Social Engineering Attacks Are on the Rise

Social engineering techniques like pretexting, vishing (voice phishing), MFA fatigue attacks (bombarding with approval requests), and even SIM swapping are used to manipulate helpdesk staff into resetting credentials or disabling MFA controls. These tactics are no longer theoretical—they have been observed in high-impact breaches.

For example, high-profile attacks on two of the world’s largest casino and hospitality companies in 2023 began with helpdesk impersonation: hackers convinced support to provide password resets or MFA re-enrollment, effectively handing over the “keys to the kingdom.” Even the strongest authentication system becomes irrelevant the moment an unverified caller can trick your front-line staff into overriding security.

The Impact: Bypassing MFA & Escalating to Breach

Recent global incidents underscore how quickly a social engineering foothold escalates into a full-blown breach. Once attackers obtain valid credentials or force a password reset, they can bypass MFA and roam freely across systems. In the case of one of the 2023 attacks, a well-known hacker group used social engineering to obtain account credentials and one-time MFA codes, leading to days-long business outages and a ransom demand. One of the organizations in the 2023 incidents reportedly paid millions in ransom after a similar helpdesk-focused attack.² These are not isolated events: the international cyber criminal network responsible for these attacks has single-handedly infiltrated over 100 organizations since 2022 across hospitality, cloud services, telecom, retail, aviation and more. They and similar groups leverage tactics that even mature security programs struggle to defend.

The bigger picture is that no industry or geography is immune. In 2024, social engineers hit companies from U.K. retail to North American airlines. Often the initial entry is an outsider masquerading as an insider, a fake employee or vendor convincing support to “temporarily” disable MFA, remove a phone number, or issue a new login link. Once inside, attackers initiate lateral movement expanding their access horizontally across systems to escalate privileges, exfiltrate data, deploy ransomware, or all of the above.

A single helpdesk lapse can lead to regulatory fines, reputational damage, and huge business disruption in critical sectors. The financial implications can be devastating; for example, the May 2025 cyber attack on a prominent U.K. retailer resulted in the loss of millions of dollars due to operational disruption, legal liabilities, and recovery costs.¹

Evolving Attacker Tactics: AI Impersonation & Multi-Vector Deception

Today's social engineers are raising the stakes with AI-powered impersonation and multi-vector attacks. Deepfake voice cloning is a reality: in one documented case, fraudsters targeted a global firm's CEO via a fake WhatsApp chat and a deepfaked voice on a conference call. The attackers used a voice clone and repurposed video footage to pose as the CEO in a virtual meeting, attempting to trick an executive into a bogus deal (fortunately, that attack was foiled).

This example highlights how scammers now mix techniques: they created a fake account with the CEO's photo, set up a video meeting, and used AI-generated voice — a multi-channel deception blending messaging, video, and audio.

Such sophisticated impersonation is no longer rare. Over the past year, deepfake voice scams have defrauded banks and financial firms out of millions and forced security teams to stay on high alert. Attackers also combine traditional methods with new tools. For instance, they might send a phishing email and then follow up with a convincing phone call (vishing), referencing the email to appear legitimate, thereby exploiting multiple channels of communication simultaneously. Studies note that criminals increasingly mix phishing, vishing, and smishing (SMS phishing) in a single campaign to maximize credibility.³

With generative AI, bad actors can instantly craft personalized phishing lures, or even generate fake documents and voices, lowering the cost and effort of highly targeted attacks. One analysis found that automating such attacks can reduce the cost of spear-phishing by up to 99%, enabling threat actors to operate at previously impossible scale.⁴ In short, the barrier to entry for convincing social engineering has dropped, and the sophistication has spiked.

Beyond Helpdesks: Other Common Identity Exploits

While helpdesk impersonation is a glaring weak link, attackers exploit many other identity vulnerabilities in enterprises today.

Every link in the identity chain — from telecom providers and user devices to security admins — has become a target.

Attackers will seek out the weakest link, whether it's a helpdesk agent without proper verification tools, an employee tired of MFA prompts, or a phone company representative tricked into a SIM swap. A broadened defense must address all these angles.

Strategic Response: Identity-Centric, Layered Defense

To counter these adaptive threats, organizations need to shift to an identity-centric defense model (visualized in Figure 1 below). In traditional security, we spoke of defense-in-depth with multiple layers (network, endpoint, application, etc.). Now, identity is the new perimeter, so our layers must reinforce identity assurance at every step. This means combining people, process, and technology defenses such that if one control fails, others stand in the way of an attacker.

1. Strengthen Identity Verification & Access Controls (Inner Layer)

Start by moving beyond simple shared secrets or one-time tokens for identity proof. Implement strong, contextual identity verification, especially for any manual processes like helpdesk calls.

