The Recent Wave of Vishing Attacks on Help Desks Has Not Slowed
The pattern of help-desk intrusions that gained attention with the MGM and Caesars incidents in 2023 has not slowed. Multiple reported breaches in the last month began the same way: a phone call to internal IT support, a plausible story about being locked out, and a password reset granted on the strength of information that turned out to be public.
What has changed is the sophistication of the calls themselves. Attackers are now arriving with accurate manager names, recent project references, and convincing background noise that suggests an office or a job site. The cost of preparing this kind of pretext has dropped sharply, and the open-source intelligence required is mostly free.
The defensive answer is not to make help desk staff more skeptical, which is asking them to absorb the entire risk personally. It is to redesign the verification step so that the hard work is done by the workflow rather than the human. Out-of-band confirmation, video verification with a known coworker, and mandatory delays for sensitive resets all reduce the burden on the person answering the call.
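To make the "workflow, not the human" idea concrete, here is an added Python sketch (not code from the original post) of a reset gate in which a phone call alone can never complete a reset: the request only closes after an out-of-band token, delivered to a channel registered before the call, is confirmed, and sensitive accounts additionally wait out a mandatory hold. The hold length and the list of sensitive accounts are assumed placeholder values.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for illustration: hold length and which accounts count as sensitive
SENSITIVE_HOLD_SECONDS = 4 * 3600

@dataclass
class ResetRequest:
    user: str
    sensitive: bool
    created_at: float
    oob_token: str
    oob_confirmed: bool = False

class ResetWorkflow:
    """Reset gate in which the workflow, not the agent, enforces verification.

    A reset completes only after (1) out-of-band confirmation with a token sent to a
    channel registered before the call and (2) for sensitive accounts, a hold period."""
    def __init__(self, sensitive_users, now=time.time):
        self.sensitive = set(sensitive_users)
        self.now = now  # injectable clock so the hold period can be tested
        self.pending = {}

    def open_request(self, user):
        # The token goes to the pre-registered device or mailbox, never back to the caller.
        token = secrets.token_urlsafe(16)
        self.pending[user] = ResetRequest(user, user in self.sensitive, self.now(), token)
        return token

    def confirm_out_of_band(self, user, token):
        req = self.pending.get(user)
        if req is not None and secrets.compare_digest(req.oob_token, token):
            req.oob_confirmed = True
            return True
        return False

    def try_complete(self, user):
        """Return (allowed, reason); the agent cannot override either check."""
        req = self.pending.get(user)
        if req is None:
            return False, "no pending request"
        if not req.oob_confirmed:
            return False, "out-of-band confirmation missing"
        if req.sensitive and self.now() - req.created_at < SENSITIVE_HOLD_SECONDS:
            return False, "mandatory hold period not elapsed"
        del self.pending[user]
        return True, "reset approved"
```

Because every refusal carries a reason, the same gate doubles as a log source for spotting repeated reset attempts that never reach out-of-band confirmation.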
Help desks that still allow voice-only verification for password resets are operating on borrowed time. The reset process is the most common path into the network, and it is also one of the easiest to harden.