TL;DR: Social engineering groups linked to Scattered Spider are recruiting women for scripted vishing calls that target help desks, with payouts of $500 to $1,000 per successful call and a focus on password resets, MFA changes, and account recovery, according to FastPassCorp. Static verification no longer matches the attacker tradecraft, because trust-based support workflows remain easier to exploit than the credentials they are meant to protect.
NHIMG editorial — based on content published by FastPassCorp: Scattered Spider Pays $1000 to Women for Help Desk Attacks
By the numbers:
- Attackers linked to Scattered Spider style groups are offering women $500 to $1,000 per successful vishing call.
Questions worth separating out
Q: How should security teams stop help desk impersonation attacks?
A: Security teams should move sensitive support actions behind a mandatory verification workflow that is separate from the caller conversation.
Q: Why do static help desk checks fail against vishing attacks?
A: Static checks fail because they prove knowledge, not current identity.
Q: What do organisations get wrong about service desk identity proofing?
A: They often treat the help desk as a convenience layer instead of a security control point.
Practitioner guidance
- Require out-of-band verification for support actions Block password resets, MFA changes, account unlocks, and privileged recovery until the caller has completed a trusted verification step outside the help desk conversation.
- Remove direct reset privileges from frontline support Limit who can execute identity state changes and separate intake from approval wherever possible.
- Retire knowledge-based authentication for high-risk actions Eliminate security questions, employee numbers, and caller ID as primary proof for recovery flows.
What's in the full article
FastPassCorp's full article covers the operational detail this post intentionally leaves for the source:
- The specific recruitment pattern used in public Telegram channels and how the vishing operation was structured.
- The exact help desk requests attackers are using to trigger resets, MFA changes, and account recovery.
- The argument for removing frontline support privileges from password reset workflows.
- The vendor's recommended workforce identity verification approach for support operations.
👉 Read FastPassCorp's analysis of Scattered Spider help desk impersonation tactics →
Help desk impersonation attacks: are your verification controls enough?
Explore further
Help desk impersonation is an identity governance failure, not a call-centre problem. The control gap is that many organisations still treat account recovery as a service workflow instead of a privileged identity event. Once a support agent can change access state on the basis of weak evidence, the organisation has moved the trust boundary into a high-risk human interaction. Practitioners should treat every reset, unlock, and MFA change as an identity governance decision.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
A question worth separating out:
Q: Who is accountable when a help desk reset leads to compromise?
A: Accountability sits with the organisation that allowed a privileged identity change without strong verification and adequate segregation of duties. From an IAM and governance perspective, the issue is not only the attacker’s deception, but the control design that permitted a support action to become an access grant.
👉 Read our full editorial: Help desk identity verification is failing against Scattered Spider