This could include requiring a helpdesk agent to initiate a live identity proofing step with the user (e.g., sending a push notification the user must confirm or requiring a brief live video check for high-risk actions). Leverage biometric checks, government ID document verification, or face recognition liveness for resets, these methods are far harder to fake than security questions or employee IDs. Enforce multi-factor checks combining something the user has (an ID or device), something they are (biometric), and contextual risk signals.

For example, if an account lockout reset is requested, require not just HR or directory info verification, but also a matching face or fingerprint and presence of a known device. The goal is to ensure the person seeking access is the legitimate identity: a Zero Trust approach of “never trust, always verify” applied to user identity recovery. In parallel, organizations should begin laying the foundation for cryptographically-backed, verifiable credentials–digital attestations that cannot be forged and can provide strong, privacy-preserving identity proof during recovery workflows.

2. Implement Workflow Controls and Two-Person Integrity (Process Layer)

Just as financial transactions often require dual approval, sensitive identity actions should not be left to a single agent’s discretion. Introduce peer or supervisor approval for high-risk changes.

For instance, if an employee calls to reset MFA, the system could automatically involve a second authority, perhaps a pre-designated peer or the user’s manager to co-authorize the request before it’s executed. This peer-assisted workflow creates a “two-person rule” barrier that vastly reduces the chance of one person’s error compromising security. (Not even an attacker with a perfect deepfake can simultaneously fool two independent people who verify in person or via a secondary channel.) In fact, advanced identity recovery models now allow a pre-registered “helper” user to participate in the authentication journey on behalf of the user. If the user loses access to all their factors, require two helpers so they cannot collude (one helper’s approval alone wouldn’t be enough).

These orchestrated workflows can be automated with policy, like blocking the helpdesk from directly changing a user’s password, instead of triggering a secure self-service flow or manager approval queue. By embedding checks and balances into identity processes, you make social engineering much harder to scale for attackers. Given the criticality of identity recovery workflows, organizations should consider embedding these functions within the security organization. Doing so ensures stronger oversight, faster alignment with security posture, and less risk of procedural bypasses during high-pressure events.

3. Layer Continuous Monitoring & Identity Threat Detection (Outer Layer)

Even with strong up-front controls, assume some attacks will slip through. This is where detection and response become critical. Deploy tools and processes for Identity Threat Detection and Response (ITDR): think of it as Security Operations Center (SOC) monitoring for identity systems.

For example, monitor for anomalies like rapid account resets, atypical login locations, or multiple failed MFA attempts across many accounts (which could signal a broader phishing or MFA fatigue attack in progress). Leverage AI/ML to establish a baseline of normal user behavior and trigger step-up authentication when something deviates. For example, if someone from Finance suddenly logs in from a new device in a different country and immediately attempts to access HR files, that should raise flags and prompt a reauthentication challenge or verification call-back.

Modern identity platforms and security analytics can correlate signals from endpoints, network and user behavior to produce a risk score for each session.⁵ When high risk is detected, dynamic step-up challenges should kick in: for instance, requiring biometric re-verify, an additional one-time code, or even revalidating identity via security questions with an operator. Conversely, low-risk activities can proceed without added friction, to avoid burdening legitimate users unnecessarily.⁵

By layering robust preventive controls with active monitoring and rapid response, organizations create an identity defense that is resilient. If one layer fails (say an attacker tricks a helpdesk agent), the next layer (anomalous activity detection) can still catch and contain the threat before damage is done.

Identity-Centric, Layered Defense Model

Figure 1: A visualization of the “Identity Centric, Layered Defense Model”

A Phased Roadmap: Immediate to Future-Ready Strategies

Enhancing identity security and recovery is a journey. Enterprises should adopt a phased approach to modernize their defenses without disrupting business. Below is a Now, Mid-Term, Long-Term Roadmap that is industry-agnostic and globally applicable.

Immediate Enhancements (Now): Minimal Lift, Maximum Impact

Start by closing the helpdesk gap with solutions that are easy to implement but have a significant impact right away.

In many organizations, helpdesk functions are outsourced to third-party providers or managed service partners. While these arrangements can scale support and reduce cost, they introduce a new risk dimension: outsourced agents are often less emotionally invested in the organization’s people, brand, and data protection ethos. This distance can lead to lapses in judgment or failure to detect subtle red flags during identity recovery calls.

By contrast, peer-based recovery workflows where employees pre-select trusted colleagues or managers to assist in account recovery help close this gap. These internal actors are more familiar with team dynamics and less likely to be manipulated through urgency, voice spoofing, or internal jargon. Embedding peer verification options strengthens the human trust layer that outsourced helpdesks may lack.

1. Enable Peer-Based Recovery

Let users pre-enroll one or two trusted colleagues or managers as “account recovery helpers.” If a user is locked out, helpers verify their identity through secure, out-of-band workflows video, corporate chat, or even in person and approve via magic link, push notification, or QR scan, ensuring distributed trust.

