
Help desk scams and MFA resets: are your controls keeping up?


(@nhi-mgmt-group)

TL;DR: Help desk scams let attackers reset credentials, bypass MFA, and take over privileged accounts, with Scattered Spider-linked campaigns tied to major retail and insurance disruptions according to Push Security. The core problem is that many help desk workflows still assume identity proofing can survive social engineering and high-pressure impersonation.

NHIMG editorial — based on content published by Push Security: Scattered Spider help desk scams and how to protect your organization

By the numbers:

Questions worth separating out

Q: How should security teams stop help desk scams from bypassing MFA resets?

A: Make MFA resets a high-risk identity event, not a routine service task.

Q: Why do help desk scams work so well against privileged accounts?

A: They work because many organisations use one reset process for everyone, even though a privileged account carries far more blast radius.

Q: What do security teams get wrong about identity verification for support requests?

A: They often rely on static personal data, a return call, or a quick manager check as if that were enough to defeat social engineering.

Practitioner guidance

  • Separate admin resets from routine help desk flows: Create a distinct approval path for high-privilege account resets, including extra escalation steps and logging for every administrative identity change.
  • Require out-of-band verification for risky requests: Use a call-back to a known number, device-bound codes, or in-person validation when the reset affects MFA, passwordless access, or privileged roles.
  • Freeze self-service when social engineering indicators appear: Define triggers that pause automated resets if a user reports a new device, an urgent access problem, or unusual contact from the help desk workflow.

What's in the full article

Push Security's full blog post covers the operational detail this post intentionally leaves for the source:

  • A practical walkthrough of how help desk scams are staged against MFA reset workflows.
  • Examples of the social engineering patterns used in Scattered Spider-linked campaigns.
  • More detail on browser-based verification codes and how they fit into support operations.
  • Push Security's own demonstration of identity attack detection and response capabilities.

👉 Read Push Security's analysis of help desk scams and identity takeover tactics →
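
The three items under "Practitioner guidance" can be combined into a single gate that every reset request passes through. The sketch below is an added example, not code from Push Security or NHIMG; the field names, indicator labels and decision values are assumptions chosen for illustration.

```python
import logging
from dataclasses import dataclass, field
from typing import Optional

audit = logging.getLogger("reset_audit")  # hypothetical audit logger name

# Constructed labels for the triggers and out-of-band methods the guidance lists.
FREEZE_INDICATORS = {"new_device_reported", "urgent_access_problem",
                     "unusual_helpdesk_contact"}
OOB_METHODS = {"callback_known_number", "device_bound_code", "in_person"}

@dataclass
class ResetRequest:
    account: str
    privileged: bool                    # admin or other high-privilege role
    affects_mfa: bool                   # MFA or passwordless factor is reset
    channel: str                        # "self_service" or "help_desk"
    indicators: set = field(default_factory=set)
    verification: Optional[str] = None  # out-of-band method completed, if any
    escalation_approved: bool = False

def _decide(req):
    hits = req.indicators & FREEZE_INDICATORS
    # Pause automated resets as soon as a social engineering indicator appears.
    if req.channel == "self_service" and hits:
        return "hold", ["self-service frozen: " + ", ".join(sorted(hits))]
    # Privileged accounts never go through the routine self-service flow.
    if req.privileged and req.channel == "self_service":
        return "deny", ["privileged reset requires the separate approval path"]
    reasons = []
    # An unrecognised method (e.g. a quick manager check) counts as none.
    if (req.affects_mfa or req.privileged) and req.verification not in OOB_METHODS:
        reasons.append("out-of-band verification missing")
    if req.privileged and not req.escalation_approved:
        reasons.append("escalation approval missing")
    return ("hold", reasons) if reasons else ("allow", ["controls satisfied"])

def evaluate_reset(req):
    """Return (decision, reasons); decision is 'allow', 'hold' or 'deny'."""
    decision, reasons = _decide(req)
    if req.privileged:
        # Log every administrative identity change, whatever the outcome.
        audit.info("reset account=%s decision=%s reasons=%s",
                   req.account, decision, reasons)
    return decision, reasons
```

A request that comes back as `hold` stays open until the missing control is completed and the request is evaluated again.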
