Defending Against Employee Impersonation

Scattered Spider and other cyber crime gangs have shown how easy it is to break in without breaking code. By simply calling the IT help desk and posing as employees, attackers convince staff to reset passwords or grant access—leading to costly consequences.

The game has changed: now, with generative AI and synthetic identities, impersonation is no longer a crude con; it’s becoming slick, scalable, and eerily convincing. It’s like flying in bad weather: pilots don’t trust their gut or their sense of pitch or roll—they trust the instruments. Help desks need the same mindset. Relying on instinct or “does this sound like Bob from finance?” is a recipe for disaster. Strong identity checks can act as the instruments that cut through the fog of deception.

The old identity verification techniques—security questions, employee IDs, even caller ID—just don’t cut it anymore. That information is not even hidden in the dark web—much of it is now on the open internet. What works is shifting the trust model from “what you know” to “what you have” and “who you are.” Imagine this: instead of answering a mother’s maiden name, an employee gets a push notification on their phone or validates with a one-time credential tied directly to their account. An attacker with a fake profile or stolen details can’t fake the actual device in your hand. That small shift turns a soft target into a hardened checkpoint.

But possession alone isn’t enough in the age of AI-generated everything. Possession has to be verified live in the moment. That could mean confirming an employee with a biometric, checking a credential against a government database (like the DMV), or combining risk signals like location and device behavior. Done right, it’s fast, seamless, and barely noticeable to the employee — but it’s a brick wall for anyone trying to bluff their way through. Layered with analytics and anomaly detection, these methods make impersonation nearly impossible to pull off at scale.

The bottom line: impersonation is getting smarter, but defenses can be smarter still. By going beyond common knowledge and embracing device trust and live identity proofing, organizations can transform their help desks from easy prey into a first line of defense.

Cutting Through the Fog

We help our clients navigate the vendor landscape and identify the right fit for their organizations. Here are five key capabilities to look for:

• Device-based authentication – verification via trusted devices, push approvals, or one-time credentials.
• Live identity proofing – biometrics, government ID validation, or real-time credential checks.
• Risk-based signals – analyzing context like location, device behavior, and time of request.
• Seamless employee experience – quick, low-friction verification that doesn’t slow down support.