Stopping Scattered Spider: 5 steps to secure your front line

Written by:

Sarah Kinbar, Strategic Content Writer

Imagine this: the phone rings at a corporate help desk. On the line is someone claiming to be a high-level director—urgent, impatient, and clearly annoyed. "I don’t have time for this. Who am I even speaking to? You’re costing us business."

The help desk agent, caught off guard, scrambles to verify the caller’s identity. They ask for an employee ID or suggest calling back on a known internal number. But the voice on the other end snaps back, brushing off every attempt with mounting pressure and authority.

In a company with thousands of employees, it's entirely possible the help desk worker doesn't personally know every director. And under that kind of heat—confronted with status, urgency, and the fear of slowing down a so-called executive—many employees cave. They reset the password. They make the requested changes. They fall for the scam.

This tactic, a classic example of social engineering, works not because the impersonator is especially clever, but because they know how to manipulate people under pressure. It’s a powerful reminder: without firm protocols and thorough training, even the best employees can be tricked. And in cybersecurity, that single slip can open the door to serious damage.

Understanding the threat: Social engineering and initial access

Threat actors such as the Scattered Spider collective rely heavily on advanced social engineering techniques to gain initial access to organizations. A common tactic is impersonating high-level employees or contractors to deceive IT help desks. Their goal is often to harvest the credentials of high-value users, including system administrators, CFOs, COOs, and CISOs.

These actors are known to attempt to bypass multi-factor authentication (MFA), for example by convincing help desk staff to add unauthorized MFA devices to compromised accounts, or by other methods such as SIM swapping and push bombing. Once inside, they may steal sensitive data for extortion and deploy ransomware.

After gaining access, threat actors will look to establish persistence.

It is crucial to understand that while everyone should have MFA enabled (and preferably not SMS-based MFA), some organizations still lack it. Furthermore, a solid security stack is essential to detect anomalies, such as impossible travel, where a user account logs in from two geographically distant locations (e.g., Orlando and Frankfurt) within an impossible timeframe, or other forms of irregular IP activity.

Actionable steps to enhance your security

To harden your defenses against these types of attacks, here are critical steps to take:

  • Verify your perimeter and basic security hygiene. Ensure your foundational security practices are robust and consistently maintained.
  • Strengthen help desk protocols and training. Your help desk personnel must be trained to always verify identity before making any changes to user accounts or resetting passwords. They should be prepared to push back against demands from individuals, even if they are high-ranking. Establish solid standard operating procedures (SOPs) for your help desk to ensure consistent and secure handling of requests.
  • Actively monitor for irregular activities and anomalies. Your security stack should be capable of detecting unusual patterns, such as the addition of new MFA methods to existing accounts, impossible travel patterns, and irregular IP activity.
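The two detections named above (and in the impossible-travel discussion earlier in the post) are simple enough to show end to end. The following is an added example, not code from the original post or from ThreatLocker: it computes the great-circle distance between consecutive sign-ins of the same account and flags any pair that would have required an implausible travel speed, then reviews MFA factor additions, flagging those made by someone other than the account owner (such as a help desk agent) or made on an account that already has an impossible-travel alert. The user names, coordinates, timestamps and the 1000 km/h speed ceiling are all constructed for illustration.

```python
"""Added example (not from the original post or from ThreatLocker): detect
impossible travel and suspicious MFA enrolments over constructed sample events.
Every user name, coordinate, timestamp and threshold here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed ceiling on plausible travel speed (km/h): airliner speed plus slack.
MAX_SPEED_KMH = 1000.0


@dataclass
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


@dataclass
class MfaEnrollEvent:
    user: str
    ts: datetime
    factor: str
    actor: str  # who performed the enrolment: the owner or a help desk agent


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return one (user, from_city, to_city, speed_kmh) tuple per consecutive
    login pair of the same user that would have needed more than max_speed_kmh.
    Logins are examined in timestamp order, per user."""
    by_user = {}
    for e in sorted(logins, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant logins at the same instant count as infinite speed.
            speed = float("inf") if hours == 0 else dist / hours
            if dist > 0 and speed > max_speed_kmh:
                alerts.append((user, prev.city, cur.city, speed))
    return alerts


def review_mfa_enrollments(enrollments, travel_alerts):
    """Return (user, factor, reasons) for every MFA addition that needs review:
    performed by someone other than the account owner, or made on an account
    that already carries an impossible-travel alert."""
    flagged = {a[0] for a in travel_alerts}
    findings = []
    for e in enrollments:
        reasons = []
        if e.actor != e.user:
            reasons.append(f"factor added by {e.actor}, not the account owner")
        if e.user in flagged:
            reasons.append("account has an impossible-travel alert")
        if reasons:
            findings.append((e.user, e.factor, reasons))
    return findings


# Constructed sample telemetry: the post's Orlando/Frankfurt scenario for one
# account, and an ordinary Orlando-to-Miami drive for another.
T0 = datetime(2025, 6, 1, 9, 0)
SAMPLE_LOGINS = [
    LoginEvent("cfo", T0, 28.54, -81.38, "Orlando"),
    LoginEvent("cfo", T0 + timedelta(hours=1), 50.11, 8.68, "Frankfurt"),
    LoginEvent("analyst", T0, 28.54, -81.38, "Orlando"),
    LoginEvent("analyst", T0 + timedelta(hours=4), 25.76, -80.19, "Miami"),
]
SAMPLE_ENROLLMENTS = [
    # a help desk agent adds a new authenticator to the CFO account
    MfaEnrollEvent("cfo", T0 + timedelta(hours=2), "authenticator-app", "helpdesk.agent"),
    # the analyst enrols their own hardware key through self-service
    MfaEnrollEvent("analyst", T0 + timedelta(hours=5), "fido2-key", "analyst"),
]

if __name__ == "__main__":
    travel = impossible_travel(SAMPLE_LOGINS)
    for user, a, b, speed in travel:
        print(f"impossible travel: {user} {a} -> {b} (~{speed:.0f} km/h)")
    for user, factor, reasons in review_mfa_enrollments(SAMPLE_ENROLLMENTS, travel):
        print(f"review MFA enrolment on {user} ({factor}): " + "; ".join(reasons))
```

Run as-is, the script flags only the CFO account: Orlando to Frankfurt in one hour works out to several thousand km/h, and the authenticator added by the help desk two hours later is reported with both reasons, while the analyst's Orlando-to-Miami commute and self-service key enrolment stay quiet. In production the login events would come from the identity provider's sign-in log and the enrolment events from its MFA audit trail; the speed ceiling and the "actor is not the owner" rule are the parts worth tuning to your own help desk SOP.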

Keep learning how to secure your network. Watch episodes of the ThreatLocker webinar series 100 days to secure your environment.

Request your 30-day trial to the entire ThreatLocker platform today.