Threats have changed—has your service desk?
Today, modern companies sit at the intersection of two disciplines that used to operate in isolation from one another: service desk operations and cybersecurity. This dual perspective gives us a view of the enterprise attack surface that few providers can claim. For years, cybersecurity conversations centered on firewalls, endpoint protection, multi-factor authentication (MFA), and zero-trust architecture. These are still critical controls, and organizations have invested heavily in them.
But adversaries are adaptive, and what we are witnessing across our client base should concern every organization that relies on an IT service desk as part of its operations. As the technical perimeter hardened, sophisticated threat actors shifted their attention to something far more difficult to patch: the human beings who answer the phone at your IT service desk.
The service desk exists to help employees quickly resolve problems, regain access to systems, and keep the business moving. That culture of helpfulness is now one of the most exploited vulnerabilities in modern enterprises. When a well-prepared attacker calls your service desk and impersonates a locked-out executive, they are not hacking your systems in the traditional sense. They are exploiting your processes.
Cyber-attacks on service desks are not a hypothetical risk; they are happening today to organizations of every size and sector. As an MSP that operates service desks for clients across industries, our first response is to be transparent about what we are seeing and what needs to change.
The threat landscape in detail
The data from 2024 and into 2025 tells a clear and urgent story. Social engineering has overtaken malware and software exploitation as the leading initial access vector in enterprise cyberattacks. According to Palo Alto Networks' Unit 42 Global Incident Response Report, 36% of all cyber intrusions between May 2024 and May 2025 began with social engineering tactics — surpassing both malware deployment and vulnerability exploitation.
More alarming still is what happens once an attacker successfully manipulates a service desk agent. In a documented Unit 42 case, an attacker impersonated a locked-out employee, passed the organization’s identity verification checks, and gained access to over 350 gigabytes of sensitive data—without deploying a single piece of malware. In another case, a threat actor moved from initial service desk access to full domain administrator rights in under 40 minutes, using only built-in system tools and the credentials obtained through social deception.[1]
These attacks follow a recognizable pattern that modern security teams have observed repeatedly:
- Reconnaissance: The attacker researches the target individual using LinkedIn, corporate websites, social media, and dark web data. They learn the person's name, title, manager, recent activities, and enough personal details to sound credible.
- Impersonation: The attacker calls the service desk posing as the target employee. Typically, they claim to be locked out, traveling, or experiencing an urgent issue that requires immediate account access.
- Credential reset: The attacker pressures the service desk agent to reset the target's password, reset MFA, or provision a new authentication device. They often invoke urgency, authority, or frustration to accelerate compliance.
- Lateral movement: With valid credentials in hand, the attacker logs in as the legitimate user, pivots through connected systems, escalates privileges, and begins exfiltrating data or deploying ransomware—often remaining undetected for hours or days.
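The four-step pattern above leaves a footprint in two logs most organizations already collect: the service desk audit trail and the identity provider's sign-in log. The following is an added example, not code from the article or from any vendor, that correlates the two over constructed sample records: a desk-performed password or MFA reset followed within an hour by a sign-in from a device the account has never used, often with a new MFA factor enrolled on the spot. Both log formats and every field name (ticket, action, verification, device_id, known_device, mfa_method) are assumptions made for this illustration.

```python
"""Correlate service desk credential-reset records with identity provider
sign-ins to surface the pattern described above: an agent resets a password
or MFA for a caller, and shortly afterwards the account signs in from a
device the user has never used, often enrolling a new MFA method.

Added example, not from the article or any vendor. Both log formats and all
field names (ticket, action, verification, device_id, known_device,
mfa_method) are constructed for this illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed service desk audit trail, one JSON object per line.
DESK_EVENTS = """\
{"ts":"2025-03-10T13:02:00Z","ticket":"SD-1001","agent":"agent07","user":"j.doe","action":"password_reset","verification":"kbv"}
{"ts":"2025-03-10T13:04:00Z","ticket":"SD-1001","agent":"agent07","user":"j.doe","action":"mfa_reset","verification":"kbv"}
{"ts":"2025-03-10T09:15:00Z","ticket":"SD-0990","agent":"agent03","user":"m.chen","action":"password_reset","verification":"callback_hr_number"}
"""

# Constructed IdP sign-in log. known_device: has the IdP seen this device for
# this user before? mfa_method "new_enrollment" means a factor was registered
# during this sign-in. Source addresses are from the TEST-NET-3 range.
SIGNIN_EVENTS = """\
{"ts":"2025-03-10T13:21:00Z","user":"j.doe","device_id":"dev-9f3a","known_device":false,"mfa_method":"new_enrollment","src_ip":"203.0.113.45"}
{"ts":"2025-03-10T10:05:00Z","user":"m.chen","device_id":"dev-1111","known_device":true,"mfa_method":"push","src_ip":"203.0.113.9"}
{"ts":"2025-03-10T17:40:00Z","user":"j.doe","device_id":"dev-9f3a","known_device":true,"mfa_method":"push","src_ip":"203.0.113.45"}
"""

RESET_ACTIONS = {"password_reset", "mfa_reset", "new_auth_device"}
WINDOW = timedelta(hours=1)  # how long after the reset a first sign-in is suspicious


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value: str) -> datetime:
    # fromisoformat() in older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Alert:
    user: str
    ticket: str
    reset_at: datetime
    signin_at: datetime
    reasons: list[str]


def correlate(desk_text: str, signin_text: str, window: timedelta = WINDOW) -> list[Alert]:
    """Return one alert per ticket whose reset is followed, within `window`,
    by an anomalous sign-in for the same account."""
    # Earliest reset action per ticket, so a ticket with both a password and
    # an MFA reset produces a single alert anchored at the first change.
    first_reset: dict[str, dict] = {}
    for ev in parse_jsonl(desk_text):
        if ev["action"] in RESET_ACTIONS:
            t = ev["ticket"]
            if t not in first_reset or parse_ts(ev["ts"]) < parse_ts(first_reset[t]["ts"]):
                first_reset[t] = ev

    signins = parse_jsonl(signin_text)
    alerts: list[Alert] = []
    for reset in first_reset.values():
        t0 = parse_ts(reset["ts"])
        for s in signins:
            if s["user"] != reset["user"]:
                continue
            t1 = parse_ts(s["ts"])
            if not t0 <= t1 <= t0 + window:
                continue
            # Anomalies in the sign-in itself decide whether to alert.
            reasons = []
            if not s["known_device"]:
                reasons.append(f"first sign-in from device {s['device_id']} ({s['src_ip']})")
            if s["mfa_method"] == "new_enrollment":
                reasons.append("MFA factor enrolled during the sign-in")
            if reasons:
                # Weak verification at the desk is an aggravating factor, not a trigger.
                if reset["verification"] == "kbv":
                    reasons.append("desk verified the caller with knowledge-based questions only")
                alerts.append(Alert(reset["user"], reset["ticket"], t0, t1, reasons))
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(DESK_EVENTS, SIGNIN_EVENTS):
        print(f"[ALERT] {a.user} ticket {a.ticket}: reset {a.reset_at:%H:%M}, sign-in {a.signin_at:%H:%M}")
        for r in a.reasons:
            print("  -", r)
```

On the constructed records, the j.doe ticket is flagged (unknown device, MFA enrolled at first sign-in, knowledge-based verification at the desk) while the m.chen reset, followed by a sign-in from a known device with an existing push factor, is not. The window and the set of reset actions are the two knobs to tune against real volumes.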
The AI escalation: When you can no longer trust your ears
What was already a serious threat has been fundamentally transformed by generative AI. Voice cloning technology can now replicate a person's voice with as little as a few seconds of audio. This audio is often freely available from earnings calls, conference presentations, LinkedIn videos, or social media. Deepfake video technology has advanced to the point where real-time visual impersonation is a realistic attack vector.
This has profound implications for securing service desk authentication. Any verification process that relies on voice recognition, familiarity with the caller, or video confirmation is no longer a reliable control. An attacker impersonating a CFO no longer needs to sound like the CFO. Easily available AI tools can make them indistinguishable from the real person. Research from Deepstrike found that AI can construct a sophisticated, targeted phishing campaign in under 5 minutes — a task that previously took a human expert 16 hours.[2] There is no reason to expect this trend to reverse.
What weak authentication looks like, and why it persists
MSP service desk agents are authorized to reset credentials, provision accounts, modify access rights, and perform administrative functions across dozens of client networks. Scattered Spider and similar threat groups have been documented targeting MSPs specifically to exploit this one-to-many access model.[4]
In our work across client organizations, service desks and security teams regularly encounter authentication practices that were reasonable controls five or ten years ago but are dangerously inadequate today. The following authentication methods remain in widespread use despite being routinely defeated by well-prepared attackers:
- Knowledge-based verification (KBV): Asking callers to confirm their employee ID, date of birth, manager's name, or office location. All this information is frequently available through OSINT — LinkedIn profiles, corporate directories, social media, and dark web data dumps. An attacker who has spent 20 minutes researching a target can answer these questions as convincingly as the real employee.
- Single-factor confirmation: Requiring only one piece of identifying information before proceeding with sensitive account actions such as password resets or MFA modifications. A single factor, regardless of what it is, provides insufficient assurance of identity.
- Verbal authorization: Allowing managers or colleagues to verbally authorize access restoration for another employee. With AI voice cloning, the voice on the phone claiming to be the manager may not be the manager.
- Inconsistent application: Having strong authentication policies on paper that are waived under pressure — when a caller claims to be a senior executive, expresses frustration, or asserts that a business-critical process is stalled. Policies that bend under social pressure are not policies; they are suggestions.
Weak authentication at the service desk persists for reasons that are understandable, even if the consequences are not acceptable. Customer experience pressure is perhaps the most significant factor. Service desks are measured on call resolution time, first-call resolution rates, and customer satisfaction scores. Rigorous identity verification adds time to every interaction and can frustrate callers. In environments where these metrics drive agent behavior, shortcuts become normalized. Policy inertia is equally common. Many organizations established their current authentication procedures years ago and have not revisited them, even in light of evolving threats. Finally, service desk agents often face a difficult dynamic when senior-sounding callers push back on verification requirements.
Attackers deliberately exploit this dynamic, impersonating executives or invoking urgency to pressure agents into bypassing protocols. Because these tactics are well known, a service desk call made with heightened urgency and psychological pressure should trigger more care in the verification process, not less. But without explicit empowerment and organizational backing to hold the line, agents will frequently yield. This makes clear leadership support for verification protocols an essential component of any effective authentication program.
To improve cybersecurity for service desks, verification must match request risk
Not every service desk interaction carries the same consequence if the caller turns out to be an impersonator. Treating all requests with the same level of scrutiny creates unnecessary friction for users and still leaves the highest-risk actions under-protected. The inverse — applying a single lightweight check across all request types — is precisely the gap that sophisticated attackers exploit.
The right model recognizes that different categories of action demand meaningfully different levels of identity assurance, and that the controls applied to the most sensitive requests (e.g., account takeovers, credential resets for privileged users, changes to authentication devices) need to be designed specifically to withstand a determined adversary who has done their research.
One of the most consequential shifts in service desk authentication is that any information a caller provides during the interaction is, by definition, information an attacker could also provide. Names, employee IDs, managers' names, office locations, and recent project details are all potentially available through open-source research, previous breaches, or social media. Verification that relies solely on what a caller tells you is not verification; it is a conversation. Preventing cyber-attacks on service desks requires anchoring authentication in sources that are authoritative, independent, and outside the attacker's ability to manipulate in real time.
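The model described in this section can be written down as a policy that a ticketing integration or an agent checklist enforces. The following is an added example, not CAI's protocol or any product's implementation, that encodes it: each request type maps to a risk tier, evidence the caller merely states carries no weight, the higher tiers require anchors from independent channels, and the pressure tactics discussed earlier raise the tier instead of lowering it. The request names, evidence names, channel labels and tier thresholds are all constructed assumptions.

```python
"""Risk-tiered caller verification for a service desk.

Added example, not CAI's protocol or any product's implementation. It encodes
the model described above: the assurance required depends on the request,
evidence the caller merely states carries no weight, sensitive requests need
anchors from independent channels, and social pressure raises the bar rather
than lowering it. Request names, evidence names, channel labels and tier
thresholds are all constructed for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Request type -> base risk tier (0 = no identity assurance needed, 3 = most
# sensitive). Constructed mapping; an organisation would tune it.
REQUEST_TIER = {
    "general_question": 0,
    "account_unlock": 1,               # credentials and MFA unchanged
    "password_reset_standard": 2,
    "mfa_device_change": 2,
    "password_reset_privileged": 3,
    "new_device_provisioning": 3,
}

# Evidence -> (counts as an anchor?, channel). Anything the caller supplies in
# the conversation, including answers to knowledge-based questions, a familiar
# voice, or a "manager" on the line, never counts: an attacker who has done
# their research, or cloned a voice, can supply it too.
EVIDENCE = {
    "caller_stated_kbv": (False, "caller"),
    "voice_familiarity": (False, "caller"),
    "verbal_manager_authorisation": (False, "caller"),
    "callback_hr_record_number": (True, "phone"),       # desk dials the number on the HR record
    "push_registered_device": (True, "idp"),            # IdP push to an already-enrolled device
    "manager_approval_authenticated_workflow": (True, "workflow"),
    "in_person_badge_check": (True, "physical"),
}

# Tier -> minimum number of anchors. Tiers 2 and 3 also require two distinct
# channels; tier 3 additionally requires a supervisor sign-off on the ticket.
MIN_ANCHORS = {0: 0, 1: 1, 2: 2, 3: 2}

# Pressure tactics the article names. Their presence escalates, never relaxes.
PRESSURE_FLAGS = {"claims_executive", "invokes_urgency", "expresses_frustration",
                  "cites_stalled_business_process"}


@dataclass
class Decision:
    allowed: bool
    effective_tier: int
    anchors: list[str] = field(default_factory=list)
    reasons: list[str] = field(default_factory=list)


def evaluate(request: str, evidence: list[str], pressure: set[str] = frozenset(),
             supervisor_signoff: bool = False) -> Decision:
    """Decide whether the evidence gathered so far permits `request`."""
    tier = REQUEST_TIER[request]
    reasons: list[str] = []

    seen_pressure = sorted(set(pressure) & PRESSURE_FLAGS)
    if seen_pressure and tier < 3:
        tier += 1
        reasons.append(f"pressure indicators {seen_pressure} raised the tier to {tier}")
    elif seen_pressure:
        reasons.append(f"pressure indicators {seen_pressure} noted at maximum tier")

    anchors: list[str] = []
    channels: set[str] = set()
    for ev in evidence:
        counts, channel = EVIDENCE[ev]
        if counts:
            anchors.append(ev)
            channels.add(channel)
        else:
            reasons.append(f"{ev} ignored: caller-supplied, carries no weight")

    allowed = True
    if len(anchors) < MIN_ANCHORS[tier]:
        allowed = False
        reasons.append(f"tier {tier} needs {MIN_ANCHORS[tier]} anchor(s), have {len(anchors)}")
    if tier >= 2 and len(channels) < 2:
        allowed = False
        reasons.append("tier 2+ needs anchors from two independent channels")
    if tier == 3 and not supervisor_signoff:
        allowed = False
        reasons.append("tier 3 needs a supervisor sign-off recorded on the ticket")
    return Decision(allowed, tier, anchors, reasons)


if __name__ == "__main__":
    cases = [
        ("password_reset_standard", ["caller_stated_kbv", "voice_familiarity"], set(), False),
        ("password_reset_standard", ["callback_hr_record_number", "push_registered_device"], set(), False),
        ("account_unlock", ["push_registered_device"], {"claims_executive", "invokes_urgency"}, False),
        ("password_reset_privileged", ["callback_hr_record_number", "manager_approval_authenticated_workflow"], set(), True),
    ]
    for req, ev, pr, so in cases:
        d = evaluate(req, ev, pr, so)
        print(f"{req}: {'ALLOW' if d.allowed else 'DENY'} (tier {d.effective_tier})")
        for r in d.reasons:
            print("  -", r)
```

The design choice worth noting is that knowledge-based answers, voice familiarity and verbal manager authorisation are not merely weighted low; they are weighted zero, so no number of them can satisfy any tier. The decision also records why each piece of evidence was discounted, which gives the agent something concrete to read back to an insistent caller and gives reviewers an audit trail.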
Intelligence-driven operations and conversations we are having
We recognize that strengthening service desk authentication requires conversations that can feel uncomfortable. Clients may perceive stricter verification requirements as an imposition on user experience. They may underestimate their own risk of exposure. They may not have experienced an incident yet, and the threat may feel abstract.
The best approach to these conversations is to lead with data, speak from operational experience, and frame authentication improvement not as a compliance checkbox, but as a fundamental component of a mature security posture. We share what we are seeing across our client base and in the broader threat landscape. It’s clear to us that the cost of a breach driven by a service desk impersonation is significantly higher than the cost of implementing stronger verification.
One of the most distinctive aspects of CAI's service desk model is the direct feedback loop between our cybersecurity practice and our service desk operations. When our security team identifies a new social engineering technique (a new pretexting script, a new impersonation pattern, a new technology being used for voice cloning), that intelligence is immediately incorporated into agent training, verification protocols, and escalation triggers. Our service desk does not operate in isolation from the threat landscape; with cybersecurity protocols built specifically for the service desk, it operates in real time alongside our detection measures.
To learn more about how CAI can help improve service desk and cybersecurity innovations and get consultation on a practical road map for your next update, fill out the form below.
Endnotes
1. Palo Alto Networks. "Unit 42 Global Incident Response Report." Palo Alto Networks, Inc., February 2026. https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
2. CrowdStrike. "CrowdStrike 2025 Threat Hunting Report." CrowdStrike, June 2025. https://go.crowdstrike.com/2025-threat-hunting-report.html
3. BlackCloak. "The Escalating Threat and Financial Impact of Deepfake Attacks." Ponemon Institute press release, April 22, 2025. https://blackcloak.io/news-media/new-study-from-ponemon-institute-spotlights-the-escalating-threat-and-financial-impact-of-deepfake-attacks-on-businesses-and-executives/
4. Joseph Avanzato. "Scattered Spider: What You Need to Know." Varonis, June 5, 2025. https://www.varonis.com/blog/scattered-spider