2. Harden Helpdesk Workflows Against Social Engineering

Instead of relying on insecure OTPs sent via SMS or email, use live verification triggers during helpdesk interactions. These steps ensure the helpdesk agent confirms who is making the request, not just what they know:

• Ask the user to complete a live selfie with a liveness check, paired with a trusted reference such as a pre-enrolled biometric template or validated ID record, to confirm not just human presence but the identity being claimed.
• Trigger a secure in-session challenge (e.g., biometric or device-bound confirmation).
• Require the user to respond to a push notification sent to a previously enrolled, verified device.

3. Deploy Government ID Verification for High-Risk Use Cases

Where feasible, embed ID verification steps (government-issued document scan + real-time selfie match+identity correlation / data matching) into your support and recovery flows. These add a high-assurance identity checkpoint to ensure the integrity and security that prevents impersonators from succeeding even with inside knowledge.

4. Train the Human Firewall

Launch a helpdesk-specific training program on social engineering, deepfakes, and spoofing tactics. Equip agents with escalation protocols and the authority to pause or deny requests when something feels suspicious.

Identity correlation matching extracted attributes (e.g., name, DOB, document number) against authoritative sources like HR systems or identity registries should be mandatory in these high-assurance flows to ensure the identity being verified aligns with the system-of-record.

5. Security Bubble

Consider creating a "security bubble" around high-risk helpdesk operations, isolating recovery functions with enhanced verification, monitoring, and escalation safeguards.

Mid-Term Enhancements: Layered Verification & Integrated Signals

In this stage, your focus should be on scalable defense. Deploy layered verification frameworks for identity recovery and high-risk access. This means combining multiple identity checks: government-issued photo ID scan + realtime liveness check + matching against HR records, for example.

To further strengthen assurance, organizations can enrich this process by comparing biographic attributes (name and address) extracted from the government-issued ID with external, trusted data sources such as credit bureaus or national identity registries. This biographic match adds another signal to validate the legitimacy of the identity request, helping to triangulate confidence across internal and third-party records.

If one factor is missing or fails (e.g., user’s ID is expired or their face doesn’t match), have alternate routes: maybe answering an HR security question plus a manager’s approval in the admin portal. The verification process should gracefully escalate, for instance, automatically invoking a secure video chat with a security officer if standard methods fail.

At the same time, integrate diverse signals into your identity workflows. Link your identity platform with HR systems, endpoint detection & response (EDR) tools, and threat intel feeds. For example, if HR flags a user as terminated, auto-trigger step-up auth on that account (or lock it). If your EDR or browser isolation tool detects a malware incident on a device, force re-authentication and verification on any accounts from that device.

By the mid-term, automation should handle the majority of identity recovery cases safely—with only edge cases needing human intervention. Orchestration tools (identity workflow engines) can enforce policies in real time. For example, if the user is requesting MFA reset and device posture is unverified, then require additional manager approval. This reduces reliance on memory and manual steps. Also, implement phishing-resistant MFA for user logins enterprise-wide, such as FIDO2 security keys or mobile authenticator apps with number matching, to neutralize credential theft and MFA fatigue attacks.

Overall, the mid-term goal is comprehensive, context-based authentication and recovery that adapts to risk. Users get a smoother experience when low-risk (no unnecessary hurdles), but any anomalous or sensitive scenario triggers multiple validations before trust is granted.

Long-Term Enhancements (Strategic Evolution): Decentralized & Continuous Identity

Looking long term, organizations should embrace cryptographically verifiable digital credentials sometimes called decentralized identity and advanced automation to stay ahead of attackers. In the future model, employees may carry verifiable digital credentials (e.g., in a mobile wallet) issued by the company. Instead of asking security questions or juggling verification codes, the helpdesk (or system) could prompt the user to present a cryptographically signed credential proving their identity and employment status. Because these verifiable credentials (VCs) are signed by the organization and tied to the user’s biometrically-secure device, they are extremely difficult to falsify.

An identity recovery in this scenario might look like: helpdesk initiates a “credential request,” user taps their phone to send a signed proof from their wallet, and the system validates the signature and identity attributes without any human sharing of passwords or IDs. This not only improves security, but also privacy, since the user controls their credential release. In parallel, adopt an “always-on” identity threat analytics engine.

Future identity systems will continuously evaluate trust, using AI to spot subtle indicators of compromise, for instance, comparing the user’s current behavior and digital “exhaust” (e.g., typing patterns, geolocation, access times) to their historical baseline. If something seems off, the system could automatically impose step-up challenges or even revoke active sessions in real-time (for example, if an employee’s account suddenly behaves like an administrator at 3am, it gets flagged and blocked pending investigation). The long-term strategy also involves global information sharing and collaboration.

