[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fmLP3Fk8E3X2aJ6aCAsxKHKFSUDYwDk4wWsnYAiOTHvo":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"f29c71a5-26fe-46d9-b44b-d1cc5905e9ec","Securing the service desk: Why social engineering attacks keep succeeding","securing-the-service-desk-why-social-engineering-attacks-keep-succeeding-26e1bf","Service desks have become a favored target for attackers seeking password resets, MFA changes, and access to corporate accounts. Specops Software breaks down how service desk social engineering attacks work and how organizations can defend against them. [...]","Service desks have become prime targets for attackers seeking unauthorized access to corporate systems through social engineering. Recent high-profile incidents involving Scattered Spider against UK retailers (M&S, Co-op, Harrods) and Carnival Corporation demonstrate how attackers impersonate employees or IT personnel to trick help desk staff into resetting credentials or disabling MFA. The article details reconnaissance tactics, impersonation methods, and defense strategies, noting that service desk compromise is often easier than exploiting technical vulnerabilities.","Service desk social engineering attacks remain highly effective despite regulation and arrests.","Securing the service desk: Why social engineering attacks keep succeeding Sponsored by Specops Software June 24, 2026 10:02 AM Service desk social engineering remains one of the most effective ways for attackers to gain access to corporate systems. The 2025 attacks against UK retailers Marks & Spencer (M&S), Co-op, and Harrods, carried out by the hacking collective Scattered Spider, brought these tactics into the spotlight, but they are far from isolated incidents. 
In the case of M&S, Chairman Archie Norman confirmed that attackers impersonated an employee and convinced a third-party service desk agent to reset credentials, providing access to internal systems. More recently, Carnival Corporation disclosed a cybersecurity incident in which an attacker used social engineering to deceive an employee and gain access to a limited portion of the company's IT environment. Around the same time, the FBI warned organizations about activity linked to threat actor Silent Ransom Group, whose members reportedly posed as IT support personnel and persuaded employees to join remote access sessions using legitimate administration tools. Stronger regulation, increased awareness, and a number of high-profile arrests have done little to reduce attackers' interest in this route into corporate environments. The continued success of these attacks highlights a simple reality: compromising a service desk is often easier than compromising the technology it protects. Understanding why attackers target service desks, and how these attacks are typically carried out, is the first step toward defending against them. Why do attackers target service desks? Scattered Spider and hackers with a similar modus operandi target service desks because they’re a high-leverage, low-resistance entry point into corporate networks. Here's why attackers continue to target service desks successfully: Human vulnerability: Help desk staff are primarily trained to help, even if they’ve had some training with regard to social-engineering attacks. This can make them susceptible to impersonation attempts, especially when attackers sound fluent, urgent, and knowledgeable. Access to credentials and resets: Service desk agents usually have the ability to reset passwords, provision accounts, or disable multi-factor authentication. This gives attackers a direct path to legitimate access. 
Bypass of technical defenses: Instead of breaking through firewalls or exploiting unpatched software, social engineering lets attackers walk through the front door using trust and manipulation. Speed and stealth: A well-crafted call or chat can yield access in minutes, often without triggering security alerts, particularly when attackers mimic internal processes or spoof internal numbers. In short, it’s the most efficient way for hackers like Scattered Spider to escalate privileges and blend in as an insider, making help desks a soft but critical target. How does a service desk attack play out? 1. Reconnaissance and setup Targets: Identify large companies with decentralized or outsourced IT support (e.g., retailers, casinos, airlines). Info gathering: Use LinkedIn, company org charts, or data leaks to learn employee names, roles, and ticketing systems (e.g., ServiceNow). Spoofing tools: Set up VoIP services to mimic internal phone numbers; sometimes use SIM-swapped phones or Slack\u002Femail spoofing. 2. Impersonation and social engineering Approach: Call or chat the service desk pretending to be a real employee or contractor needing urgent help. Common pretexts: “I’m locked out of my account before a critical meeting.” “My phone was lost; I need my MFA reset to access payroll\u002Femail.” “We’re having an incident and I need admin credentials to help resolve it.” Tone and language: Friendly, rushed, or slightly stressed to pressure the support agent. Use internal slang or references (“Can you just go into Okta and push through a reset like you did last week for Mike in Ops?”). 
