How Fake IT Support is Driving the Shift to Zero Trust
The corporate help desk used to be a relatively safe haven—a place to fix a locked account, request software, or troubleshoot a stubborn VPN. Today, it is arguably the most lucrative attack surface in enterprise cybersecurity.
As software vulnerabilities become harder to exploit, threat actors are taking the path of least resistance: human decision-making. By using AI-generated deepfakes and sophisticated social engineering, attackers are successfully posing as legitimate employees to trick IT into handing over the keys to the network. This surge in credential compromise is forcing a rapid, industry-wide pivot away from traditional perimeter defenses and toward a strict Zero Trust architecture.
The Help Desk as the Path of Least Resistance
In recent years, the cybersecurity landscape has been reshaped by groups like Scattered Spider (also known as UNC3944)—a highly organized cybercriminal collective responsible for catastrophic breaches at MGM Resorts, major UK retailers like M&S, and several global SaaS providers. They don’t typically break in by hacking firewalls; they log in by manipulating people.
Their playbook relies on highly coordinated social engineering:
- Help Desk Impersonation: Attackers research the IT procedures of a target company, call the help desk posing as an employee in distress, and successfully request password resets or Multi-Factor Authentication (MFA) token transfers to devices they control.
- MFA Fatigue (Push Bombing): Threat actors bombard an employee’s phone with MFA approval requests. Out of annoyance or confusion, the employee eventually taps “Approve,” granting the attacker access.
- AI-Enabled Deepfakes: Using generative AI, attackers clone the voices of executives or familiar colleagues. The 2026 Global Cybersecurity Outlook highlights that AI has industrialized social engineering, making impersonations highly culturally authentic and almost indistinguishable from reality over a phone call.
Once attackers convince the help desk to reset a credential, they bypass the outer defenses entirely.
The new reality: In 2025, identity weaknesses played a material role in almost 90% of major cyber incident investigations. Attackers no longer hack in—they log in.
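The push-bombing pattern described above has a recognisable shape in authentication logs: a burst of MFA prompts, several of them denied or expired, ending in a single approval. The following detector is an added example written for this article, not code from the original page or from any identity provider; the log format and the entries in SAMPLE_LOG are constructed for illustration, and the window and threshold values are tuning assumptions a defender would adjust to their own baseline.

```python
from datetime import datetime, timedelta

# Constructed sample MFA push log (not from a real system).
# Format per line: ISO-8601 timestamp, user, event, source IP.
SAMPLE_LOG = """\
2025-03-04T02:14:05Z alice push_sent 203.0.113.9
2025-03-04T02:14:20Z alice push_denied 203.0.113.9
2025-03-04T02:14:41Z alice push_sent 203.0.113.9
2025-03-04T02:15:02Z alice push_timeout 203.0.113.9
2025-03-04T02:15:30Z alice push_sent 203.0.113.9
2025-03-04T02:15:55Z alice push_sent 203.0.113.9
2025-03-04T02:16:10Z alice push_sent 203.0.113.9
2025-03-04T02:16:33Z alice push_approved 203.0.113.9
2025-03-04T09:00:01Z bob push_sent 198.51.100.4
2025-03-04T09:00:09Z bob push_approved 198.51.100.4
"""


def parse_log(text):
    """Parse the constructed log format into event dicts with aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append({
            # Replace the trailing 'Z' so fromisoformat works on Python < 3.11 too.
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user,
            "event": event,
            "ip": ip,
        })
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who approve a push after `threshold` or more prompts in `window`.

    A normal login produces one prompt and one decision. An approval preceded
    by a burst of prompts (especially denied or expired ones) is the MFA
    fatigue signature. Returns {user: finding} for flagged users only.
    """
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)

    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for approval in evs:
            if approval["event"] != "push_approved":
                continue
            start = approval["ts"] - window
            prior = [p for p in evs if start <= p["ts"] < approval["ts"]]
            sent = sum(1 for p in prior if p["event"] == "push_sent")
            rejected = sum(1 for p in prior
                           if p["event"] in ("push_denied", "push_timeout"))
            if sent >= threshold:
                findings[user] = {
                    "approved_at": approval["ts"].isoformat(),
                    "prompts_before_approval": sent,
                    "rejected_or_expired": rejected,
                    "source_ip": approval["ip"],
                }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(f"possible push bombing for {user}: {finding}")
```

In the constructed sample, alice is flagged (five prompts, two of them rejected or expired, before the approval) while bob's single prompt-and-approve pair is not. A real deployment would feed the same logic from the identity provider's audit stream and pair a hit with an automatic session revocation and a help desk callback on a known-good number.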
Why the “Castle and Moat” Model Failed
Historically, corporate security relied on a perimeter defense model—often called the “castle and moat.” The assumption was simple: anyone outside the corporate network is untrusted, and anyone inside the network (having passed through the VPN or firewall) is trusted.
The fake IT support epidemic destroyed this assumption. When an attacker successfully social-engineers the help desk, they are granted legitimate credentials. In a traditional perimeter model, those credentials give the attacker broad lateral movement across the network. They can quietly map the internal infrastructure, escalate privileges, and eventually deploy ransomware or exfiltrate sensitive data.
Because the attacker looks like an authorized user, legacy security systems rarely raise an alarm until the damage is done.
Key insight: Under a traditional model, a single compromised help desk password grants the keys to the kingdom. Under Zero Trust, that same password is functionally useless without the corresponding trusted device and behavioral context.
Operationalizing Zero Trust
Zero Trust flips the security paradigm. Its core philosophy is “never trust, always verify.” It assumes that the network is already hostile and that a breach is inevitable. Therefore, trust is never granted implicitly, regardless of whether a request originates from a corporate headquarters or a coffee shop.
To combat the threat of fake IT support, large and emerging companies are rapidly operationalizing Zero Trust through three critical pillars:
| Pillar | Legacy Perimeter Defense | Zero Trust Architecture |
|---|---|---|
| Identity | Passwords and SMS OTPs | Phishing-resistant MFA (FIDO2) |
| Devices | Corporate vs. Personal | Continuous posture checking |
| Access | VPNs grant broad network access | App-specific micro-segmentation |
| Trust | Implicit after initial login | Explicitly verified at every step |
1. Phishing-Resistant Identity Security
Instead of relying on passwords or SMS-based MFA—which Scattered Spider easily circumvents via SIM swapping—companies are adopting FIDO2 passkeys and hardware security keys. These methods cryptographically bind the credential to a specific physical device, making it impossible for a remote attacker to use a stolen password, even if they trick the help desk.
2. Continuous Device Posture Checking
A valid username and password are no longer enough. Zero Trust systems continuously evaluate the health and context of the device making the request. If a help desk technician is tricked into giving access to a hacker in another country, the Zero Trust architecture will block the login attempt because the device lacks the required corporate certificate, has an unexpected IP address, or fails behavioral biometrics checks.
3. Micro-Segmentation and Least Privilege
If an attacker does manage to breach an account, Zero Trust severely limits the blast radius. Access is granted on a Just-In-Time (JIT) basis and restricted solely to the specific application the user needs. Lateral movement is blocked by default, trapping the attacker in a micro-segment and preventing them from reaching the broader network or critical data vaults.
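The three pillars above amount to an access policy that can be written down and tested. The following is an added example for this article, not code from the original page or from any vendor's product: it models the same help-desk-reset scenario against a castle-and-moat rule and a Zero Trust rule side by side. The AccessRequest fields, the ENTITLEMENTS table, the role names and the one-hour grant are all hypothetical, chosen to show the identity, device and scope checks the text describes.

```python
from dataclasses import dataclass

# Authentication methods this policy treats as phishing-resistant (assumption).
PHISHING_RESISTANT = {"fido2"}

# Hypothetical role-to-application entitlements (constructed for the example).
ENTITLEMENTS = {
    "finance-analyst": {"ledger-app"},
    "helpdesk": {"ticketing"},
}


@dataclass
class AccessRequest:
    user: str
    credential_valid: bool   # password accepted (including one just reset by the help desk)
    auth_method: str         # "password", "sms_otp" or "fido2"
    device_managed: bool     # device presented the corporate client certificate
    posture_ok: bool         # disk encrypted, EDR running, patches current
    on_vpn: bool             # inside the network perimeter
    geo: str                 # country of the source IP
    usual_geo: str           # where this user normally authenticates from
    resource: str            # the application being requested


def legacy_perimeter_decision(req):
    """Castle and moat: a valid credential plus VPN membership unlocks the whole network."""
    if req.credential_valid and req.on_vpn:
        return {"allow": True, "scope": "network", "reasons": []}
    return {"allow": False, "scope": None, "reasons": ["outside perimeter"]}


def zero_trust_decision(req, role):
    """Verify identity, device posture and entitlement explicitly on every request.

    Network location (on_vpn) is deliberately ignored: being inside the
    perimeter earns no trust. Every failed check is recorded so the denial is
    explainable to the SOC and to the help desk.
    """
    reasons = []
    if not req.credential_valid:
        reasons.append("credential invalid")
    if req.auth_method not in PHISHING_RESISTANT:
        reasons.append(f"auth method '{req.auth_method}' is not phishing-resistant")
    if not req.device_managed:
        reasons.append("device lacks corporate certificate")
    if not req.posture_ok:
        reasons.append("device posture check failed")
    if req.geo != req.usual_geo:
        reasons.append(f"unexpected location {req.geo}")
    if req.resource not in ENTITLEMENTS.get(role, set()):
        reasons.append(f"role '{role}' is not entitled to {req.resource}")
    if reasons:
        return {"allow": False, "scope": None, "reasons": reasons}
    # Just-in-time grant: only the requested application, for a bounded time.
    return {"allow": True, "scope": req.resource, "ttl_minutes": 60, "reasons": []}


# Scenario 1 (constructed): attacker who talked the help desk into a password
# reset and an SMS-OTP transfer, connecting from an unmanaged device abroad.
HELPDESK_RESET_ATTACK = AccessRequest(
    user="alice", credential_valid=True, auth_method="sms_otp",
    device_managed=False, posture_ok=False, on_vpn=True,
    geo="XX", usual_geo="US", resource="ledger-app",
)

# Scenario 2 (constructed): the real employee on her managed laptop.
LEGITIMATE_EMPLOYEE = AccessRequest(
    user="alice", credential_valid=True, auth_method="fido2",
    device_managed=True, posture_ok=True, on_vpn=False,
    geo="US", usual_geo="US", resource="ledger-app",
)

if __name__ == "__main__":
    for name, req in (("attacker", HELPDESK_RESET_ATTACK),
                      ("employee", LEGITIMATE_EMPLOYEE)):
        print(name, "legacy:", legacy_perimeter_decision(req))
        print(name, "zero trust:", zero_trust_decision(req, "finance-analyst"))
```

Run as written, the legacy rule grants the attacker network-wide access on the strength of the reset password alone, while the Zero Trust rule denies the same request on four independent grounds and grants the real employee only the one application she is entitled to. The same employee asking for an application outside her role is denied too, which is the least-privilege half of the blast-radius argument.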
The Bottom Line
You cannot perfectly patch human psychology. As long as there is a help desk staffed by empathetic humans, threat actors armed with AI and highly convincing scripts will find ways to exploit them. The future of enterprise security relies on accepting this reality. By adopting a Zero Trust architecture, companies ensure that even when social engineering succeeds, the attacker remains locked out of the critical systems that matter most.