IT helpdesk scams are ramping up – here’s what leaders can do

Sophisticated IT helpdesk scams are increasingly targeting firms of all sizes – what can be done to stop them?


IT helpdesk scams are on the rise, with adversaries using increasingly sophisticated techniques to target users. The consequences for companies are significant, with fake IT helpdesks enabling attackers to quickly gain entry to firms’ systems to deploy malware and steal data.

Threat actors know the value of tricking employees into falling for helpdesk scams. Recently, adversaries were observed ramping up phishing campaigns involving fake helpdesk domains to target the legal, financial services and accounting sectors in the US, according to researchers at EclecticIQ.

Sometimes cybercriminals trick organizations' actual helpdesks. IT helpdesk workers at the Co-op and M&S were conned into giving hackers access to their companies' systems, enabling the recent cyber-attacks, reports have suggested.

So, what new and sophisticated IT helpdesk scams are targeting firms and what can be done to stop them?

Evolving IT helpdesk scams

Helpdesk scams have been around for decades, but in the past, they primarily targeted individual consumers. However, they are now evolving towards targeting high-value organizational users, according to experts.

“The premise is that you are being contacted by your company’s, or a supplier’s IT helpdesk, in order to handle an important issue, or to make some kind of upgrade,” explains Matt Aldridge, principal solutions consultant at OpenText Cybersecurity.

Attackers previously lured victims via direct phone calls, but they are now increasingly using a multichannel approach including email, SMS, instant messenger, social media and voicemail, says Aldridge. “Enticing users to make the call themselves is a key tactic.”

The aim of this type of scam is clear. Adversaries focus on gaining remote control of the user’s system, and once they have done so, they will steal data, deploy malware and make financial transactions.

Making things worse, attackers are learning to be more convincing to avoid arousing suspicion, according to Bharat Mistry, field CTO at Trend Micro. “The person on the other end of the phone will spend 30 to 45 minutes being super-patient and friendly, slowly gaining your trust. Eventually, they'll convince you to install legitimate programs such as AnyDesk or TeamViewer. These tools are used for real tech support, but in this case, they give attackers full access to your computer without you even realising it.”

One threat group using IT helpdesk scams is Luna Moth, which is known to send “highly convincing initial lure emails” that imitate legitimate services or internal communications, Mistry says. “These emails often create a sense of urgency or fear, pushing victims to act quickly, without thinking.”

Common pretexts include fake subscription renewal notices, security warnings about suspicious account activity, and internal IT alerts. “They might also use typo-squatted domains, registering slightly altered website addresses such as [company]-helpdesk.com to impersonate real IT portals,” Mistry adds.
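The typo-squatted helpdesk domains Mistry describes can be flagged in mail logs with a simple allowlist-plus-pattern check. The following is an added example, not code from the article or any of the experts quoted; the organisation name "example", its domains, the log format and the sample lines are all constructed assumptions.

```python
"""Flag helpdesk-themed lookalike sender domains in mail logs (constructed data)."""
import re

BRAND = "example"                       # assumption: the organisation's brand string
LEGIT_REGISTRABLE = {"example.com"}     # assumption: its real registrable domains
SUPPORT_WORDS = ("helpdesk", "help-desk", "servicedesk", "support", "it")

def registrable(domain: str) -> str:
    """Last two labels, e.g. mail.example-helpdesk.com -> example-helpdesk.com.
    Simplification: no public-suffix handling, so x.co.uk would be missed."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()

def is_lookalike(domain: str) -> bool:
    """True when a non-allowlisted domain pairs the brand with a support keyword,
    covering forms such as example-helpdesk.com, examplesupport.net, it-example.com."""
    reg = registrable(domain)
    if reg in LEGIT_REGISTRABLE:
        return False                    # genuine domain or one of its subdomains
    label = reg.split(".")[0]
    if BRAND not in label:
        return False
    rest = label.replace(BRAND, "", 1).strip("-_")
    tokens = re.split(r"[-_]+", rest)
    return any(t in SUPPORT_WORDS for t in tokens) or any(
        w in rest for w in ("helpdesk", "servicedesk", "support"))

FROM_RE = re.compile(r"from=\S+@([\w.-]+)")

def scan_mail_log(lines):
    """Return (line_no, sender_domain) for every line whose sender looks like a helpdesk impersonation."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = FROM_RE.search(line)
        if m and is_lookalike(m.group(1)):
            hits.append((n, m.group(1).lower()))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2025-05-12T09:14:03Z from=noreply@example.com to=alice@example.com subject=Weekly digest",
    "2025-05-12T09:20:41Z from=it-support@example-helpdesk.com to=alice@example.com subject=Urgent: confirm MFA reset",
    "2025-05-12T09:22:10Z from=billing@vendor-invoices.net to=bob@example.com subject=Subscription renewal",
    "2025-05-12T09:25:55Z from=helpdesk@examplesupport.net to=carol@example.com subject=Security alert on your account",
    "2025-05-12T09:30:02Z from=admin@helpdesk.example.com to=dave@example.com subject=Ticket #4417 closed",
]

if __name__ == "__main__":
    for n, dom in scan_mail_log(SAMPLE_LOG):
        print(f"line {n}: suspicious helpdesk lookalike sender domain {dom}")
```

Lines 2 and 4 of the sample are flagged; the genuine helpdesk.example.com subdomain on line 5 is not.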

Attackers using IT helpdesk scams

A number of different types of attackers are using IT helpdesk scams as a means to gain entry into organizations’ systems. Conning users in this way is a favored tactic for both nation state threat groups and financially-motivated cybercriminal gangs, says Richard LaTulip, a field chief information security officer at Recorded Future.

For example, nation state groups including Russia-linked APT29 have used this method to gain access to government and corporate email accounts, he says.

Meanwhile, cybercriminal crews such as Scattered Spider have taken advantage of the tactic in high-profile ransomware operations, including the 2023 breach of MGM Resorts. “In that case, attackers posed as helpdesk personnel over the phone, exploiting publicly available employee data to induce password resets and multi-factor authentication (MFA) approvals, bypassing security controls,” warns LaTulip.

Attackers are increasingly zeroing in on industries where the stakes and potential payoffs are high, experts say. The legal sector is a prime target due to its access to confidential client information, intellectual property and details of mergers and acquisitions, says Mistry.

Meanwhile, financial services firms are attractive for their direct access to financial systems, customer accounts and market intelligence.

Attacks often target IT professionals themselves, as seen in the M&S and Co-op breaches. This is because compromising an IT worker can “provide direct access to critical IT infrastructure, administrative privileges and the ability to disable security controls”, says Mistry.

AI and the future of IT helpdesk scams

IT helpdesk scams are certainly developing quickly but in the future, attacks could become even more convincing as adversaries exploit generative AI to increase their scale and plausibility.

Even now, AI “makes it child’s play” for attackers to craft believable phishing hooks, which also blend in “highly persuasive language” to maximise the chance of the target falling for the scam, says Aldridge.

AI can also be used to create human-sounding voices, with accents regionalised to make them seem realistic, LaTulip adds.

Meanwhile, AI can help adversaries effectively harvest information about the employees they are targeting. “This allows the supposed member of IT support staff to talk convincingly about colleagues and workplace situations,” LaTulip warns. “The attacker will lace conversations with anecdotes, day-to-day references and namedrop colleagues to build trust and confidence.”

And things are getting even scarier as attackers use AI chatbots within their lures. Mistry explains how threat groups such as Luna Moth are leveraging legitimate platforms such as Reamaze to “deploy bots that can mimic human conversation, engage multiple victims at once, and operate around the clock”.

As IT helpdesk scams gain pace, there are a number of key steps firms can take to protect themselves. The human element is an important factor, so staff education is integral, says Aldridge.

“Since these attacks can bypass almost any security control, it is critical that users are regularly trained and that simulations are run against high-risk user populations to ensure it’s effective.”

Mistry concurs. Companies need to implement “regular and realistic” security awareness training that “specifically highlights callback scams and stresses the importance of independently verifying all unsolicited requests for IT support”, he advises.

Fostering a culture where employees feel comfortable reporting suspicious interactions quickly is “vital”, says Mistry.

In addition, the traditional advice of ensuring that users don’t have admin rights and that they cannot install unsanctioned software is “paramount”, Aldridge says. “Any remote control software that is not required by the organization’s own support teams should be completely blocked.”
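Aldridge's advice to block any remote control software the organisation's own support teams do not need can be expressed as an allowlist check over process-creation logs. This is an added example, not code from the article or the experts quoted; the sanctioned tool, the support-team accounts and the log format are constructed assumptions.

```python
"""Classify remote-control tool launches against a sanctioned-tool allowlist (constructed data)."""
import re

# Tools named in the article plus a few common peers (assumption: extend to the tools seen in your estate).
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "quickassist.exe", "rustdesk.exe"}
SANCTIONED_TOOLS = {"teamviewer.exe"}                       # assumption: the only tool support is allowed to use
SUPPORT_TEAM = {"CORP\\it-support-01", "CORP\\it-support-02"}  # assumption: accounts permitted to run it

LINE_RE = re.compile(r'user="(?P<user>[^"]+)"\s+image="(?P<image>[^"]+)"')

def classify(line: str):
    """Return None for non-remote-control processes, otherwise one of
    'allowed', 'unsanctioned-tool' or 'unauthorized-user'."""
    m = LINE_RE.search(line)
    if not m:
        return None
    exe = m.group("image").replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in REMOTE_TOOLS:
        return None
    if exe not in SANCTIONED_TOOLS:
        return "unsanctioned-tool"          # e.g. AnyDesk installed at a caller's request
    if m.group("user") not in SUPPORT_TEAM:
        return "unauthorized-user"          # sanctioned tool, but not run by support staff
    return "allowed"

def scan_process_log(lines):
    """Return (line_no, verdict) for every remote-control tool launch that is not allowed."""
    return [(n, v) for n, line in enumerate(lines, 1)
            if (v := classify(line)) not in (None, "allowed")]

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    'host=WS-0412 user="CORP\\alice" image="C:\\Windows\\System32\\notepad.exe"',
    'host=WS-0412 user="CORP\\alice" image="C:\\Users\\alice\\Downloads\\AnyDesk.exe"',
    'host=WS-0077 user="CORP\\it-support-01" image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
    'host=WS-0291 user="CORP\\bob" image="C:\\Program Files\\TeamViewer\\TeamViewer.exe"',
]

if __name__ == "__main__":
    for n, verdict in scan_process_log(SAMPLE_LOG):
        print(f"line {n}: {verdict}")
```
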

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google.