Service desk social engineering remains one of the most reliable ways attackers break into corporate networks. The 2025 attacks against UK retailers Marks & Spencer, Co-op, and Harrods by the Scattered Spider group put these tactics in the spotlight, but they’re anything but new — and they’re not slowing down.
In the M&S case, attackers impersonated an employee and convinced a third-party service desk agent to reset that employee's credentials, which handed them access to internal systems. More recently, Carnival Corporation disclosed a breach in which social engineering fooled an employee into granting access to part of the company's IT environment.
Around the same time, the FBI warned about the Silent Ransom Group, whose members pose as IT support staff and talk employees into joining remote access sessions using legitimate admin tools.
Why service desks? Help desk staff are trained to be helpful, which makes them natural targets for impersonation. They can reset passwords, provision accounts, or disable MFA, giving attackers a direct path to legitimate access. A well-crafted call or chat can yield entry in minutes, and because the resulting login uses a genuine account with a freshly set password, it often triggers no alert at all.
How it plays out: Attackers research targets via LinkedIn, org charts, and data leaks, so they already know names, job titles, managers and internal jargon before they call. They spoof internal caller IDs using VoIP. Common pretexts include being locked out before a critical meeting, a lost phone that needs its MFA reset, or an urgent incident requiring admin access. They use friendly, rushed tones and drop internal references to build rapport and discourage the agent from following the full verification script.
Once they get a credential reset or MFA bypass, they log in as the impersonated employee, escalate privileges through Group Policy or ticketing systems, and deploy malware or exfiltrate data. In the M&S case, the intrusion ended with DragonForce ransomware being deployed.
Defenses: Organizations should require strict identity verification for all password resets, including out-of-band confirmation such as a call back to the number on file or a video check with the employee's manager. Verification questions must not rely on facts an attacker can harvest from LinkedIn or a data leak (employee ID, start date, manager's name), because those are exactly what the caller has prepared. MFA should not be resettable by a phone call to the help desk at all; in-person verification or manager approval is essential. Service desk staff need training to spot social engineering tactics, especially urgent or emotional requests that pressure them to skip steps. Monitoring for unusual patterns, such as repeated resets for the same account or any MFA removal on a high-privilege account, can catch attacks early, ideally before the attacker's first login.
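The monitoring point above can be turned into a simple detection. The following is an added example written for this article, not code from any of the organizations mentioned: it runs three rules over a constructed set of identity audit events (a help-desk password reset followed shortly by an MFA method removal, any MFA removal on a privileged account, and repeated resets for one account within a day). The event field names, the privileged group names and the sample records are all assumptions made for illustration; a real deployment would map them to the identity provider's own audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed group names that mark an account as high privilege (illustrative only).
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}

# Constructed audit events with an assumed schema; not from a real IdP or help-desk tool.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:02:11Z", "action": "password_reset", "actor": "svcdesk-agent-17",
     "target": "j.smith", "groups": ["Domain Users"]},
    {"ts": "2025-05-01T09:05:40Z", "action": "password_reset", "actor": "svcdesk-agent-17",
     "target": "a.patel", "groups": ["Domain Users", "Domain Admins"]},
    {"ts": "2025-05-01T09:09:03Z", "action": "mfa_method_removed", "actor": "svcdesk-agent-17",
     "target": "a.patel", "groups": ["Domain Users", "Domain Admins"]},
    {"ts": "2025-05-01T09:10:30Z", "action": "login_success", "actor": "a.patel",
     "target": "a.patel", "groups": ["Domain Users", "Domain Admins"], "src_ip": "198.51.100.23"},
    {"ts": "2025-05-01T11:15:00Z", "action": "password_reset", "actor": "svcdesk-agent-03",
     "target": "j.smith", "groups": ["Domain Users"]},
    {"ts": "2025-05-01T14:20:00Z", "action": "password_reset", "actor": "svcdesk-agent-09",
     "target": "j.smith", "groups": ["Domain Users"]},
    # MFA removal for an ordinary user with no preceding reset: should not alert under these rules.
    {"ts": "2025-05-01T16:00:00Z", "action": "mfa_method_removed", "actor": "svcdesk-agent-03",
     "target": "m.lee", "groups": ["Domain Users"]},
]


def parse_ts(value):
    """Parse the assumed ISO-8601 'Z' timestamp format into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_privileged(event):
    """True if the event's target account is in any assumed privileged group."""
    return bool(PRIVILEGED_GROUPS.intersection(event.get("groups", [])))


def analyze(events, followup_window=timedelta(minutes=30),
            reset_threshold=3, reset_window=timedelta(hours=24)):
    """Run the three help-desk abuse rules over events and return a list of alerts.

    Rules:
      reset_then_mfa_removed  - an MFA method is removed within followup_window of a
                                password reset for the same account (classic takeover sequence)
      privileged_mfa_removed  - any MFA removal on a privileged account
      repeated_resets         - reset_threshold or more resets for one account in reset_window
    """
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    resets_by_target = defaultdict(list)  # account -> timestamps of recent password resets

    for event in events:
        ts = parse_ts(event["ts"])
        target = event["target"]

        if event["action"] == "password_reset":
            # Keep only resets still inside the counting window, then append this one.
            recent = [t for t in resets_by_target[target] if ts - t <= reset_window]
            recent.append(ts)
            resets_by_target[target] = recent
            # Fire once, at the moment the threshold is crossed.
            if len(recent) == reset_threshold:
                alerts.append({"rule": "repeated_resets", "target": target,
                               "ts": event["ts"], "count": len(recent)})

        elif event["action"] == "mfa_method_removed":
            if is_privileged(event):
                alerts.append({"rule": "privileged_mfa_removed", "target": target,
                               "ts": event["ts"], "actor": event["actor"]})
            preceding = [t for t in resets_by_target[target]
                         if timedelta(0) <= ts - t <= followup_window]
            if preceding:
                alerts.append({"rule": "reset_then_mfa_removed", "target": target,
                               "ts": event["ts"], "actor": event["actor"]})

    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

In the constructed data, a.patel (a Domain Admin) trips both the reset-then-MFA-removal rule and the privileged-MFA-removal rule within four minutes, which is the sequence described for these attacks, while j.smith's three resets in one day trip the repeated-resets rule. The rules are deliberately independent so that a high-privilege target still raises an alert even when the attacker spaces out the reset and the MFA change.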
Outsourced service desk arrangements should be reviewed regularly, with the contract spelling out the verification procedure the provider must follow, and with both that procedure and the escalation paths tested through red team exercises that actually call the desk with a realistic pretext.
