Features 30.09.2025

Gone Vishing: How to Tackle a Rise in Helpdesk Attacks

Scattered Spider is raising the stakes for IT and security teams

Kate O’Flaherty examines how CISOs can mitigate an increasingly popular avenue for initial access

In 2023, the IT helpdesk at US hospitality multinational MGM Resorts received a phone call from someone they thought was an employee. Just 10 minutes later, hackers believed to be part of notorious ransomware outfit Scattered Spider had convinced the helpdesk to provide access to accounts.

It led to a security breach with catastrophic consequences, impacting digital key systems in hotels and causing the shutdown of slot machines on the Las Vegas strip. MGM Resorts later stated that the incident had cost it at least $100m.

In the same year, hackers convinced Cognizant staff working on the helpdesk of a major client to reset user credentials and multi-factor authentication (MFA) without adequate verification. That client, bleach maker Clorox, has now sued the outsourcing provider for $380m. The lawsuit alleges that Cognizant was “not duped by any elaborate ploy or sophisticated hacking techniques”. Instead, attackers simply “called the Cognizant service desk, asked for credentials to access Clorox’s network, and Cognizant handed [the details] right over.”

This year, retail breaches impacting M&S, the Co-op and Harrods were also a result of Scattered Spider’s IT helpdesk scams. Soon afterwards, the UK National Cyber Security Centre (NCSC) issued a warning, outlining a list of measures to help prevent this type of attack.

A natural target

Helpdesks are natural targets for vishing attacks. After all, it’s their job to be helpful, especially in urgent and high-priority scenarios. “They often have access to sensitive information about individual users and the key infrastructure within the target environment,” Andy Swift, cybersecurity assurance technical director at Six Degrees, tells Assured Intelligence.

The helpdesk also controls access to “numerous internal and external systems”, as well as credential and other authentication mechanisms, he points out.

Helpdesk attacks are a key tactic of Scattered Spider, with a recent report by ReliaQuest finding 81% of the gang’s domains impersonate technology vendors to target high-value credentials such as those belonging to system administrators and executives. The group primarily leverages phishing frameworks, such as Evilginx, and social engineering methods, including vishing, to gain initial access into organisations, the report claims.

What to look out for

Common tactics include adversaries impersonating employees, claiming to be locked out and requesting password resets or MFA bypasses. Other scams see criminals impersonating IT. Attackers will persuade staff to “resolve issues” and direct them to phishing sites or convince them to install remote access tools, Bruce Jenkins, CISO at Black Duck, tells Assured Intelligence.

“Design social engineering attacks against your own helpdesk to build up knowledge on what modern vishing looks like” Andy Swift

Initial access typically comes through phishing emails that appear to be legitimate IT alerts, such as password expiry warnings or MFA resets, says Andy Green, partner at Avella Security.

Social engineering is then used to convince the target to call a fake helpdesk number. “Once on the call, human operators – often based in outsourced call centres – pose as IT support, guiding the victim through installing remote management tools such as AnyDesk or ScreenConnect,” Green tells Assured Intelligence.

An increasingly common technique involves email-borne attacks featuring the Cryxos malware. “Once downloaded, Cryxos triggers persistent pop-ups claiming your device has a fault and urges you to call a fake IT support number,” Carl Wearn, head of analysis and future ops at Mimecast, tells Assured Intelligence.

Other campaigns blend tactics, using spoofed caller IDs or targeting actual helpdesk staff to shortcut access controls. “This was the case in recent breaches affecting UK-based companies,” Avella Security’s Green explains.

Using “urgency and authority” is a common tactic, Black Duck’s Jenkins warns. “Attackers may leverage psychological pressure to override verification protocols, posing as an executive with an emergency request.”

AI supercharges attacks

As helpdesk-related attacks surge, the role of AI is becoming a major concern. Deepfake tools can mimic real people with “unsettling accuracy”, allowing attackers to impersonate colleagues or senior staff during live calls, Steve Sandford, partner, digital forensics and incident response at CyXcel, tells Assured Intelligence. “Platforms like Xanthorox AI now automate voice cloning, and when integrated with everyday tools such as Microsoft Teams, these scams blend seamlessly into normal workflows.”

On the back end, AI-driven scripting and automation may help attackers manage multiple social engineering interactions simultaneously, scaling up campaigns with minimal human involvement. For example, chatbots trained on helpdesk scripts could convincingly engage victims in real time before escalating them to a human operator for the critical access step, Avella Security’s Green says.

As defences improve, attackers may also use AI for defensive evasion, modifying behaviour in real time to avoid triggering detection tools, or dynamically selecting the most effective pretexts based on user responses.

What CISOs can do

Currently, helpdesks are often seen as an easy target, so introducing protocols to increase resilience is a good first step. Verification policies are the first area to review, according to Six Degrees’ Swift. “There should be a robust caller verification process that avoids the use of publicly available data – even if it appears that a call is internal to a company,” he argues.

“Ensure third-party help desk providers follow strict authentication protocols” Bruce Jenkins

Firms can also use unique, employee-specific questions or passcodes to help identify genuine individuals. For more sensitive actions, three-way verification makes sense, Swift advises. That could mean a video call with a line manager to ensure visual and verbal confirmation.

CyXcel’s Sandford agrees, advising that helpdesks require video calls with ID verification, cross-referencing against stored employee photos to counter deepfakes. For high-risk requests, he thinks firms should consider mandating in-person verification at the help desk to reduce the risk of remote exploitation.

CISOs can also tap into training programmes for helpdesk staff and ensure that these contain the latest details on the threat landscape. “It’s important that training is engaging, with real-life scenarios and designing social engineering attacks against your own helpdesk to build up knowledge on what modern vishing looks like,” Six Degrees’ Swift advises.

It’s also a good idea to boost monitoring and detection, says CyXcel’s Sandford. As part of this, keep a close eye on account activity, flag risky logins in Microsoft Entra ID, and monitor for unusual VPN access from residential IP addresses, he advises. Technical defences can help too. “Use advanced call screening to detect spoofed numbers and deepfake audio and ensure endpoint protection is logging and alerting on unauthorised remote access attempts,” Sandford says.
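The two controls described above, a verification policy that does not rely on publicly available data and monitoring that links helpdesk resets to unusual sign-ins, can be checked together against exported logs. The script below is an added example, not code from the article or from any of the vendors quoted: it reads a constructed helpdesk ticket export and a constructed sign-in export, flags resets that were performed with a weaker verification method than the assumed policy requires for that request type, and flags sign-ins from outside the organisation's own address ranges shortly after a reset. The verification tiers, the corporate IP ranges and every log line are assumptions made for the example; a real deployment would feed it ticketing and identity-provider sign-in data.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy (constructed for this example, not a standard): verification
# methods ranked by strength, and the minimum rank a helpdesk operator must
# reach before acting on each request type.
VERIFICATION_RANK = {
    "public_data": 0,        # date of birth, employee number etc.: attacker-obtainable
    "employee_passcode": 1,  # pre-shared, user-specific passcode
    "manager_callback": 2,   # call the line manager back on a known number
    "video_id_check": 3,     # video call, ID matched against the stored photo
    "in_person": 4,
}
REQUIRED_RANK = {
    "password_reset": 1,
    "mfa_reset": 3,
    "admin_password_reset": 3,
}

# Constructed: address ranges the organisation treats as corporate egress.
CORPORATE_NETS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]

# Constructed helpdesk ticket export.
TICKETS_CSV = """ticket,time,user,request,verification
T1,2025-09-01T09:00:00,alice,password_reset,employee_passcode
T2,2025-09-01T09:05:00,bob,mfa_reset,public_data
T3,2025-09-01T10:00:00,carol,mfa_reset,video_id_check
T4,2025-09-01T11:00:00,dave,admin_password_reset,manager_callback
"""

# Constructed sign-in export (successful sign-ins only, for brevity).
SIGNINS_CSV = """time,user,ip
2025-09-01T09:10:00,alice,203.0.113.7
2025-09-01T09:40:00,bob,192.0.2.44
2025-09-01T10:30:00,carol,203.0.113.9
2025-09-01T11:20:00,dave,192.0.2.80
2025-09-02T08:00:00,bob,203.0.113.5
"""


def parse_csv(text):
    """Parse a CSV export into dicts, converting the time column to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def under_verified(tickets):
    """Tickets whose recorded verification is weaker than policy requires."""
    findings = {}
    for t in tickets:
        have = VERIFICATION_RANK.get(t["verification"], 0)
        need = REQUIRED_RANK.get(t["request"], 0)
        if have < need:
            findings[t["ticket"]] = (
                f"{t['request']} verified with {t['verification']} "
                f"(rank {have}); policy requires rank {need}"
            )
    return findings


def is_corporate(ip):
    """True if the address falls inside a known corporate egress range."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def suspicious_followups(tickets, signins, window=timedelta(hours=2)):
    """Sign-ins from outside corporate ranges shortly after a reset ticket."""
    findings = {}
    for t in tickets:
        for s in signins:
            if s["user"] != t["user"] or is_corporate(s["ip"]):
                continue
            delta = s["time"] - t["time"]
            if timedelta(0) <= delta <= window:
                findings.setdefault(t["ticket"], []).append(
                    f"{t['user']} signed in from non-corporate {s['ip']} "
                    f"{int(delta.total_seconds() // 60)} min after {t['request']}"
                )
    return findings


def triage(tickets_csv=TICKETS_CSV, signins_csv=SIGNINS_CSV):
    """Merge both checks into one per-ticket list of reasons to review."""
    tickets = parse_csv(tickets_csv)
    signins = parse_csv(signins_csv)
    report = {}
    for ticket, reason in under_verified(tickets).items():
        report.setdefault(ticket, []).append(reason)
    for ticket, reasons in suspicious_followups(tickets, signins).items():
        report.setdefault(ticket, []).extend(reasons)
    return report


if __name__ == "__main__":
    for ticket, reasons in sorted(triage().items()):
        print(ticket)
        for r in reasons:
            print("  -", r)
```

On the constructed data, tickets T2 and T4 are the ones a reviewer would pull: both were approved on a verification method below the tier their request demands, and both users then signed in from an address outside the corporate ranges within the two-hour window. The point of joining the two sources is that either signal alone is noisy, while a weakly verified reset followed by an off-network sign-in is exactly the sequence the MGM and Clorox incidents describe.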

At the same time, run regular audits on cloud platforms such as Salesforce and enforce least-privilege access, he suggests.

With third-party providers such as Cognizant also being targeted as a route into larger organisations, mitigating the helpdesk threat requires managing vendor risk, says Black Duck’s Jenkins. “Ensure third-party helpdesk providers follow strict authentication protocols, include security clauses in contracts, and conduct regular audits,” he concludes.

Helpdesk Scams: The CISO’s Five-point Checklist

  1. Harden technical defences, for example, by using call screening that can detect deepfake audio and video.
  2. Focus on training: Helpdesk staff must be aware of the threat they face.
  3. Introduce stringent protocols, including double-checking any requests on video or even mandating face-to-face.
  4. Boost monitoring and detection, keeping a close eye on account activity.
  5. Utilise Zero Trust models to restrict access to key systems.