Mention topical local events (even comment on the weather!) to build rapport and reduce suspicion that the caller is a hacker. 3. Credential reset and MFA bypass Goal: Trick the help desk into: Resetting the password on a real user’s account. Removing or re-registering multi-factor authentication (MFA). Creating a new account with privileged access. Tactics: Spoof caller ID or use breached HR info to pass verification. If blocked, call again as someone else or escalate e.g., “Can I speak to your manager?”. Use SIM-swapped phones to intercept MFA codes or request they be sent to a new device. 4. Access and lateral movement Log in as the impersonated employee. Elevate privileges via group policy misconfigurations, ticketing systems, or internal tools (e.g., Okta, Citrix, Azure AD). Deploy malware, exfiltrate data, or set up persistence (backdoors, rogue accounts). 5. Ransomware or data theft Depending on the target: Deploy ransomware via an affiliate like DragonForce (e.g., in the M&S attack). Exfiltrate sensitive data for extortion (as in the Caesars\u002FMGM attacks). Maintain stealth for further campaigns (especially if targeting multiple orgs in the same sector). How to defend against service desk attacks Here are some key ways organizations can protect themselves against service desk-based social engineering attacks like those used by Scattered Spider: Require strict identity verification for all password resets, including out-of-band confirmation (e.g., a known second contact method). Enforce MFA that cannot be easily reset or transferred without in-person verification or manager approval. Train service desk staff to recognize social-engineering tactics, especially urgent or emotional requests and spoofed internal numbers. Monitor for unusual service desk activity, such as repeated password resets or MFA removals for high-privilege accounts. Limit help desk privileges so agents cannot reset access for admin or IT users without escalation. 
Review outsourced service desk arrangements regularly, ensuring verification procedures, escalation paths, and approval workflows are clearly documented and tested through tabletop or red team exercises. Use role-based access control and log all credential changes, with alerts for high-risk users. Conduct regular phishing and social engineering simulations focused specifically on phone and chat-based attacks. Protect against social engineering with Specops Secure Service Desk Specops Secure Service Desk can help mitigate social engineering attacks by adding identity verification to password reset and account unlock requests. Callers can be verified using MFA, directory attributes, or custom challenge questions before any action is taken. Even if an attacker knows an employee's name, role, or internal terminology, they still need to prove their identity. The solution also provides audit trails and granular controls over account recovery actions, helping reduce the risk of impersonation and unauthorized access. Protect your front line. See how Specops Secure Service Desk can harden your help desk against attacks like Scattered Spider’s. Try it for free today. 
Sponsored and written by Specops Software.","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fsecuring-the-service-desk-why-social-engineering-attacks-keep-succeeding\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fposts\u002F2026\u002F06\u002F16\u002Fspecops-help-desk-header.jpg","2026-06-24T14:02:12+00:00","2026-06-24T16:00:24.618761+00:00",7,[18,21,23,26,28,31],{"name":19,"type":20},"Scattered Spider","threat_actor",{"name":22,"type":20},"Silent Ransom Group",{"name":24,"type":25},"Active Directory","technology",{"name":27,"type":25},"Multi-factor authentication (MFA)",{"name":29,"type":30},"ServiceNow","product",{"name":32,"type":33},"Specops Software","vendor","2c8f44d4-b56e-47cf-9677-04f22c9ee78d",{"id":34,"icon":36,"name":37,"slug":38},null,"Identity & Access","identity-access",[40,45,50],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"614132b8-5837-4952-b8b5-c6c9a32a1d85","Privacy","privacy",{"category":46},{"id":47,"icon":36,"name":48,"slug":49},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":51},{"id":52,"icon":36,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]