How Are Hackers Infiltrating Your IT Help Desk?

Your IT help desk is one of the easiest entry points into any company — and hackers know it. By impersonating employees with AI-cloned voices and stolen personal data, attackers are resetting passwords and walking straight through your front door. This is happening right now, at companies of every s

Quick Answer
Hackers are calling IT help desks, impersonating real employees using AI-cloned voices and scraped LinkedIn data, and tricking support staff into resetting passwords or disabling multi-factor authentication. Once they're in, the entire company network can be compromised within hours — and most organizations have zero defenses specifically designed to stop this.

The Real Case: MGM Resorts Lost $100 Million From a 10-Minute Phone Call

In September 2023, hackers affiliated with the group Scattered Spider called MGM Resorts' IT help desk. They had found an MGM employee on LinkedIn, gathered enough personal details to sound convincing, and social-engineered their way into a credential reset. The call lasted roughly 10 minutes. What followed cost MGM an estimated $100 million in losses — hotel systems went down, slot machines stopped working, and guests couldn't access their rooms for days.

This wasn't a sophisticated technical exploit. No zero-day vulnerability. No weeks of patient malware deployment. Just a phone call, a confident voice, and a help desk employee following standard procedure.

Caesars Entertainment was hit the same month, same group, same method. Caesars paid approximately $15 million in ransom quietly and didn't make headlines the way MGM did — which tells you something about how often companies pay and stay silent.

The FBI has since warned that Scattered Spider specifically targets IT help desks as a primary entry vector. They're not alone. This technique — called 'vishing' combined with social engineering — is now the fastest-growing initial access method used by ransomware gangs.

How the Attack Works: A Step-by-Step Breakdown

This attack is uncomfortably simple. Here's exactly how it unfolds:

1. **Target research (30–60 minutes).** The attacker searches LinkedIn, company websites, and data broker sites like BeenVerified or Spokeo. They find an employee's full name, job title, department, and sometimes their employee ID format.

2. **Voice preparation (optional but increasingly common).** Using tools like ElevenLabs or open-source models like Tortoise TTS, attackers clone the target employee's voice from public audio — a YouTube interview, a podcast appearance, a company webinar recording. Three seconds of clean audio is technically enough to generate a passable clone. Fifteen seconds produces something genuinely alarming.

3. **The call.** The attacker calls the help desk, not the employee's direct line. Help desk staff are trained to be helpful — that's literally the job. The attacker claims to be locked out, traveling, unable to receive their MFA code. They provide the employee's name, department, sometimes a fake employee ID.

4. **The reset.** If the help desk agent follows standard 'verify by knowledge' protocol — asking for name, department, manager's name — the attacker passes every check. Password reset granted. MFA disabled.

5. **Lateral movement begins.** With valid credentials, the attacker logs in through your VPN or Microsoft 365. From there, they hunt for admin accounts, deploy ransomware, or quietly exfiltrate data for weeks before anyone notices.

The entire process from research to access can take under two hours.

Why Help Desk Staff Fall For It Every Time

Here's the part most cybersecurity guides get wrong: they frame this as a training failure. 'Teach your employees to spot social engineering!' Great advice. Completely misses the point.

Help desk employees are structurally set up to fail. Their performance metrics reward fast resolution times. Their job is to restore access quickly so the business keeps running. When someone calls sounding stressed and says they're locked out before a board presentation, the help desk agent's entire professional instinct says: fix this fast.

Add AI voice cloning and it gets worse. A cloned voice doesn't sound robotic anymore. Modern voice synthesis produces natural breathing patterns, slight hesitations, regional accents. The help desk agent isn't hearing a distorted recording — they're hearing what sounds like a colleague they might recognize from company all-hands meetings.

One genuinely surprising reality: attackers don't need perfect impersonation. They need good enough impersonation under time pressure. Studies on social engineering success rates show that adding urgency — 'I'm about to miss my flight,' 'my client is waiting' — increases compliance by over 60%, regardless of how suspicious the request seems otherwise.

That's the trap. The attack isn't beating your technology. It's beating your company culture.

Your Defense Checklist: What Actually Works

If your company's help desk still verifies identity by asking for a name and employee ID, you are one phone call away from a breach. Here's what to implement:

**1. Require hardware MFA for all resets — no exceptions.** YubiKeys or similar FIDO2 hardware tokens cannot be socially engineered over the phone. If someone can't physically tap the key, the reset doesn't happen. Period.

**2. Ban knowledge-based verification for sensitive actions.** 'What's your manager's name?' is not security. That information is on LinkedIn. Replace knowledge checks with out-of-band verification: send a push notification to the employee's registered personal device and require confirmation before any reset proceeds.

**3. Create a call-back verification protocol.** If someone calls requesting an account reset, the help desk hangs up and calls back — using the number on file in your HR system, not the number the caller provided. This single step would have stopped the MGM attack.

**4. Flag high-risk request combinations.** Password reset + MFA disable requested in the same call should trigger an automatic escalation to a security manager, not a routine ticket. Configure your ITSM platform (ServiceNow, Jira Service Management, Freshservice) to flag these.

**5. Run quarterly vishing simulations.** Companies like KnowBe4 and Proofpoint offer social engineering simulation tools that include voice-based attacks. If you're not testing your help desk with fake vishing calls, you don't actually know how they'll perform under pressure.

**6. Implement a company-wide verbal safe word.** For internal calls involving sensitive requests, establish a rotating code word employees can use to authenticate each other. Sounds low-tech. Works.
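One way to turn items 1 through 4 into a rule the ticketing workflow can enforce, as an added example (not code from the article or from any ITSM product): a Python triage function that refuses a reset unless the agent called back the HR-registered number and collected a hardware or push factor, ignores knowledge answers, and escalates a password-reset-plus-MFA-disable combination instead of ticketing it. The HR directory, ticket records and field names are constructed for illustration.

```python
# Added example (not from the article): triage for help desk account-reset
# requests implementing the checklist above. The HR directory, ticket
# records and field names are constructed for illustration.
from dataclasses import dataclass

HIGH_RISK_COMBO = {"password_reset", "mfa_disable"}
# Factors that survive a phone call: a physical key tap or a push to the
# registered device. Knowledge answers are deliberately not in this set.
STRONG_FACTORS = {"fido2_tap", "push_confirm"}

# Constructed HR directory: employee id -> phone number on file.
HR_DIRECTORY = {"E1042": "+1-555-0100", "E2077": "+1-555-0177"}

@dataclass
class ResetRequest:
    ticket_id: str
    employee_id: str
    actions: frozenset      # e.g. {"password_reset"}
    callback_number: str    # number the agent actually dialled ("" if none)
    factors: frozenset      # verification evidence collected on the call

def triage(req: ResetRequest, hr_directory=HR_DIRECTORY) -> dict:
    """Return {"decision": "allow"|"deny"|"escalate", "reasons": [...]}."""
    reasons = []
    on_file = hr_directory.get(req.employee_id)
    if on_file is None:
        reasons.append("unknown employee id")
    elif req.callback_number != on_file:
        reasons.append("no callback to HR-registered number")
    if not (req.factors & STRONG_FACTORS):
        reasons.append("no hardware/out-of-band factor; knowledge answers ignored")
    if HIGH_RISK_COMBO <= req.actions:
        # Reset + MFA disable in one call goes to a security manager, not a ticket.
        reasons.append("password reset + MFA disable requested in one call")
        return {"decision": "escalate", "reasons": reasons}
    if reasons:
        return {"decision": "deny", "reasons": reasons}
    return {"decision": "allow", "reasons": []}

# Constructed tickets: knowledge-only, properly verified, and high-risk combo.
TICKETS = [
    ResetRequest("T1", "E1042", frozenset({"password_reset"}),
                 "", frozenset({"knows_manager_name"})),
    ResetRequest("T2", "E1042", frozenset({"password_reset"}),
                 "+1-555-0100", frozenset({"fido2_tap"})),
    ResetRequest("T3", "E2077", frozenset({"password_reset", "mfa_disable"}),
                 "+1-555-0177", frozenset({"push_confirm"})),
]

if __name__ == "__main__":
    for t in TICKETS:
        print(t.ticket_id, triage(t))
```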

Key Takeaways

  • MGM Resorts lost an estimated $100 million after hackers social-engineered their IT help desk with a single 10-minute phone call in September 2023 — no malware required.
  • AI tools like ElevenLabs can clone a recognizable voice from as little as 3 seconds of public audio, making phone-based impersonation nearly undetectable to untrained ears.
  • The real vulnerability isn't employee stupidity — it's that help desks are measured on resolution speed, which structurally rewards compliance over caution.
  • Implement out-of-band callback verification today: when someone calls requesting a reset, hang up and call back using the HR-registered number — this one step blocks most vishing attacks.
  • As AI voice cloning becomes free and real-time in 2025 and beyond, phone-based identity verification will become completely obsolete — companies that don't move to hardware token authentication in the next 12 months are accepting a breach as inevitable.

FAQ

Q: How do I know if a call claiming to be from our IT department is real?
A: Legitimate IT staff will never ask you to confirm your password or disable your own MFA over the phone — if someone does, that's an immediate red flag. Hang up and call your IT department back using the number listed on your company's internal directory, not the one the caller gave you.

Q: Can phone companies detect AI-cloned voices and block these calls?
A: Honestly, not reliably — not yet. Voice deepfake detection tools exist (companies like Pindrop offer them for enterprise call centers), but they're expensive, imperfect, and almost no standard help desk has them deployed. The technology gap currently favors attackers, which is exactly why procedural defenses like callback verification matter more than technical detection.

Q: What should my company do immediately if we think our help desk was targeted?
A: Treat it as an active breach: revoke the reset credentials immediately, force a global password reset for the impersonated account, and pull the access logs to see where those credentials were used in the last 24–72 hours. Call your incident response team or a firm like Mandiant or CrowdStrike if you don't have one internally — the window to contain lateral movement is short.

Conclusion

The help desk attack isn't a future threat — it already cost MGM $100 million and it's being used by ransomware gangs right now as a standard opening move. The single most important thing your organization can do today is audit your help desk's identity verification procedure and replace any knowledge-based check with a callback protocol to HR-registered numbers. Do that this week. Everything else can wait.