TL;DR: Voice phishing campaigns now succeed by exploiting helpdesk trust, proxy tooling, and identity recovery flows rather than attacker sophistication, according to HYPR. The real failure is that many identity programmes still treat successful authentication as proof of legitimate intent, even when access is intercepted and reused.
NHIMG editorial — based on content published by HYPR: Your Niece Can Now Launch a 'Sophisticated' Cyberattack
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams reduce the risk of voice phishing in identity workflows?
A: Security teams should harden recovery, helpdesk, and factor-change workflows with stronger proofing than routine login.
Q: Why do phishing proxies still succeed even when MFA is in place?
A: Phishing proxies succeed because they relay a legitimate authentication flow in real time and capture the resulting session token.
Q: What do organisations get wrong about identity recovery and helpdesk support?
A: They often treat recovery as an administrative convenience instead of a security boundary.
Practitioner guidance
- Lock down recovery and reset workflows: Require stronger proofing for password resets, factor changes, and account unlocks than for ordinary sign-in, and remove free-text exceptions from helpdesk processes.
- Adopt phishing-resistant authentication for high-risk users: Prioritise passkeys or other phishing-resistant methods for administrators, service desks, and sensitive business roles where session theft has the highest impact.
- Instrument support channels for abuse patterns: Monitor caller ID anomalies, repeated reset attempts, unusual helpdesk approvals, and rapid follow-on access to admin consoles or identity settings.
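One way to implement two of the monitoring signals from the last item (repeated reset attempts, and rapid follow-on access to admin consoles after a helpdesk action) is shown below. This is an added example, not code from HYPR or this editorial; the event names, tuple layout, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; field names and event types are assumptions,
# not the schema of any particular identity provider or ticketing system.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "helpdesk_password_reset"),
    ("2024-05-01T09:04:00", "alice", "helpdesk_mfa_factor_change"),
    ("2024-05-01T09:10:00", "alice", "admin_console_login"),
    ("2024-05-01T10:00:00", "bob", "helpdesk_password_reset"),
    ("2024-05-01T15:30:00", "bob", "admin_console_login"),
    ("2024-05-01T11:00:00", "carol", "helpdesk_password_reset"),
    ("2024-05-01T11:05:00", "carol", "helpdesk_password_reset"),
    ("2024-05-01T11:09:00", "carol", "helpdesk_password_reset"),
]

RECOVERY = {"helpdesk_password_reset", "helpdesk_mfa_factor_change",
            "helpdesk_account_unlock"}
SENSITIVE = {"admin_console_login", "identity_settings_change"}

def detect(events, follow_window=timedelta(minutes=30),
           burst_window=timedelta(minutes=15), burst_count=3):
    """Return sorted (user, rule) findings for two helpdesk abuse patterns."""
    per_user = defaultdict(list)
    for ts, user, kind in events:
        per_user[user].append((datetime.fromisoformat(ts), kind))
    findings = set()
    for user, rows in per_user.items():
        rows.sort()
        recov = [t for t, k in rows if k in RECOVERY]
        # Rule 1: sensitive access shortly after a helpdesk-driven recovery event.
        for t, k in rows:
            if k in SENSITIVE and any(
                    timedelta(0) <= t - r <= follow_window for r in recov):
                findings.add((user, "sensitive_access_after_recovery"))
        # Rule 2: burst_count recovery events inside one sliding window.
        for i in range(len(recov) - burst_count + 1):
            if recov[i + burst_count - 1] - recov[i] <= burst_window:
                findings.add((user, "repeated_recovery_attempts"))
    return sorted(findings)

if __name__ == "__main__":
    for user, rule in detect(EVENTS):
        print(f"ALERT user={user} rule={rule}")
```

Tune the windows against normal helpdesk volume; a legitimate reset followed by an admin sign-in will also match Rule 1, so route findings to review rather than automatic lockout.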
What's in the full article
HYPR's full blog post covers the operational detail this post intentionally leaves for the source:
- The step-by-step voice phishing workflow showing how social engineering, spoofing, and proxy interception combine into a repeatable attack.
- The operational examples of how helpdesk and recovery-path abuse moves from account reset to persistent access.
- The specific identity assurance measures HYPR recommends for reducing proxyable MFA and recovery misuse.
- The article's framing of why these campaigns are scaling despite not relying on advanced malware.