IT Social Engineering

The Helpdesk Call at 8pm

IT is calling about suspicious activity on your account. They need your MFA code.

Role: All Staff·Attack type: IT Social Engineering

Documented loss

Estimated $4.88M average breach cost + regulatory exposure

In this scenario or comparable documented case

The story

Jennifer Larson is the VP of Sales at a fast-growing enterprise software company. She is security-conscious, has attended every training session, and has never clicked a phishing link. She answers the call at 8:04 pm on a Wednesday.

The voice is professional and measured — the kind of tone that reads as IT. The caller ID shows the company's internal IT support number. The caller identifies themselves by name, mentions a specific ticket number, and explains that they've detected anomalous login attempts against Jennifer's account from an Eastern European IP range.

The caller explains that they need to temporarily bypass MFA to lock out the unauthorized session before the attacker can escalate. Standard procedure. They've already sent a code to her registered phone — could she read it back to confirm her account ownership before they proceed?

Jennifer reads the code. It was a legitimate MFA code: the attacker had started a sign-in with Jennifer's own credentials, bought from a credential breach database for $12, and the company's Microsoft Authenticator flow delivered the challenge to her registered phone exactly as designed. The code Jennifer read out completed the MFA challenge for the attacker's sign-in, not for any session of hers. The attacker is now authenticated as Jennifer.
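To make the mechanism concrete, here is an added example (not code from the original page or from Real Authenticator) that models the code on Jennifer's phone as an RFC 6238 TOTP value and runs the call as a sequence of function calls. The assumption is that the identity provider verifies the code the way most do: it checks that the digits are valid for the account right now, and nothing more. The username, password and seed are constructed.

```python
"""Why a code read back over the phone completes the attacker's login.

Added example, not code from the original page or from Real Authenticator.
It models the MFA code as an RFC 6238 TOTP value (an assumption; the story
only says a code was delivered to Jennifer's phone) and shows that a typical
verifier checks the code, never who typed it or who started the sign-in.
The username, password and seed below are constructed.
"""
import hashlib
import hmac
import struct
import time

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6
SKEW = 1       # accept codes from one step before/after for clock drift


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


class IdP:
    """Toy identity provider: password check, then a TOTP check."""

    def __init__(self, users):
        # users: name -> (password, totp_seed); both constructed for the example
        self.users = users
        self.sessions = []   # (user, submitted_by) for each successful login

    def login(self, user, password, code, submitted_by, now):
        """Return True and open a session if password and code are valid.

        Nothing here ties the code to the party submitting it. Whoever types a
        currently valid code within the skew window is authenticated.
        """
        stored_pw, seed = self.users.get(user, (None, None))
        if stored_pw is None or not hmac.compare_digest(password, stored_pw):
            return False
        counter = now // STEP
        valid = {hotp(seed, counter + d) for d in range(-SKEW, SKEW + 1)}
        if code not in valid:
            return False
        self.sessions.append((user, submitted_by))
        return True


def relay_attack(now=None):
    """Replay the call: attacker submits the breached password, the code lands
    on Jennifer's phone, she reads it out, the attacker types it in.
    Returns (attacker_login_ok, stale_code_ok, sessions_opened)."""
    now = int(time.time()) if now is None else now
    seed = b"constructed-totp-seed-for-jennifer"
    idp = IdP({"jennifer": ("Summer2024!", seed)})       # constructed breached password

    # Step 1: attacker enters the leaked password; the IdP now wants a code.
    # Step 2: Jennifer's phone shows the current code for her account.
    code_on_phone = totp(seed, now)
    # Step 3: the "helpdesk" asks her to read it back "to confirm ownership".
    # Step 4: attacker submits it seconds later, inside the validity window.
    attacker_ok = idp.login("jennifer", "Summer2024!", code_on_phone, "attacker", now + 20)
    # A stale code still fails, which is why the attacker needs the live one
    # from the victim rather than anything that was in the breach dump.
    stale_ok = idp.login("jennifer", "Summer2024!", totp(seed, now - 600), "attacker", now + 20)
    return attacker_ok, stale_ok, idp.sessions


if __name__ == "__main__":
    print(relay_attack())
```

The session the server records belongs to "jennifer" even though "attacker" submitted the code; the verifier has no field in which the distinction could even be expressed. That is the whole reason the caller needs the victim on the phone at the moment of login rather than any data from the breach.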

At 8:12 pm, an export job is initiated from the company's CRM. 47,000 customer records — names, emails, company affiliations, and deal pipeline data — are exported to an external endpoint. At 8:17 pm, the attacker's session ends. The export job completes at 8:23 pm.

The breach is not detected for 19 days, until a client calls to report phishing emails that were clearly built from the company's customer database. The subsequent investigation determines the attack vector, triggers GDPR notification obligations, and opens a regulatory inquiry that takes 14 months to resolve.
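The 19-day detection gap is avoidable: every signal needed was already in the sign-in and CRM audit logs at 8:12 pm. Below is an added example (not code from the original page or from any vendor) of the two correlation rules a SOC would write for this pattern, run over constructed log records that mirror the story's timeline. The field layout and the IP addresses are assumptions, not a real identity-provider or CRM schema.

```python
"""Detection logic that would have surfaced the scenario the same evening.

Added example, not code from the original page or from any vendor's product.
The log records are constructed to mirror the story's timeline (MFA success at
20:04, 47,000-row export at 20:12); the field layout and the IP addresses are
assumptions, not a real sign-in or CRM schema.
"""
from datetime import datetime, timedelta

# Constructed sign-in log: (timestamp, user, result, mfa_method, source_ip)
SIGNIN_LOG = [
    ("2024-06-11T18:42:05", "jennifer", "success", "push", "203.0.113.7"),        # office, prior day
    ("2024-06-12T09:01:10", "jennifer", "success", "push", "203.0.113.7"),        # office, same day
    ("2024-06-12T20:03:40", "jennifer", "mfa_required", "otp", "198.51.100.23"),  # attacker's password ok
    ("2024-06-12T20:04:55", "jennifer", "success", "otp", "198.51.100.23"),       # code read back
    ("2024-06-12T20:30:00", "marcus", "success", "push", "203.0.113.9"),          # unrelated user
]

# Constructed CRM audit log: (timestamp, user, action, row_count)
CRM_AUDIT_LOG = [
    ("2024-06-12T10:15:00", "jennifer", "export", 120),     # routine report
    ("2024-06-12T20:12:03", "jennifer", "export", 47000),   # the exfiltration
]

EXPORT_THRESHOLD = 5000               # rows; tune to the tenant's normal exports
LINK_WINDOW = timedelta(minutes=30)   # export must follow the risky sign-in this closely


def parse(ts):
    return datetime.fromisoformat(ts)


def risky_signins(signins):
    """Successful sign-ins from an IP the user has never succeeded from before.

    A per-user baseline is built from earlier successes, so a user's first
    ever sign-in is not flagged (there is nothing to compare it against).
    """
    seen = {}
    flagged = []
    for ts, user, result, method, ip in sorted(signins):   # ISO timestamps sort lexically
        if result != "success":
            continue
        baseline = seen.setdefault(user, set())
        if ip not in baseline and baseline:
            flagged.append({"ts": parse(ts), "user": user, "ip": ip, "mfa": method})
        baseline.add(ip)
    return flagged


def detect(signins, crm_events, threshold=EXPORT_THRESHOLD, window=LINK_WINDOW):
    """Return alerts as (rule, user, timestamp, detail) tuples.

    Two rules: a new-IP MFA success on its own (medium), and a bulk CRM export
    within `window` of such a sign-in (high), which is the story's 20:12 job.
    """
    alerts = []
    risky = risky_signins(signins)
    for r in risky:
        alerts.append(("new_ip_mfa_success", r["user"], r["ts"].isoformat(), r["ip"]))
    for ts, user, action, rows in crm_events:
        if action != "export" or rows < threshold:
            continue
        t = parse(ts)
        if any(r["user"] == user and r["ts"] <= t <= r["ts"] + window for r in risky):
            alerts.append(("bulk_export_after_new_ip_login", user, ts, rows))
    return alerts


if __name__ == "__main__":
    for alert in detect(SIGNIN_LOG, CRM_AUDIT_LOG):
        print(alert)
```

In production the baseline would come from 30 or 90 days of history and compare ASN or country rather than a raw IP, and the export rule would key on the CRM's job-start event so the alert fires while the attacker's session is still open. The 120-row export at 10:15 does not alert, and neither does the unrelated user's first sign-in, which is the kind of false-positive behaviour to check before deploying the rule.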

The Verizon DBIR reports that voice phishing accounts for 67% of social engineering-initiated breaches. IT helpdesk impersonation — specifically the pattern of requesting MFA codes under the cover of security incident response — is the most documented vishing technique.

What happened

Full CRM database exfiltrated. GDPR notification required. Regulatory fine investigation opened.

What stops it

A verification culture where staff expect code confirmation for any IT request makes vishing attempts immediately recognizable.

What this scenario teaches us

  • Caller ID can be trivially spoofed to display any number, including internal corporate extensions. Internal caller ID is not evidence of internal origin.

  • Legitimate IT departments never need you to read them a code — they can reset authentication on their end without it. Any request for a live authentication code from someone calling you is a scam.

  • The emotional lever in this attack — 'your account is compromised right now' — is designed to accelerate compliance and suppress deliberation. Real incidents create urgency; so do fake ones. Verification protocols should be applied consistently regardless of urgency framing.

  • A company-wide verification culture — where staff expect and request code confirmation for sensitive actions — creates immediate recognition when an attacker requests the opposite.

Prevention checklist

  • Train all staff: real IT never asks for a live MFA code over the phone

  • Establish a company helpdesk callback protocol: hang up, call the known IT number

  • Enroll IT staff in Real Authenticator so staff can verify real IT requests with a code

  • Add a standing policy: any caller requesting credential or code information is automatically suspect

Frequently asked questions

How did the attacker have Jennifer's credentials?

Credential breach databases containing hundreds of millions of username/password pairs are available for purchase for trivially small amounts. Once an attacker has credentials, the only barrier is MFA — which this attack was specifically designed to socially engineer around.

Would passkeys prevent this?

Passkeys remove the password-plus-OTP pattern this attack relies on: there is no code for the victim to read out, and the passkey signature is bound to the site's origin, so it cannot be relayed into an attacker's sign-in over the phone. They do not eliminate social engineering broadly; attackers adapt, for example by steering the victim into an account recovery or re-enrollment flow that falls back to weaker factors. Real Authenticator operates at the layer above authentication: verifying the identity of the person making a request, not just their credentials.

Sources & citations

Loss figures are based on documented cases or FBI IC3 reported averages. Individual scenario details are illustrative reconstructions based on documented attack patterns. Real Authenticator is not affiliated with any cited organization.

Your team can't verify.
AI already knows it.

Every week you don't have a verification layer is a week an attacker can impersonate your CFO, your legal counsel, or your vendor — and someone on your team will trust them. Close the gap.

Reply within one business day
30-day pilot, no contract required
Zero-knowledge — nothing to breach
Talk to Our Enterprise Team

Custom pricing · Volume discounts · Annual contracts available