Service desk social engineering remains one of the most effective ways for attackers to gain access to corporate systems. The 2025 attacks against UK retailers Marks & Spencer (M&S), Co-op, and Harrods, carried out by the hacking collective Scattered Spider, brought these tactics into the spotlight, but they are far from isolated incidents.

In the case of M&S, Chairman Archie Norman confirmed that attackers impersonated an employee and convinced a third-party service desk agent to reset credentials, providing access to internal systems.

More recently, Carnival Corporation disclosed a cybersecurity incident in which an attacker used social engineering to deceive an employee and gain access to a limited portion of the company's IT environment.

Around the same time, the FBI warned organizations about activity linked to threat actor Silent Ransom Group, whose members reportedly posed as IT support personnel and persuaded employees to join remote access sessions using legitimate administration tools.

Stronger regulation, increased awareness, and a number of high-profile arrests have done little to reduce attackers' interest in this route into corporate environments. The continued success of these attacks highlights a simple reality: compromising a service desk is often easier than compromising the technology it protects.

Understanding why attackers target service desks, and how these attacks are typically carried out, is the first step toward defending against them.

Why do attackers target service desks?

Scattered Spider and hackers with a similar modus operandi target service desks because they’re a high-leverage, low-resistance entry point into corporate networks. Here's why attackers continue to target service desks successfully:

Human vulnerability: Help desk staff are primarily trained to help, even if they’ve had some training with regard to social-engineering attacks. This can make them susceptible to impersonation attempts, especially when attackers sound fluent, urgent, and knowledgeable.

Access to credentials and resets: Service desk agents usually have the ability to reset passwords, provision accounts, or disable multi-factor authentication. This gives attackers a direct path to legitimate access.

Bypass of technical defenses: Instead of breaking through firewalls or exploiting unpatched software, social engineering lets attackers walk through the front door using trust and manipulation.

Speed and stealth: A well-crafted call or chat can yield access in minutes, often without triggering security alerts, particularly when attackers mimic internal processes or spoof internal numbers.

In short, it’s the most efficient way for hackers like Scattered Spider to escalate privileges and blend in as an insider, making help desks a soft but critical target.

How does a service desk attack play out?

1. Reconnaissance and setup

• Targets: Identify large companies with decentralized or outsourced IT support (e.g., retailers, casinos, airlines).
• Info gathering: Use LinkedIn, company org charts, or data leaks to learn employee names, roles, and ticketing systems (e.g., ServiceNow).
• Spoofing tools: Set up VoIP services to mimic internal phone numbers; sometimes use SIM-swapped phones or Slack/email spoofing.

2. Impersonation and social engineering

Approach: Call or chat the service desk pretending to be a real employee or contractor needing urgent help.

Common pretexts:

• “I’m locked out of my account before a critical meeting.”
• “My phone was lost; I need my MFA reset to access payroll/email.”
• “We’re having an incident and I need admin credentials to help resolve it.”

Tone and language:

• Friendly, rushed, or slightly stressed to pressure the support agent.
• Use internal slang or references (“Can you just go into Okta and push through a reset like you did last week for Mike in Ops?”).
• Mention topical local events (even comment on the weather!) to build rapport and reduce suspicion that the caller is a hacker.

3. Credential reset and MFA bypass

Goal: Trick the help desk into:

• Resetting the password on a real user’s account.
• Removing or re-registering multi-factor authentication (MFA).
• Creating a new account with privileged access.

Tactics:

• Spoof caller ID or use breached HR info to pass verification.
• If blocked, call again as someone else or escalate e.g., “Can I speak to your manager?”.
• Use SIM-swapped phones to intercept MFA codes or request they be sent to a new device.

4. Access and lateral movement

• Log in as the impersonated employee.
• Elevate privileges via group policy misconfigurations, ticketing systems, or internal tools (e.g., Okta, Citrix, Azure AD).
• Deploy malware, exfiltrate data, or set up persistence (backdoors, rogue accounts).

5. Ransomware or data theft

Depending on the target:

• Deploy ransomware via an affiliate like DragonForce (e.g., in the M&S attack).
• Exfiltrate sensitive data for extortion (as in the Caesars/MGM attacks).
• Maintain stealth for further campaigns (especially if targeting multiple orgs in the same sector).

How to defend against service desk attacks

Here are some key ways organizations can protect themselves against service desk-based social engineering attacks like those used by Scattered Spider:

1. Require strict identity verification for all password resets, including out-of-band confirmation (e.g., a known second contact method).
2. Enforce MFA that cannot be easily reset or transferred without in-person verification or manager approval.
3. Train service desk staff to recognize social-engineering tactics, especially urgent or emotional requests and spoofed internal numbers.
4. Monitor for unusual service desk activity, such as repeated password resets or MFA removals for high-privilege accounts.
5. Limit help desk privileges so agents cannot reset access for admin or IT users without escalation.
6. Review outsourced service desk arrangements regularly, ensuring verification procedures, escalation paths, and approval workflows are clearly documented and tested through tabletop or red team exercises.
7. Use role-based access control and log all credential changes, with alerts for high-risk users.
8. Conduct regular phishing and social engineering simulations focused specifically on phone and chat-based attacks.

Protect against social engineering with Specops Secure Service Desk

Specops Secure Service Desk can help mitigate social engineering attacks by adding identity verification to password reset and account unlock requests. Callers can be verified using MFA, directory attributes, or custom challenge questions before any action is taken.

Even if an attacker knows an employee's name, role, or internal terminology, they still need to prove their identity. The solution also provides audit trails and granular controls over account recovery actions, helping reduce the risk of impersonation and unauthorized access.

Protect your front line. See how Specops Secure Service Desk can harden your help desk against attacks like Scattered Spider’s.

Try it for free today.

Sponsored and written by Specops Software.