Picture this: your laptop is experiencing issues that make it difficult to complete your tasks. This prompts you to open a support ticket with your helpdesk or IT team.
Shortly after, you receive a call from “Tech Support,” who seems more than ready to assist you. To resolve your laptop issue, however, they need you to accept a quick push notification, which you unsuspectingly approve. But instead of fixing the problem, the alleged tech support person has begun quietly exfiltrating your company’s sensitive information to sell it online for a profit or even hold it for ransom.
This isn’t hypothetical; it reflects the reality of a new wave of helpdesk scams cybercriminals are leveraging.
In this blog post, we’ll discuss how the scam works and how businesses can stay safe. We’ll also show you how Techmedics can provide IT helpdesk and desktop support services you can always count on.
New research by identity and access management company Okta found that custom voice phishing kits are now being sold on dark web messaging platforms and forums. Designed to target victims’ Okta, Google, and Microsoft accounts, these kits offer real-time assistance to cybercriminals looking to steal users’ login credentials and multifactor authentication (MFA) codes.
According to the report, attackers who purchase these kits impersonate an organization’s helpdesk and pretend to resolve a support ticket or perform a mandatory technical update. Here’s how these kits are used in real attacks:
The scam starts with cybercriminals gathering information about their targets, learning their names, the apps they use, and IT support phone numbers. They collect this data by searching companies’ websites, employees’ LinkedIn pages, and other online sources. They may also use artificial intelligence-powered chatbots to expedite their research.
The threat actor leverages the phishing kit to create a realistic-looking company login page. Next, the attackers call using a spoofed company phone number or support hotline. They pretend to be from the business’s helpdesk, claiming they detected a problem (e.g., “Your account needs verification” or “Suspicious login attempts were detected on your account”).
To “fix” the alleged problem, the attacker convinces the target to visit the fake login portal they created. If the user enters their login credentials on the page, these details are forwarded automatically to the attacker’s Telegram channel, giving them valid credentials for the real company sign-in page.
If the victim’s account has MFA enabled, the phishing kit can update the fake login page in real time to also display an MFA challenge.
If the real system asks for a six-digit code, for example, the phishing site will also ask the user to enter the code they just received. Or if a login approval request is required, the phishing page might display, “Please approve the login from your app.”
According to Okta, the phishing kits can even help attackers circumvent push notifications that use number-matching by prompting the victim to enter the specific number displayed.
At that point, the target has successfully authenticated the attacker’s login attempt, ultimately providing them access to their account and potentially company systems and data.
This scheme highlights three key lessons for businesses:
MFA remains one of the most effective defenses against account takeover as it requires users to present two or more proofs of their identity, such as a one-time code or push notification.
However, cybercriminals are finding ways around this, as demonstrated by the scam. They can now mimic traditional MFA prompts through phishing kits and allay users’ fears that they might be on a fraudulent page. This makes it essential for your business to implement stronger security measures.
For example, phishing-resistant MFA methods like hardware keys and passkeys are a powerful alternative. These use cryptographic authentication tied to the legitimate website domain. Even if the attackers acquire a user’s login credentials, they cannot log in without the victim’s hardware key or passkey. The key will also only work on the real domain, not a phishing site.
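To make the domain binding concrete, here is an added example (not from Okta's report or from Techmedics) of the origin and RP ID checks a sign-in server performs on a WebAuthn assertion. The domain names, the `browser_assertion` stand-in, and the function names are assumptions made for illustration, and signature verification is left out to keep the focus on the binding.

```python
import base64
import hashlib
import json

RP_ID = "login.example.com"                   # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed real sign-in origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_assertion(page_origin: str, page_rp_id: str, challenge: bytes):
    """Constructed stand-in for the browser and authenticator output.

    Models only the fields checked below: the browser (not the page) writes
    the origin into clientDataJSON, and authenticatorData starts with the
    SHA-256 of the RP ID the request was made for.
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    rp_id_hash = hashlib.sha256(page_rp_id.encode()).digest()
    # rpIdHash (32 bytes) | flags (0x05 = user present + verified) | signCount
    return client_data, rp_id_hash + b"\x05" + (1).to_bytes(4, "big")


def check_assertion(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Return the names of failed binding checks (empty list = all pass)."""
    if len(auth_data) < 37:
        return ["authenticatorData"]
    cd = json.loads(client_data)
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    if cd.get("challenge") != b64url(challenge):
        failures.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if not auth_data[32] & 0x01:  # user-presence flag must be set
        failures.append("userPresent")
    return failures
```

A full verifier also validates the signature over authenticatorData and the hash of clientDataJSON with the stored public key, which is what keeps these fields from being rewritten in transit. Unlike a six-digit code, the response carries the page's origin inside it, so a response produced on a look-alike page does not validate at the real sign-in service.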
Traditionally, IT departments have always been the ones verifying users by asking for passwords, providing MFA factors, and approving logins. But with the rise of helpdesk impersonation scams, it’s now essential for users to have a way to verify the IT department.
For starters, businesses can implement a formal challenge/response protocol. Whenever IT calls them, employees must ask for a verification method, like a verification code or a challenge phrase. If the caller can’t provide it, they must hang up immediately.
Alternatively, if someone claiming to be from IT calls and the conversation seems suspicious, employees should double-check by ending the call and dialing the company’s official IT support number. This eliminates the risk of speaking to a scammer.
In the age of sophisticated phishing scams, the helpdesk should no longer be just a support function. If a helpdesk team only sees itself as a group that resolves IT issues, they can easily be tricked into resetting passwords or granting access to systems without detecting suspicious activity.
Instead, they must recognize that cybercriminals are actively targeting their identity and embrace a proactive frontline defender role. Some security-first practices they can apply include:
If your business suffers from ineffective IT support and security gaps, it can lead to lost productivity, reputational damage, and costly disruptions.
With the many challenges of maintaining a strong helpdesk strategy, why not switch to Techmedics? We offer the following solutions that help you provide seamless IT support to your team:
Our IT helpdesk and desktop support team will never ask for your password, read back an MFA code, or accept a push notification you didn’t initiate. Most importantly, we will never direct you to an unofficial login page to address any IT issue.
With us, your helpdesk becomes a catalyst for growth, not a hindrance. Talk to one of our experts today for a FREE consultation.