Modern enterprises have invested in firewalls, encryption, and authentication. Yet call centers often remain a soft target. Agents have the authority to reset passwords and MFA. In modern account takeover (ATO) chains, identity—not credentials or firewalls—is the frontline.

Recent social engineering campaigns, most notably those carried out by the Scattered Spider group, show how a simple phone call to a help desk can bypass even the strongest digital protections. Enterprise security teams that have spent years hardening technical controls now face a threat environment where attackers target identity and the gatekeepers of access control. 

Consider the 2023 breach of MGM Resorts. Investigators found that attackers phoned the company’s IT support line, impersonated an employee, and provided just a few personal details like name, employee ID, and date of birth to convince the help desk to reset that employee’s multi-factor authentication (MFA). Once inside the network, the attackers escalated privileges and moved laterally. 

This was far from an isolated event. Okta reported a wave of similar attacks in 2023, where callers pretended to be employees who had “lost their phone” and tricked service desks into resetting MFA. In each case, identity-based deception neutralized MFA safeguards and gave threat actors access to privileged accounts. 

Scattered Spider has proven especially adept at such multi-step social engineering campaigns, often compromising third-party vendors with weaker controls and using that foothold to infiltrate larger, more secure enterprises. 

Why targeting identity works for threat actors 

Modern enterprises, from banks to hospitals, have invested heavily in firewalls, encryption, and authentication technologies. Yet call centers often remain a soft target. Agents have the authority to reset passwords, disable MFA, and disclose sensitive information—making them attractive to threat actors. 

Call center identity verification is frequently the weakest link. Agents, eager to help, may bend security protocols. Even when verification requires personal details such as an account number, address, or date of birth, attackers can easily obtain that data through online leaks. “Secret” answers are no longer secret in an age where entire personal profiles are sold on the Dark Web. Determined adversaries exploit these knowledge-based authentication systems to make their impersonations more convincing. 

One-time passcodes (OTPs) sent via SMS introduce additional vulnerabilities. While they’re designed to confirm user authenticity, attackers can bypass them through SIM swaps, VoIP spoofing, or simply claiming that a device was lost. Without the ability to detect spoofed numbers or dynamically verify identity, call center agents often can’t distinguish a real user from an imposter. Weak fallback procedures, like over-the-phone MFA resets without secondary verification, turn a single phone call into an open door.

Compounding these risks is the sheer call volume at large contact centers. Under pressure to resolve cases quickly, agents may make mistakes—something attackers exploit by calling repeatedly until they reach a less cautious agent. 

New tools tilt the balance further toward attackers: AI-powered voice cloning can now mimic an individual’s voice with alarming accuracy. Deepfake voice scams spiked more than 1,300% from 2023 to 2024. 

Today’s adversaries convincingly impersonate legitimate users. They script responses, spoof caller IDs, and use cloned voices. If an enterprise relies solely on knowledge-based questions and MFA, its call center becomes the path of least resistance. In modern account takeover (ATO) chains, identity—not credentials or firewalls—is the frontline. Attackers assume identities, target humans, exploit procedural weaknesses, and move laterally once inside. 

How identity threat detection and response counters account takeover chains 

Identity Threat Detection and Response (ITDR) secures interactions across all access points—web, mobile, and call center—by using real-time risk signals and adaptive identity verification to detect and block identity-based attacks. 

At the call center, ITDR can assess risk during the Interactive Voice Response (IVR) stage, flagging suspicious callers and issuing identity verification challenges before they reach a live agent. This preemptive filtering reduces social engineering opportunities and minimizes agent exposure. 

In most enterprises, identity verification remains fragmented—a patchwork of automated and manual steps. For instance, onboarding workflows may automatically provision access in a directory but still require manual account creation for certain applications. Fewer than 4% of organizations have fully automated their core identity processes; the rest rely heavily on help desks, creating opportunities for manipulation. 

Comprehensive ITDR solutions reduce dependence on credentials and increase automation in access decisions. Take login flows as an example: 

  • In a traditional static flow, entering correct credentials grants access.
  • In an adaptive flow, ITDR evaluates contextual risk signals such as:
      • Is the device or location new?
      • Is user behavior anomalous or matching a known threat pattern?
      • Has the account appeared in breach data?

If risk is detected, the workflow escalates identity verification—through biometric checks, verified device confirmation, or additional MFA. Microsoft’s Zero Trust guidance emphasizes that continuous verification and just-in-time elevation of trust are essential for modern defense. Authentication should be an ongoing process, not a one-time event. 
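
The static and adaptive flows above, side by side, as an added example that is not from the original article or any vendor's product. The field names, weights and thresholds are assumptions chosen for illustration, and the rule that an MFA reset always requires step-up extends the login example to the help-desk case discussed earlier.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # biometric check, verified-device confirmation or additional MFA
    DENY = "deny"

@dataclass(frozen=True)
class Request:
    """One access request; all field names are hypothetical."""
    operation: str            # "login" or "mfa_reset"
    primary_ok: bool          # password correct, or caller answered the agent's questions
    new_device: bool = False
    new_location: bool = False
    anomalous_behavior: bool = False
    in_breach_data: bool = False
    step_up_passed: bool = False

# Assumed weights and thresholds; a deployment would tune these on its own data.
WEIGHTS = {"new_device": 25, "new_location": 15,
           "anomalous_behavior": 40, "in_breach_data": 30}
STEP_UP_AT, DENY_AT = 25, 80

def risk_score(req: Request) -> int:
    return sum(w for signal, w in WEIGHTS.items() if getattr(req, signal))

def static_flow(req: Request) -> Action:
    """Traditional flow: the primary factor alone decides."""
    return Action.ALLOW if req.primary_ok else Action.DENY

def adaptive_flow(req: Request) -> Action:
    """Adaptive flow: context decides how much verification is required."""
    if not req.primary_ok:
        return Action.DENY
    score = risk_score(req)
    if score >= DENY_AT:
        return Action.DENY
    # An MFA reset is never granted on knowledge answers alone, whatever the score.
    needs_step_up = score >= STEP_UP_AT or req.operation == "mfa_reset"
    if needs_step_up and not req.step_up_passed:
        return Action.STEP_UP
    return Action.ALLOW

# Constructed sample: caller knows the employee's details and says the phone was lost.
lost_phone_call = Request("mfa_reset", primary_ok=True, new_device=True)
```

For the constructed "lost phone" call, `static_flow` grants the reset while `adaptive_flow` holds it until a step-up check succeeds.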

Behind the scenes, adaptive security relies on orchestration: directing login requests through risk engines and fraud detection systems before authentication completes. IBM, for instance, describes workflows where a new hire’s first login triggers an MFA challenge after a fraud engine flags it as high-risk. 

These orchestration platforms integrate directories, SSO, MFA, and threat intelligence, applying the right security controls dynamically rather than assuming one static process fits all. 

Conclusion 

Modern account takeover attacks are sophisticated, multi-stage campaigns that exploit human trust. Most breaches now begin not with brute-force hacking but with stolen credentials and impersonation. 

To defend effectively, enterprises must treat identity as a critical security endpoint. That means extending protection to every interaction point—including call centers—and deploying adaptive, risk-aware identity workflows. 

For CISOs, this requires elevating identity to a top-tier security priority and investing in Identity Threat Detection and Response capabilities that make it far harder for attackers to turn social engineering into a successful breach. 
