Help Desk Social Engineering: Scattered Spider's Front Door

Your organization may have spent a fortune on multi-factor authentication. Scattered Spider doesn't bother trying to break it. They pick up the phone, call your help desk, pretend to be a locked-out employee, and ask a helpful agent to reset the MFA for them. Minutes later, they enroll their own device and walk straight in. Your technical controls were never even tested.
This is help desk social engineering, and in 2026 it has become the defining tactic of the industry's most disruptive intrusion crews. The help desk — built to be fast, friendly, and accommodating — has become the new perimeter, and it's one that firewalls and MFA tokens can't defend.
How the Attack Works
The playbook is consistent and effective. Attackers who already have an employee's password (often bought from a prior data breach) call IT support and impersonate that user, then steer the conversation toward an account-recovery action:
- MFA reset. "I got a new phone and lost my authenticator — can you reset it?" The agent resets MFA; the attacker enrolls a device they control.
- Push-notification fatigue ("MFA bombing"). The attacker triggers a flood of approval prompts until a worn-down user finally taps "Approve."
- SIM swapping. Hijacking the victim's phone number to intercept SMS codes and recovery messages.
- Recovery-email or device-enrollment changes that quietly hand over long-term control of the account.
Each of these turns the account-recovery process — the very mechanism meant to help legitimate users — into the breach.
Why It Works So Well
Help desks are optimized for the wrong metric in this context: speed. Agents are measured on how quickly they resolve tickets and how satisfied callers are, which creates pressure to be accommodating and to take the caller at their word. Attackers exploit that with confident, well-rehearsed pretexts, urgency ("I'm about to miss a client call"), and just enough personal detail — name, employee ID, manager — gleaned from LinkedIn, prior breaches, or earlier reconnaissance calls.
If your password reset, MFA reset, or device-enrollment process can be completed on the strength of information an attacker can buy or look up, your strongest authentication can be bypassed in a single phone call.
This Is Happening Right Now
This isn't theoretical. Scattered Spider was behind high-profile help-desk-driven breaches at major UK retailers in 2025 and US insurance companies shortly after, and threat-intelligence teams at Mandiant and Unit 42 have warned of the group pivoting to the aviation and transportation sectors. CISA's joint advisory on the group documents these social-engineering techniques in detail and is essential reading for any security team.
How to Harden the Help Desk
Defending this front door requires treating identity verification as a security control, not a customer-service formality:
- Treat MFA resets and device enrollment as high-risk events. Require strong, multi-factor identity proofing before any reset — ideally something an attacker can't obtain from a data dump, such as a manager callback to a known number, a one-time code pushed to a pre-verified channel, or in-person/video verification for sensitive roles.
- Adopt phishing-resistant authentication. FIDO2/WebAuthn passkeys and PKI-based MFA aren't susceptible to push bombing or SIM swaps, removing the very mechanisms attackers target.
- Add friction for high-value accounts. Executives, finance, and IT admins warrant stricter recovery workflows and step-up verification.
- Train your help desk to recognize the pretext. Agents need explicit permission and a clear escalation path to slow down or refuse a suspicious request without being penalized on handle-time metrics.
- Train employees, too. Push-bombing only works if a user eventually approves. Teach staff to deny and report unexpected MFA prompts.
empowsec's security awareness training and vishing simulations let you rehearse exactly these scenarios — testing whether help desk agents hold the line under pressure and whether employees reject rogue MFA prompts — then deliver targeted coaching where verification breaks down.
Key Takeaways
- The help desk is the new perimeter. Attackers bypass MFA by social-engineering agents into resetting it, not by defeating the technology.
- Core tactics include MFA reset fraud, push bombing, and SIM swapping, often backed by a password from a prior breach.
- Defend it by treating account recovery as a high-risk event, adopting phishing-resistant MFA, and adding step-up verification for sensitive roles.
- Train both help desk agents and employees to slow down, verify, and report — and rehearse it with realistic simulations.
For the authoritative technical breakdown, see CISA's Scattered Spider advisory.


