
Social engineering, MFA bypass, and the identity gap teams miss


(@nhi-mgmt-group)

TL;DR: Recent UK retail breaches show how social engineering, SIM swapping, and help-desk compromise can still bypass traditional MFA and expose customer data, with Marks & Spencer losing more than $80 million in profit and $1.3 billion in market value, according to 1Kosmos and the BBC. The lesson is that identity programmes built on credentials and devices alone cannot withstand impersonation-driven access theft.

NHIMG editorial — based on content published by 1Kosmos: Social engineering and MFA bypass in recent retail attacks

By the numbers:

Questions worth separating out

Q: How should security teams reduce social engineering risk in identity recovery workflows?

A: They should treat recovery as a privileged control path, not a customer service process.

Q: Why do traditional MFA controls fail against help-desk and SIM swap attacks?

A: Traditional MFA often trusts channels that can be redirected, such as SMS delivery, carrier changes, or support-assisted resets.

Q: What breaks when attackers gain access through impersonation rather than malware?

A: Impersonation bypasses many perimeter assumptions because the session begins with valid credentials or a valid recovery action.

Practitioner guidance

  • Harden help-desk recovery workflows: Require step-up verification for password resets, device rebinds, and MFA changes, and make support staff validate identity with independent proof rather than caller-supplied details.
  • Lock down telecom-based recovery paths: Add carrier-level safeguards for SIM swap and number port requests, and monitor for changes that can move the second factor onto an attacker-controlled device.
  • Replace code-only MFA on sensitive accounts: Use phishing-resistant authentication for privileged and high-impact accounts, especially where account recovery can be socially engineered through help desks or mobile providers.
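Treating recovery as a privileged control path, as the three points above describe, can be written down as policy that a help-desk tool evaluates before any reset goes through. The following is an added example, not code from 1Kosmos or NHIMG: the proof categories, the 72-hour telecom lookback window and the sample cases are assumptions constructed for illustration.

```python
"""Policy check for identity-recovery requests that treats recovery as a
privileged control path. Added example; names and thresholds are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumption: proof obtained through these channels cannot be recited by a
# caller or redirected by a SIM swap, so it counts as independent proof.
INDEPENDENT_PROOF = {"passkey", "liveness_biometric", "enrolled_device_push"}
PHISHING_RESISTANT = {"passkey", "liveness_biometric"}
SIM_CHANGE_WINDOW = timedelta(hours=72)   # constructed lookback threshold
RECOVERY_ACTIONS = ("password_reset", "device_rebind", "mfa_change")

@dataclass
class RecoveryRequest:
    action: str                  # e.g. password_reset
    proof: set                   # verification steps actually completed
    privileged: bool             # admin or high-impact account
    now: datetime
    carrier_events: list = field(default_factory=list)  # (timestamp, kind)

def recent_carrier_change(req):
    """True if a SIM swap or number port landed inside the lookback window."""
    return any(req.now - ts <= SIM_CHANGE_WINDOW
               for ts, kind in req.carrier_events
               if kind in ("sim_swap", "number_port"))

def evaluate(req):
    """Return (decision, reason); decisions are ALLOW, STEP_UP or HOLD."""
    if req.action not in RECOVERY_ACTIONS:
        return "ALLOW", "not a recovery action"
    # Caller-supplied details and code-only factors never suffice on their own.
    if not (req.proof & INDEPENDENT_PROOF):
        return "STEP_UP", "no independent proof presented"
    # A second factor that just changed carrier may now sit on an attacker's
    # device: reject SMS/voice proof and route the request to manual review.
    if recent_carrier_change(req) and req.proof & {"sms_code", "voice_call"}:
        return "HOLD", "telecom change inside window; SMS/voice proof rejected"
    if req.privileged and not (req.proof & PHISHING_RESISTANT):
        return "STEP_UP", "privileged account needs phishing-resistant proof"
    return "ALLOW", "independent proof satisfied policy"

def sample_scenarios():
    """Constructed help-desk cases; returns {case name: decision}."""
    now = datetime(2025, 1, 10, 9, 0)
    swap = [(now - timedelta(hours=5), "sim_swap")]
    R = RecoveryRequest
    cases = {
        "caller_details_only": R("password_reset", {"caller_details"}, False, now),
        "sms_after_sim_swap": R("mfa_change", {"sms_code", "enrolled_device_push"}, False, now, swap),
        "admin_push_only": R("device_rebind", {"enrolled_device_push"}, True, now),
        "admin_passkey": R("device_rebind", {"passkey"}, True, now),
    }
    return {name: evaluate(r)[0] for name, r in cases.items()}
```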

What's in the full analysis

1Kosmos's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step breakdown of how SIM swapping and help-desk manipulation were used to bypass identity controls
  • Specific details on liveness-based biometric verification and how it binds the person to the authentication event
  • Implementation context for integrating stronger authentication into privileged access and existing enterprise login flows
  • Operational examples of where traditional MFA breaks down in real support and recovery processes

👉 Read 1Kosmos's analysis of social engineering, MFA bypass, and enterprise identity risk →