As cyber threats cross industries and borders, organizations should share anonymized telemetry and attack indicators. Participating in industry ISACs (Information Sharing and Analysis Centers) or global Computer Emergency Response Teams (CERT) bulletins means quicker detection of new social engineering tricks hitting your sector.

Finally, plan for a passwordless future phasing out passwords, which are easily phished, in favor of device-bound credentials and biometrics. This cuts off many attack vectors entirely. The strategic future of identity security is decentralized, intelligent, and ubiquitous: identity proof is embedded into user devices and workflows, trust is continuously evaluated, and security becomes seamless and user-centric.

Visualizing the Identity-Centric Defense Model & Workflows

A resilient identity defense framework must include multiple interlocking controls around the user’s identity. At the core lies identity and access management (IAM), featuring robust authentication, single sign-on (SSO), and least privilege access. Building on that, identity governance and privileged access management (PAM) ensure users hold only the access they require, and that privileged identities receive heightened oversight.

Surrounding these foundational layers is IDTR, continuously monitoring for suspicious behavior, failed authentications, or unauthorized escalations. At the outermost layer sits a Zero Trust security culture where every request is validated dynamically based on contextual risk factors. Even if one control layer is bypassed (e.g., a compromised password), the next layer like anomaly detection or step-up verification prevents the adversary from proceeding further. This defense-in-depth model (as shown in Figure 2 below) treats identity as a multifaceted perimeter, reducing reliance on any single control and strengthening security posture holistically.

Figure 2: A high-level illustration of the “Identity Centric Defense-In-Depth Model”

Peer-Based Recovery & Step-Up Workflow

Peer-assisted account recovery introduces distributed trust into identity recovery. In scenarios where users lose access to their primary MFA device, the workflow allows them to initiate recovery through a pre-authorized peer. The peer receives a secure notification, performs strong authentication, and validates the user’s identity ideally through a secondary channel such as video confirmation or shared knowledge.

The workflow requires active participation: the peer might scan a dynamic QR code, approve via a magic link, or confirm through a push notification or if the authentication risk associated with the peer is too high, enforce ID verification for the peer as well. For added assurance, step-up verification can be enforced at key points. In higher-risk scenarios, approval from two separate peers may be required to reduce the risk of collusion or compromised accounts. Once verified, the system grants temporary access, logs the full interaction, and optionally alerts security teams for oversight.

This process (outlined below in Figure 3) enables secure recovery without relying on centralized helpdesks, dramatically reducing the likelihood of social engineering success and shifting identity assurance closer to those who can personally validate the user’s identity.

Figure 3: An example process flow for enabling secure, helpdesk-less account recovery

Building Resilience & Trust Across the Identity Lifecycle

Identity is the first, and last, line of defense. Whether a hacker is at the gate or already inside the network, a strong identity security posture can contain and neutralize the attack. The enhanced strategies outlined, from fortifying helpdesk processes and training to adopting layered defenses to embracing future innovations like decentralized credentials, all converge on a singular goal: maintaining trust in the identity of every user, every digital moment, and every transaction.

Executives across industries globally should recognize that these threats are not hypothetical or confined to one sector–they are hitting casinos, airlines, hospitals, banks, and governments everywhere. Thus, investing in an identity-centric security model is investing in the very continuity of the business. By adopting a phased roadmap, organizations can garner quick wins now (closing glaring gaps like helpdesk verification), plan mid-term upgrades (integrating intelligent MFA and monitoring), and steer toward a future-ready state where proof of identity is seamless, and privacy-preserving, and cryptographically verifiable.

The payoff is substantial: eliminating the helpdesk as a soft target, blunting phishing and deepfake schemes, and ensuring that legitimate users can always recover and continue their work securely. In a world of AI-driven scams and countless hacker groups, those who reinforce their identity defenses will weave a safety net that attackers cannot easily tear through. In sum, securing identity recovery and beyond is not just an IT project, it's a strategic imperative for resilient, trustworthy operations in the digital age.

References

¹Reuters. "$400 million cyberattack upheaval to linger into July"

²8 News Now. "5 defendants linked to hacker group behind 2023 cyberattacks"

³The National Clo Review. "Smishing and Vishing in the Era of Automated Credibility"

⁴Schneier on Security. "AI Will Increase the Quantity and Quality of Phishing Scams"

⁵Patents Assigned to Ping Identity International, Inc. — Justia Patents Search

Disclaimer: High-profile case studies and threat intelligence were drawn from recent cybersecurity reports and news (e.g., Reuters, CyberScoop, The Guardian) to ensure up to date insights. Best practices and models referenced align with guidance from industry experts and frameworks like Zero Trust and defense-in-depth for identity security.