Your IT help desk just let a hacker in

90% of ransomware incidents begin with stolen credentials, and most come through password resets. Help desk social engineering has become the preferred entry point for attackers.

Your IT help desk just reset a password for someone who does not work at your company.

This is not a hypothetical scenario. According to IBM X-Force research, 90% of ransomware incidents begin with stolen credentials, and the majority originate from IT help desk password resets. The coordinated attacks on UK retailers followed exactly this playbook: impersonate an employee, request a password reset, then have the help desk re-enrol multi-factor authentication, and deploy ransomware.

When I spoke with Hubert Behaghel, Chief Product Officer at Veriff, on my podcast Beyond the Algorithm, we unpacked why help desk social engineering has become one of the most exploited attack surfaces in enterprise security. The vulnerability lies in the trust we place in our colleagues.


Why is IT help desk social engineering so effective?

The help desk operates on an assumption that no longer holds: that the person calling is who they claim to be.

Voice clones now require less than 10 seconds of audio to generate a convincing replica. That sample can come from a LinkedIn video, a conference presentation, or a company podcast, all publicly available through basic open-source intelligence. Once a help desk agent believes they are speaking to the right person, they will reset every authentication layer without question.

As Hubert explained during our conversation, “Once you have accepted that you are talking to the right person, it does not really matter how much you have piled on your multi-factor authentication. You are going to accept that this is a genuine person.”

The help desk is vulnerable because it sits at the intersection of trust and access, the precise point where social engineering thrives.


Why does multi-factor authentication fail to prevent help desk attacks?

Multi-factor authentication protects the wrong moment.

MFA secures the login process. But if identity has not been verified at the point of request, if the help desk agent has already accepted they are speaking to a legitimate employee, every authentication layer built on that broken chain of trust becomes irrelevant.

The problem is not the number of factors. The problem is that identity itself was never confirmed.

This distinction matters. Organisations stack authentication layers believing they are building security when they are actually building a false sense of protection. Identity verification and authentication are not the same thing. Authentication confirms you have the right credentials. Identity verification confirms you are the right person.

When the UK retailer attacks unfolded, the attackers did not bypass MFA through technical exploits. They convinced help desk agents to reset MFA credentials entirely. The authentication was never the weak link. The weak link was identity, or rather, the assumption of identity based on trust.


What is the Infrastructure of Trust?

Hubert introduced a framework that reframes how organisations should think about IT help desk security and identity verification more broadly: the Infrastructure of Trust.

Rather than treating identity as a single checkpoint at onboarding, the Infrastructure of Trust positions verification as an ecosystem that operates across the entire employee lifecycle.

It combines multiple layers of validation (biometric liveness, behavioural signals, device intelligence, and environmental context) that cross-validate each other at high-risk moments.

The framework recognises that certain transactions carry elevated risk: password resets, access escalations, role changes, and privileged system requests. Each of these moments requires re-verification, not just re-authentication.

What makes this approach powerful is the concept of a trust profile that strengthens over time. Each verified interaction builds on previous verifications, creating a cumulative confidence score rather than treating every interaction as isolated. This makes it substantially harder for attackers to succeed: even if they can spoof one layer, cross-validation across multiple modalities exposes inconsistencies.


Should employee verification be treated like customer verification?

Organisations invest millions in Know Your Customer (KYC) processes. They deploy sophisticated identity verification, anti-money laundering checks, device fingerprinting, and behavioural analytics to onboard customers.

But what about the people logging into internal systems? The ones answering phones, reviewing code, and resetting passwords?

The fake worker fraud threat makes this question urgent. In July 2025, an individual in Arizona was imprisoned for involvement in a scheme that funnelled over $17 million to North Korea through fake remote workers. These operatives use synthetic or stolen identities, pass interviews using deepfake technology, and gain full access to sensitive infrastructure.

This is not an HR problem. It is a national security threat that belongs in the CISO office.

As Hubert noted, “I would not put it on HR. This is the infosec, the security team that needs to have an identity strategy across all the properties and all the different functions that is robust.”

Know Your Employee (KYE) should be treated with the same rigour as KYC. The same identity verification deployed for customer onboarding (biometric liveness, document verification, background validation) should apply to employees, particularly for roles with privileged access.


What should IT help desk security look like?

Securing the help desk requires acknowledging that voice-based verification is no longer sufficient. A voice clone takes seconds to create. Security questions are easily researched. The traditional help desk authentication model was designed for a threat landscape that no longer exists.

Effective IT help desk security now requires:

Biometric re-verification at high-risk moments. Password resets, MFA changes, and access escalations should trigger identity verification, not just authentication. Face biometrics with liveness detection provide a layer that voice alone cannot.

Multi-modal cross-validation. No single factor is sufficient. Combining face biometrics, device intelligence, behavioural signals, and environmental context creates a verification matrix that is far harder to defeat than any one signal, because an attacker who spoofs one modality must also make every other one agree.

Continuous trust profiling. Rather than verifying once at onboarding and assuming persistent identity, organisations should build trust profiles that strengthen with each verified interaction and can be challenged at any high-risk moment.

Red teaming and social engineering testing. Hubert’s advice to executive leaders was unequivocal: “If you do not test it, you do not know if you have a solution.” Organisations should run social engineering tests against their help desks, confront where vulnerabilities exist, and treat the results as learning opportunities rather than failures.
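The four requirements above describe a step-up policy: low-risk requests need only authentication, while password resets, MFA resets and access escalations need re-verification across independent modalities, with no single factor (and never voice or security questions alone) sufficient. The following is an added example of such a policy, not code from the article or from Veriff; the signal names, risk tiers and the specific rules (proofing signal plus an independent corroborating modality, manager callback for privileged accounts) are illustrative assumptions, and the sample requests are constructed, not real incidents.

```python
# Added example, not from the article or any vendor product: a step-up
# verification policy for help desk requests. Signal names, tiers and rules
# are illustrative assumptions.
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    TICKET_STATUS = "ticket_status"          # low risk: no re-verification needed
    PASSWORD_RESET = "password_reset"        # high risk
    MFA_RESET = "mfa_reset"                  # high risk
    ACCESS_ESCALATION = "access_escalation"  # high risk


HIGH_RISK = {Action.PASSWORD_RESET, Action.MFA_RESET, Action.ACCESS_ESCALATION}

# Signals that only say "the caller sounds right / knows things": a voice
# clone and basic OSINT defeat both, so they never carry a high-risk decision.
WEAK = {"voice_match", "knowledge_answers"}
# Identity-proofing signals: bind the live caller to an enrolled identity.
PROOFING = {"face_liveness", "in_person_id_check"}
# Independent second modalities used for cross-validation.
CORROBORATING = {"managed_device", "oob_push_enrolled_app", "manager_callback"}


@dataclass
class Signal:
    kind: str
    subject: str  # the identity this signal actually binds to


@dataclass
class Request:
    claimed_subject: str
    action: Action
    privileged: bool = False
    signals: list = field(default_factory=list)


@dataclass
class Decision:
    allow: bool
    reasons: list


def evaluate(req: Request) -> Decision:
    """Decide whether the help desk may perform the requested action."""
    if req.action not in HIGH_RISK:
        return Decision(True, ["low-risk action: authentication alone suffices"])

    reasons = []
    kinds = {s.kind for s in req.signals}

    # 1. Cross-validation: every signal must bind to the claimed identity.
    mismatched = [s for s in req.signals if s.subject != req.claimed_subject]
    if mismatched:
        detail = ", ".join(f"{s.kind}->{s.subject}" for s in mismatched)
        return Decision(False, [f"signal bound to a different identity: {detail}"])

    # 2. Weak signals alone are rejected outright for high-risk actions.
    if kinds and kinds <= WEAK:
        return Decision(False, ["only voice/knowledge signals: insufficient for high-risk action"])

    # 3. Require identity proofing plus an independent corroborating modality.
    if not kinds & PROOFING:
        reasons.append("no identity-proofing signal (face liveness or in-person check)")
    if not kinds & CORROBORATING:
        reasons.append("no independent corroborating modality")

    # 4. Privileged accounts additionally require an out-of-band human check.
    if req.privileged and "manager_callback" not in kinds:
        reasons.append("privileged account: manager callback on enrolled number required")

    if reasons:
        return Decision(False, reasons)
    return Decision(True, ["identity re-verified across independent modalities"])


# Constructed sample requests (hypothetical users, not real incidents).
CLONED_VOICE_MFA_RESET = Request("alice", Action.MFA_RESET, signals=[
    Signal("voice_match", "alice"), Signal("knowledge_answers", "alice")])
VERIFIED_PASSWORD_RESET = Request("alice", Action.PASSWORD_RESET, signals=[
    Signal("face_liveness", "alice"), Signal("managed_device", "alice")])
DEVICE_BOUND_TO_SOMEONE_ELSE = Request("alice", Action.MFA_RESET, signals=[
    Signal("face_liveness", "alice"), Signal("managed_device", "bob")])
PRIVILEGED_NO_CALLBACK = Request("admin.carol", Action.ACCESS_ESCALATION, privileged=True, signals=[
    Signal("face_liveness", "admin.carol"), Signal("managed_device", "admin.carol")])
STATUS_CHECK = Request("alice", Action.TICKET_STATUS)

if __name__ == "__main__":
    for req in (CLONED_VOICE_MFA_RESET, VERIFIED_PASSWORD_RESET,
                DEVICE_BOUND_TO_SOMEONE_ELSE, PRIVILEGED_NO_CALLBACK, STATUS_CHECK):
        d = evaluate(req)
        print(f"{req.action.value:18} {req.claimed_subject:12} allow={d.allow} {d.reasons}")
```

The point of the mismatch rule is the cross-validation the article describes: a spoofed face or a borrowed managed laptop each fail when the other modality binds to a different enrolled identity. In practice the signals would come from the IdP, the device management platform and the liveness vendor; the policy itself should live outside the help desk agent's discretion, so a convincing caller cannot talk the agent into skipping it.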


Key takeaways

  1. 90% of ransomware incidents begin with stolen credentials, most originating from IT help desk password resets, making the help desk one of the most critical attack surfaces in enterprise security.
  2. Multi-factor authentication fails to prevent help desk attacks because it protects authentication, not identity. If identity has not been verified at the point of request, every layer built on that broken trust is irrelevant.
  3. Voice biometrics are no longer sufficient. A voice clone takes less than 10 seconds of audio to generate. Organisations need multi-layered verification combining face biometrics, liveness detection, behavioural signals, and device intelligence.
  4. The line between insider and outsider is now porous. Deepfake technology and synthetic identities mean someone can gain full employee access without ever being who they claim to be.
  5. Employee verification belongs in the CISO office, not just HR. Fake worker fraud is a nation-state level threat. Know Your Employee (KYE) should be treated with the same rigour as Know Your Customer (KYC).
  6. Trust should be verified continuously, not just at onboarding. High-risk moments like password resets, access escalations, and role changes all require re-verification.
  7. Red teaming is non-negotiable. Executives should not just discuss insider threats. They should run social engineering tests and confront where real vulnerabilities exist.

What is help desk social engineering?

An attack where criminals impersonate employees via phone to trick IT support into resetting passwords or MFA, bypassing technical security controls entirely.

Why does multi-factor authentication fail to prevent help desk attacks?

MFA protects login, not identity verification. If identity was not confirmed at the point of request, all authentication layers built on that broken trust become irrelevant.

What is the Infrastructure of Trust?

A framework that positions identity verification as an ecosystem across the employee lifecycle, combining biometric liveness, behavioural signals, and device intelligence with cross-validation at high-risk moments.

Should employee verification be treated like customer verification?

Yes. Know Your Employee (KYE) should match KYC rigour. Fake worker fraud is a nation-state threat that belongs in the CISO office, not just HR.

What should organisations do to secure their IT help desk?

Deploy biometric re-verification at high-risk moments, implement multi-modal cross-validation, build continuous trust profiles, and run red team social engineering tests.
