Most people are familiar with the clumsy IT support call scams that claim to be from major tech firms like Microsoft. These scammers typically target personal devices, persuading the recipient to divulge personal details or give the caller remote access to their computer. They are usually quick to hang up if challenged by more tech-savvy users and prefer to target older and more vulnerable people.
However, a more dangerous and sophisticated attack targets corporate users by pretending to be the official IT help desk; these calls are slicker, and the attacker can be armed with convincing details about the caller and organisation. Using sophisticated social engineering, they can persuade the target to reveal corporate passwords, divulge OTPs, or even authorise logins via MFA apps. These calls can cause serious damage to the organisation if successful, allowing accounts to be taken over, intellectual property to be stolen, and even ransomware to be planted.
One recent scam started with the target being flooded with large amounts of spam emails. Immediately after this inconvenience, they get a helpful call from IT who asks for remote access to their machine to fix the issue. While their guard is down, they likely agree to this request and let the hacker loose on the corporate IT system.
Until now, it has been impossible for employees to authenticate such callers; indeed, IT security processes are focused on the helpdesk identifying the employee and not the other way around. Scammers are also using fake accounts on Microsoft Teams that are close enough to legitimate corporate identities to fool the target, and they use those accounts to launch their attacks.
Agent Verify from Trusona, part of the ATO Protect Suite, can stop such attacks in their tracks. The legitimate IT helpdesk agent can generate a one-time, time-limited code that they share with the caller at the start of their interaction. Before proceeding further, the caller goes to a verification page on their corporate intranet and enters the code. If genuine, they will instantly see the agent details and can proceed with confidence.
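The flow described above, sketched as an added example (not Trusona's implementation or API): a code is issued only to an already signed-in agent, expires quickly, can be redeemed once, and failed lookups are counted per employee. The class name, the 8-digit format, the 120-second lifetime and the attempt limit are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

CODE_TTL_SECONDS = 120  # assumed validity window
MAX_ATTEMPTS = 5        # assumed failed-lookup limit per employee


class AgentVerifier:
    """Hypothetical service behind the intranet verification page."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # sha256(code) -> (agent details, expiry time)
        self._failures = {}  # employee id -> consecutive failed lookups

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, agent):
        """Called from the help desk console after the agent has signed in."""
        while True:
            code = f"{secrets.randbelow(10**8):08d}"  # CSPRNG, not random()
            key = self._digest(code)
            if key not in self._pending:  # never reuse a live code
                break
        self._pending[key] = (agent, self._clock() + CODE_TTL_SECONDS)
        return code

    def redeem(self, employee_id, code):
        """Called by the intranet page; returns agent details or None."""
        if self._failures.get(employee_id, 0) >= MAX_ATTEMPTS:
            return None  # locked out: stops guessing through the page
        entry = self._pending.pop(self._digest(code), None)  # pop = single use
        if entry is None or self._clock() > entry[1]:
            self._failures[employee_id] = self._failures.get(employee_id, 0) + 1
            return None
        self._failures.pop(employee_id, None)
        return entry[0]


if __name__ == "__main__":
    verifier = AgentVerifier()
    agent = {"name": "Constructed Agent", "team": "IT Help Desk"}  # sample data
    code = verifier.issue(agent)
    print(verifier.redeem("employee-1", code))  # agent details
    print(verifier.redeem("employee-1", code))  # None: already used
```

The employee should trust only what the intranet page displays, never details the caller reads out, because the page sits behind corporate sign-in and the caller does not.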
Training employees to use this simple step with Agent Verify should become a standard part of your organization’s cybersecurity training.
To see Agent Verify in action, sign up for your free trial at try.trusona.com.