What happened
Cybercriminals are targeting service desks as an entry point into corporate networks, using social engineering to manipulate agents into granting unauthorized access. Recent ransomware attacks on British retailers, including Marks & Spencer, Co-Op Group, and Harrods, show just how effective and costly these tactics can be. The common thread? Hackers tricked service desk staff into resetting credentials, disabling multi-factor authentication, or granting administrative access.
In many cases, the attackers impersonated employees or executives urgently seeking IT help, triggering widespread data breaches, system outages, and millions in damages. A separate breach at Dior was also confirmed, where customer information was accessed, but financial data remained untouched.
Going deeper
The US and UK-based group Scattered Spider is suspected of being behind several of the incidents. The group previously hit MGM Resorts in 2023 by convincing IT staff to disable 2FA for a senior executive. That breach crippled casino operations and exposed the vulnerabilities of help desks under pressure.
Attackers are increasingly turning to reconnaissance to make their stories believable, mining LinkedIn, company websites, and press releases for personal and internal details. These details are used to build a convincing pretext: a locked-out executive, a missing phone, an urgent deadline. Native English-speaking attackers (and in some cases, AI-generated voice clones) are used to increase credibility during calls.
From there, attackers pressure agents into bypassing MFA or resetting credentials. Once that initial access is granted, hackers move laterally to escalate privileges or launch ransomware payloads. The attack chain often begins with empathy and ends in a multimillion-dollar breach.
What was said
The Verizon 2024 Data Breach Investigations Report revealed that nearly 45% of breaches involve stolen credentials, many of them obtained through service desk exploitation. The report says that it's easier and faster for attackers to exploit people than to break through technical defenses.
The big picture
As cyberattacks increasingly focus on manipulating individuals rather than systems, service desks have become a common point of entry for attackers. While much attention is given to technical defenses, support staff, often operating under pressure and without extensive training, are now frequent targets for social engineering.
To mitigate this risk, organizations must balance operational efficiency with stricter safeguards. Measures such as identity verification procedures, privilege management, and access logging can reduce the likelihood of unauthorized access. While training and simulations are useful, consistent protocols are critical for limiting exposure through support channels.
FAQs
Why are service desks being targeted by hackers?
Because they offer a human entry point that can be manipulated, often without triggering security systems.
What makes social engineering at service desks so effective?
Attackers use urgency, impersonation, and detailed reconnaissance to build trust and pressure agents into bypassing protocols.
What industries are most vulnerable to these attacks?
Any organization with a centralized IT support system is at risk, but retail, healthcare, and hospitality are frequent targets due to high-stress environments.
How can companies reduce the risk of service desk exploitation?
Implement strict identity verification procedures, enforce privilege controls, and ensure all actions are logged and monitored.
Are AI tools contributing to the problem?
Yes, AI-generated voice clones and language models are making impersonation attempts more convincing and harder to detect.
Farah Amod
