measures in place, such as phishing-resistant MFA, social engineering attacks can still be successful because they effectively bypass those measures.
Real-World Examples of Helpdesk Social Engineering Attacks
A striking example of helpdesk social engineering is the ransomware attack that took down MGM Resorts in August 2023. A Scattered Spider threat actor, impersonating an MGM employee, convinced helpdesk staff to reset the victim's multi-factor authentication (MFA). With this access, the attacker was able to deploy system-encrypting ransomware, ultimately costing the entertainment giant over $100 million.
More recently, British retail giants Marks & Spencer and Co-op Group were both breached in attacks that began at an IT helpdesk, according to Reuters. The BBC reports that the attack will cost over $400 million. According to BleepingComputer, the attack on M&S is believed to be the work of Scattered Spider. This shows that, a year and a half after the MGM incident, helpdesk social engineering attacks are still effective.
The Role of Deepfakes in Social Engineering
The advent of generative AI and deepfakes has escalated the sophistication of social engineering attacks. Deepfakes (hyper-realistic, AI-generated audio, images, or video) make it far easier to impersonate a victim convincingly. These tools significantly enhance the effectiveness of social engineering by making it much harder to distinguish bad actors from legitimate users.
How to Prevent Helpdesk Social Engineering
Preventing helpdesk social engineering requires a multifaceted approach:
- Education: Train employees to recognize social engineering tactics and understand the importance of following protocols without exception.
- Procedures: Implement strict verification procedures for helpdesk interactions, deprecating one-time passcodes and security questions.
- Technology: Employ advanced identity verification technologies that leverage AI and cryptography to prevent the use of deepfakes.
- Response: Develop and maintain a comprehensive incident response plan to quickly address any breaches or attempted social engineering attacks.
How to Prevent Social Engineering Attacks with Nametag
Nametag offers an easy-to-deploy solution for secure helpdesk verification. Through our agent console, helpdesk staff can quickly and securely verify employees and customers when they call for password and MFA resets, access grants, account changes, and other tickets which require identity verification (IDV). Nametag verification is far more secure and versatile than traditional methods like security questions, one-time passcodes, and push notifications.
For a helpdesk agent, verifying someone with Nametag is as simple as 1, 2, 3:
- Send the user a Nametag link
- Wait for them to verify themselves
- Review the results, proceed with confidence
First-time users verify themselves in under 30 seconds using only their smartphone and their photo ID. Returning users can re-verify in seconds using just a selfie. Behind the scenes, our Deepfake Defense™ identity verification combines Cryptographic Attestation, Adaptive Document Verification, Spatial Selfie and other technologies to prevent injection attacks and deepfakes.
Conclusion
Social engineering attacks are a critical threat that have already taken down major organizations. With the rise of generative AI and deepfakes, the need for robust security solutions is more critical than ever. Investing in such technologies, combined with rigorous training and strict protocols, can significantly reduce the risk of social engineering attacks and enhance overall cybersecurity resilience. Nametag provides a comprehensive, easy-to-implement defense against social engineering attacks, streamlining your helpdesk operations and protecting your customers, employees, and company.