Infosecurity Europe
2-4 June 2026
ExCeL London

How to Defend Against IT Helpdesk Social Engineering Attacks

Attacks on big name brands across sectors including aviation, retail and insurance have hit the headlines in recent months.

Many of these incidents share commonalities in the tactics used by threat actors – in particular, the impersonation of third-party IT providers using voice phishing (vishing) for initial access. These third parties include single sign-on services, identity providers and IT support systems.

These fake calls are directed at IT helpdesks and aim to harvest the credentials of high-value users in target organisations, such as system administrators, CFOs, COOs and CISOs.

The attackers also attempt to bypass multi-factor authentication (MFA) measures by convincing helpdesk services to add unauthorised MFA devices to compromised accounts.

This access provides attackers with the means to conduct significant post-compromise activity, from data theft to ransomware deployment, without being detected.

Helpdesk Exploitation Puts Major Brands at Risk

Cybercriminal groups Scattered Spider and ShinyHunters have been linked to numerous attacks which leverage helpdesk exploitation as the initial compromise.

Both groups are believed to be affiliated to The Com, a loosely organised online criminal network involving thousands of English-speaking individuals.

Reported victims of Scattered Spider include the UK retailers Marks & Spencer (M&S), the Co-op and Harrods. Attacks linked to ShinyHunters, in which victims are typically targeted with vishing for logins to their Salesforce accounts, include retailers Chanel, Pandora and Adidas, and the Australian airline Qantas.

During an interview at Infosecurity Europe 2025, Will Thomas, senior threat intelligence advisor at Team Cymru, explained that the tactics observed by Scattered Spider are highly effective because no malware or other tooling is used for initial access, putting the activity outside the visibility of endpoint detection and response (EDR) systems.

“They get valid credentials, log in as a privileged user and then pivot and target a system that’s unprotected by EDR, launching ransomware, encrypting hundreds of thousands of virtual machines on ESXi hypervisors,” he explained.

Given the significant successes of the helpdesk vishing technique, it is likely that Scattered Spider, ShinyHunters and other groups will continue expanding these operations.

How to Protect Against IT Helpdesk Vishing Scams

It is vital that organisations across all sectors are aware of this pervasive threat and establish additional security controls to mitigate it. Here are three strategies to help secure your organisation.

Review Helpdesk Authentication Protocols

Guidance from the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) has urged organisations to review their IT helpdesk password reset processes.

Companies should review how the helpdesk authenticates staff members' identities before resetting their passwords, especially for accounts with escalated privileges.

Given the availability of deepfake tools that can accurately impersonate voices, Thomas advised companies to introduce policies where individuals requesting a credential reset must go on camera and show their ID – with the helpdesk holding a picture of that employee to verify them in person.

An even more stringent approach would be to require individuals to go in person to the helpdesk to verify their identity before a credential reset is granted.

Monitor for Account Misuse

Organisations should continuously monitor for potential account misuse resulting from compromised credentials. For example, the NCSC noted that firms should check for risky logins within Microsoft Entra ID Protection, where sign-in attempts have been flagged as potentially compromised due to suspicious activity or unusual behaviour.

“Pay specific attention to Domain Admin, Enterprise Admin, Cloud Admin accounts, and check if access is legitimate,” the NCSC warned.

Security teams should also focus on identifying logins from atypical sources such as VPN services in residential ranges through techniques like source enrichment.

In its June advisory on the tactics used by ShinyHunters, Google advised implementing IP address restrictions to mitigate threat actors’ use of commercial VPNs.

The tech giant recommended setting login ranges and trusted IPs, thereby restricting access to defined enterprise and VPN networks.
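The monitoring advice above (scrutinise privileged accounts, enrich sign-in sources to spot commercial VPN and residential-proxy ranges, and treat anything outside defined trusted ranges as suspect) can be combined with the MFA-device point made earlier in the article into one detection. The following is an added example written for this page, not code from the article, the NCSC, Google or Team Cymru. It correlates three constructed identity-log events for the same user inside a two-hour window: a password reset performed by someone other than the user (a helpdesk agent), a new MFA method being registered, and a sign-in from an address outside the trusted ranges. The IP ranges, group names, usernames and events are all constructed for the demo; a real deployment would load the enrichment ranges from its own feed and the events from Entra ID Protection or an equivalent source.

```python
"""Correlate helpdesk-driven account takeover signals across identity logs.

Added example for this article; not vendor or agency code. Every IP range,
group name, username and event below is constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed: egress ranges that legitimately reach the tenant (the
# "login ranges and trusted IPs" idea from the Google advisory).
TRUSTED_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]

# Constructed: ranges an enrichment feed tags as commercial VPN exits or
# residential proxies (the "source enrichment" idea from the NCSC guidance).
VPN_OR_RESIDENTIAL_PROXY = [ip_network("192.0.2.0/24")]

# Constructed: the account groups the NCSC singles out for extra scrutiny,
# plus a toy directory mapping users to their groups.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Cloud Admins"}
USER_GROUPS = {"j.admin": {"Domain Admins"}, "a.user": set(), "c.user": {"Finance"}}

# Assumed detection window: reset -> MFA enrolment -> sign-in within two hours.
WINDOW = timedelta(hours=2)


@dataclass
class Event:
    ts: datetime
    user: str            # account the event concerns
    kind: str            # "password_reset", "mfa_method_added" or "sign_in"
    actor: str           # who performed it: a helpdesk agent or the user
    src_ip: Optional[str] = None


def classify_ip(ip: str) -> str:
    """Enrich a source address against the trusted and VPN/proxy range lists."""
    addr = ip_address(ip)
    if any(addr in net for net in TRUSTED_RANGES):
        return "trusted"
    if any(addr in net for net in VPN_OR_RESIDENTIAL_PROXY):
        return "vpn_or_residential_proxy"
    return "unknown"


def is_privileged(user: str) -> bool:
    return bool(USER_GROUPS.get(user, set()) & PRIVILEGED_GROUPS)


def find_takeover_chains(events: List[Event]) -> List[dict]:
    """Alert when a reset done on a user's behalf is followed, within WINDOW,
    by a new MFA method and a sign-in from outside the trusted ranges."""
    alerts = []
    by_user: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for reset in evs:
            if reset.kind != "password_reset" or reset.actor == user:
                continue  # self-service resets are outside this pattern
            later = [e for e in evs if reset.ts <= e.ts <= reset.ts + WINDOW]
            mfa_added = [e for e in later if e.kind == "mfa_method_added"]
            untrusted = [e for e in later if e.kind == "sign_in" and e.src_ip
                         and classify_ip(e.src_ip) != "trusted"]
            if mfa_added and untrusted:
                alerts.append({
                    "user": user,
                    "severity": "critical" if is_privileged(user) else "high",
                    "reset_by": reset.actor,
                    "mfa_added_at": mfa_added[0].ts.isoformat(),
                    "sign_in_ip": untrusted[0].src_ip,
                    "ip_class": classify_ip(untrusted[0].src_ip),
                })
    return alerts


# Constructed sample log: one privileged takeover chain, one non-privileged
# chain, one benign helpdesk reset and one self-service reset.
T = datetime(2025, 9, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T, "j.admin", "password_reset", "helpdesk.agent7"),
    Event(T + timedelta(minutes=12), "j.admin", "mfa_method_added", "helpdesk.agent7"),
    Event(T + timedelta(minutes=20), "j.admin", "sign_in", "j.admin", "192.0.2.45"),
    Event(T + timedelta(hours=1), "a.user", "password_reset", "helpdesk.agent2"),
    Event(T + timedelta(hours=1, minutes=5), "a.user", "sign_in", "a.user", "203.0.113.10"),
    Event(T + timedelta(hours=2), "c.user", "password_reset", "helpdesk.agent2"),
    Event(T + timedelta(hours=2, minutes=30), "c.user", "mfa_method_added", "helpdesk.agent2"),
    Event(T + timedelta(hours=3), "c.user", "sign_in", "c.user", "198.18.0.5"),
    Event(T + timedelta(hours=4), "b.user", "password_reset", "b.user"),
    Event(T + timedelta(hours=4, minutes=1), "b.user", "mfa_method_added", "b.user"),
    Event(T + timedelta(hours=4, minutes=2), "b.user", "sign_in", "b.user", "192.0.2.9"),
]

if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample log, the detection raises a critical alert for j.admin (Domain Admins member, sign-in from the VPN/residential-proxy range) and a high alert for c.user (non-privileged, sign-in from an unclassified address), while the benign helpdesk reset for a.user and the self-service reset for b.user produce nothing. The severity split is the point of the NCSC's instruction to pay specific attention to Domain, Enterprise and Cloud Admin accounts: the same chain of events on a privileged account warrants an immediate response rather than a queue ticket.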

Pre-Emptively Block Common Tools Deployed by Attackers

Threat actors often use legitimate tools such as remote monitoring and management (RMM) software to access networks, and web services such as Mega Sync for data exfiltration.

The use of these legitimate tools helps attackers avoid detection, facilitate lateral movement and exfiltrate data once inside a network.

Thomas advised organisations to review their internal use of such services. “If they’re not being used, pre-emptively block them,” he said.

Conclusion

It is vital that organisations look beyond the headlines of some of the most high-profile cyber-attacks of 2025 and understand the highly effective tactics deployed by actors like Scattered Spider and ShinyHunters that have been linked to some of these data breaches.

The threat actors’ approach of impersonating third-party IT firms and using voice phishing to acquire the credentials of high-value users has proven difficult to prevent, and firms must update their approaches accordingly.

Helpdesks facilitating password reset requests are particularly vulnerable to this type of social engineering attack.

More stringent and potentially burdensome authentication methods may need to be deployed to keep up with ever-evolving attack techniques.
