When MGM Resorts suffered a crippling cyberattack in 2023, forensic teams expected to find sophisticated malware or a zero-day exploit. Instead, they discovered something far simpler: an attacker called the help desk, impersonated an employee, and was handed the keys to the kingdom. Marks & Spencer and Harrods fell victim to similar attacks in 2025.
This pattern reveals a harsh reality – organizations spend millions hardening networks and endpoints while leaving identity, their most vulnerable entry point, completely exposed.
What's changed is not that help desks are vulnerable. Security teams have known this for years. What's new is the convergence of two forces that have turned a known weakness into an urgent crisis.
Help desks make sure that locked-out employees can get back to work as quickly as possible. However, the pressure to restore productivity creates an environment where speed often trumps security.
The typical interaction follows a predictable path: the caller provides basic identifying information, explains why they need access, and receives credentials. For an attacker who has done minimal reconnaissance on LinkedIn or company websites, this is trivial to replicate.
This attack vector is particularly dangerous because it bypasses most security controls like firewalls, endpoint detection, and network monitoring. These measures are blind to an attacker who talks their way through the front door with legitimate credentials issued by your own staff.
Why this old problem demands new urgency
Artificial intelligence has lowered the barrier for social engineering attacks. An attacker just needs the right tools and basic information to create real damage. The U.S. Department of Health and Human Services has warned that adversaries are using AI voice impersonation to target hospital help desks.
Accelerated by AI, phishing and spoofing scams increased by over 85%, and the average financial losses have more than doubled from $1,000 to $2,060.
At the same time, most organizations have embraced zero-trust principles for network access while performing perfunctory security checks to check help desk interactions. An employee accessing a file server goes through multiple verification steps.
An unknown caller asking the help desk to reset that same employee's password may face nothing more than security questions with answers easily found online.
Three best practices for help desk security
The most common pushback to strengthening help desk security is operational. What happens when an executive loses their phone while traveling? What if an employee legitimately cannot access their registered device?
The answer is tiered response protocols combined with three interconnected controls that close the help desk vulnerability gap:
1. Harden identity operations. Every access request should trigger the same verification standards. Multi-factor authentication cannot be optional or easy to bypass.
Implement passwordless, phishing-resistant authentication methods using industry standards. However, even passwordless systems can be compromised if credential recovery and enrollment processes remain vulnerable to social engineering.
Security questions based on static information should be replaced with dynamic verification that is harder to research or guess. Conduct regular identity governance reviews to eliminate stale accounts and ensure no identity has more access than necessary.
2. Tie device enrollment to identity. When you reset credentials or restore access, verify that the receiving device belongs to the legitimate user. Device-bound passkeys cryptographically tie authentication to a specific physical device and cannot be synced or transferred. This provides stronger assurance than synced passkeys, which can move between devices.
An attacker cannot call in, get a password reset, and access systems from an unmanaged device. The device need not be corporate-owned, but it must be registered and verified as part of the user's identity profile. Requiring this device-bound verification for any credential change immediately narrows the attack surface.
3. Use bi-directional verification to keep both employees and help desks secure. Both parties need the ability to verify each other, depending on who initiates contact. When a user contacts the help desk, the agent should verify their identity before taking action.
Before resetting credentials or granting access, use callbacks to registered numbers or send verification codes to registered devices. This protects against attackers impersonating employees, as seen in the MGM and Harrods breaches. When the help desk reaches out to users, employees should have a way to verify the legitimacy of the contact before sharing any information.
This protects staff from scammers posing as IT support. Verification capability in both directions ensures neither help desk personnel nor employees become vulnerable entry points for attackers.
Tiered response
Apply these controls using tiered response protocols. Proceed with standard verification for low-risk requests (password hints, account status checks). For high-risk actions (credential resets, permission changes, device enrollments), require elevated verification.
For truly urgent situations, establish escalation paths that maintain security. A traveling executive who lost their phone should contact their direct manager for verification before support acts. An employee with a broken device should visit IT in person with identification.
These controls are most effective when they work together. Identity verification without device verification leaves gaps, while device verification without hardened identity operations can be circumvented. Both are undermined if help desk workflows bypass these controls in the name of convenience.
Technology only cannot solve a people problem, but it can make the right behaviors easier and the wrong behaviors harder. Help desks will always be targets because they control access.
The question is whether organizations will continue treating them as trusted channels immune to compromise, or recognize them as the critical security control points they have become.
Breaches will continue. Attackers will keep calling. But organizations that recognize help desks as the critical identity control points they are, and secure them accordingly, can finally close the door that's been left open for too long.
We've featured the best endpoint protection software.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit