Help desk vishing is a social engineering technique in which an attacker contacts an organization's IT help desk or service desk while impersonating a legitimate employee over the phone. The goal is to manipulate the help desk agent into resetting a password, disabling multi-factor authentication, or granting access to systems - effectively bypassing all technical security controls through a single voice call..
What is Help Desk Vishing?
Help desk vishing is a social engineering technique in which an attacker contacts an organization's IT help desk or service desk while impersonating a legitimate employee over the phone. The goal is to manipulate the help desk agent into resetting a password, disabling multi-factor authentication, or granting access to systems - effectively bypassing all technical security controls through a single voice call.
How Help Desk Vishing Works
The attacker researches the target organization to learn employee names, email addresses, employee IDs, and organizational structure. They call the help desk, claim to be an employee who is locked out of their account, and request a credential reset. Because help desks are designed to be helpful and resolve access issues quickly, agents are often willing to reset credentials based on minimal verification - especially under pressure.
Why Help Desk Vishing Matters
Help desk vishing was the primary technique used by Scattered Spider to breach MGM Resorts and Caesars Entertainment in 2023 - two of the most high-profile breaches in recent history. The attackers simply called the help desk, impersonated employees, and obtained credential resets. The total cost to MGM exceeded $100 million. These attacks are devastating because they exploit a fundamental tension: help desks must be accessible and responsive, which makes them inherently vulnerable to voice-based impersonation.
How to Protect Against Help Desk Vishing
- Simulate help desk vishing attacks to test your service desk agents
- Implement identity verification protocols that go beyond basic questions
- Use callback verification - never reset credentials on an inbound call
- Train help desk agents on social engineering tactics and red flags
- Monitor for employee data that helps attackers impersonate callers
Frequently Asked Questions
Why is help desk vishing so effective?
Help desks are designed to be accessible and responsive. Agents have no visual confirmation of the caller's identity and limited ability to verify identity beyond security questions that attackers can answer using public research.
What information do attackers need to impersonate an employee?
Attackers typically need just a name, employee ID or email address, and details about the employee's role. This information is easily found on LinkedIn profiles, company websites, job postings, and through employee social media.
How can help desk teams defend against vishing?
Require callback verification using a known contact number (never the number the caller provides). Use identity verification protocols beyond basic security questions. Train agents to recognize social engineering red flags like unusual urgency or pressure.
What happened in the Scattered Spider attacks?
Scattered Spider used help desk vishing to breach MGM Resorts and Caesars Entertainment in 2023, two major casino companies. They simply called help desks, obtained credential resets, and escalated to full network compromise, costing MGM over $100 million.