BusinessCybersecurityNewswireTechnology

How social engineering keeps breaching the service desk

Originally published on: June 25, 2026
▼ Summary

– Service desk social engineering attacks, such as those by Scattered Spider against UK retailers in 2025, remain highly effective for gaining corporate access.
– Attackers target service desks because they provide a human vulnerability, direct access to credential resets, and a way to bypass technical defenses quickly and stealthily.
– An attack typically involves reconnaissance on employees, impersonation via phone or chat, tricking agents into resetting credentials or MFA, then lateral movement and data theft or ransomware deployment.
– Defenses include strict identity verification, MFA that cannot be easily reset, staff training on social engineering, and monitoring for unusual service desk activity.
– Solutions like Specops Secure Service Desk mitigate risk by requiring callers to verify their identity through MFA or challenge questions before any account changes are made.

Social engineering attacks targeting corporate service desks continue to prove alarmingly effective, even as awareness and security measures improve. The 2025 breaches at UK retailers Marks & Spencer, Co-op, and Harrods, orchestrated by the hacking group Scattered Spider, underscored just how vulnerable these frontline support teams remain. These incidents are not anomalies but part of a persistent pattern.

At M&S, Chairman Archie Norman confirmed that attackers impersonated a legitimate employee and successfully convinced a third-party service desk agent to reset credentials, granting entry into internal systems. Shortly after, Carnival Corporation disclosed a similar breach where an attacker used social engineering to trick an employee into granting limited IT access. Around the same timeframe, the FBI issued warnings about Silent Ransom Group, whose members posed as IT support staff and persuaded employees to join remote access sessions using standard administrative tools.

Despite stronger regulations, heightened awareness, and several high-profile arrests, this attack vector remains popular. The reason is straightforward: compromising a service desk is often easier than breaking the technology it protects. Understanding the mechanics of these attacks is the first step toward building effective defenses.

Why attackers target service desks

Groups like Scattered Spider see service desks as a high-leverage, low-resistance entry point. Several factors make them attractive:

  • Human vulnerability: Help desk staff are trained to be helpful, which can make them susceptible to impersonation, especially when attackers sound fluent, urgent, and knowledgeable.In essence, this is the most efficient way for hackers to escalate privileges and blend in as an insider.How a typical service desk attack unfolds1. Reconnaissance and setup: Attackers identify large companies with decentralized or outsourced IT support, such as retailers, casinos, or airlines. They gather information from LinkedIn, company org charts, or data leaks to learn employee names, roles, and ticketing systems like ServiceNow. They set up VoIP services to mimic internal phone numbers and may use SIM-swapped phones or email spoofing.2. Impersonation and social engineering: The attacker calls or chats the service desk, pretending to be a real employee or contractor in urgent need. Common pretexts include being locked out before a critical meeting, losing a phone and needing MFA reset, or claiming an incident requires admin credentials. The tone is friendly, rushed, or slightly stressed to pressure the agent. Attackers use internal slang, reference past interactions, and even mention local events to build rapport.3. Credential reset and MFA bypass: The goal is to trick the help desk into resetting a password, removing or re-registering MFA, or creating a new privileged account. Tactics include spoofing caller ID, using breached HR data to pass verification, calling back as someone else, or escalating to a manager. SIM-swapped phones intercept MFA codes.4. Access and lateral movement: Once logged in as the impersonated employee, attackers elevate privileges via group policy misconfigurations, ticketing systems, or internal tools like Okta, Citrix, or Azure AD. They deploy malware, exfiltrate data, and set up persistence through backdoors or rogue accounts.5. Ransomware or data theft: Depending on the target, attackers deploy ransomware via affiliates like DragonForce, as in the M&S attack, or exfiltrate sensitive data for extortion, as seen in the Caesars and MGM breaches.How to defend against service desk attacksOrganizations can take several key steps to protect against these social engineering tactics:
  • Require strict identity verification for all password resets, including out-of-band confirmation through a known second contact method.Protecting against social engineering with Specops Secure Service DeskSpecops Secure Service Desk helps mitigate these attacks by adding identity verification to password reset and account unlock requests. Callers are verified using MFA, directory attributes, or custom challenge questions before any action is taken. Even if an attacker knows an employee’s name, role, or internal terminology, they still need to prove their identity. The solution also provides audit trails and granular controls over account recovery actions, reducing the risk of impersonation and unauthorized access.Protect your front line. See how Specops Secure Service Desk can harden your help desk against attacks like Scattered Spider’s.Sponsored and written by Specops Software.
(Source: BleepingComputer)

Topics

service desk attacks 98% scattered spider 92% credential theft 90% mfa bypass 87% impersonation tactics 85% human vulnerability 83% attack reconnaissance 81% ransomware deployment 79% identity verification 77% help desk training 75%