The 9 Questions Your IT Help Desk Should Be Able to Answer (And the One That’s a Trap)
In 2023, a member of Scattered Spider called MGM Resorts’ IT Help Desk. They claimed to be an employee. They had the right name, the right details, and a convincing enough story. The agent on the other end had no way to verify who was actually calling.
The breach cost MGM an estimated $100 million.
What’s remarkable about that attack isn’t the sophistication. There was no malware, no zero-day exploit, no technical genius at work. It was a phone call. The vulnerability wasn’t in MGM’s infrastructure. It was in their help desk’s inability to answer one basic question: is this person actually who they say they are?
That’s the problem we built the following 9 questions around. If your IT Help Desk can’t answer them, you have the same exposure MGM had. And in 2026, with Gen AI voice cloning costing less than $10 and deepfake tools increasingly available on the open market, that exposure is more dangerous than ever.
First, what is Scattered Spider?
Scattered Spider is a loosely organized cybercriminal group known for social engineering attacks against large enterprises. They don’t break in through the firewall. They call the help desk, impersonate employees, and talk their way past agents who have no reliable way to verify identity.
Their targets have included MGM Resorts, Caesars Entertainment, and dozens of other major organizations. The FBI issued a joint advisory about them in 2023. And despite significant attention from law enforcement, the tactics continue because the underlying vulnerability hasn’t changed: most IT Help Desks are not equipped to detect identity impersonation in real time.
That’s what these 9 questions measure. Not whether your firewall is patched. Whether the human in your help desk can recognize when they’re being manipulated.
The 9 Questions
Question 1: Can your IT Help Desk verify the identity of someone calling in before taking any account action?
Weight: Critical
This is the foundational question, and it’s marked “Critical” for a reason.
Not “ask a security question.” Not “check that the caller ID looks right.” Actually verify that the person on the other end of the call is who they claim to be, against an authoritative source, before resetting a password, unlocking an account, or making any changes.
Most help desks can’t do this. They rely on the caller knowing certain information, which leads us to Question 3. But verification and information-checking are not the same thing. Real identity verification means checking the caller’s identity against government-issued documents or telecom records, not asking them what street they grew up on.
If your answer is “partially” or “no,” everything else on this list becomes harder to protect.
Question 2: Can your agents detect Gen AI deepfake voices or identities in real time?
Weight: Critical
Gen AI voice cloning has changed the threat landscape permanently.
A few years ago, an attacker impersonating an executive over the phone was limited by their own acting ability. Today, tools available for a few dollars can clone a voice from a handful of audio samples, generating a convincing real-time impersonation that most humans can’t detect.
Your help desk agents are on the front line of this. They receive calls. They hear voices. And without technical tooling to help them, they have no reliable way to know whether the person they’re speaking with is the actual employee or an AI-generated copy.
This question isn’t about whether your agents are smart or well-trained. It’s about whether they have the systems to back them up.
Question 3 (The Trap): Do your agents rely on knowledge-based authentication to verify callers?
Weight: Standard
This is the one that catches people off guard, and intentionally so.
If your answer is “yes,” your risk score goes up, not down.
Knowledge-based authentication (KBA), meaning security questions, the last 4 digits of a Social Security Number, mother’s maiden name, and similar approaches, is one of the primary attack vectors for social engineering groups like Scattered Spider. The reason is simple: this information is no longer secret.
Attackers compile personal data from data breaches, social media, and commercial databases. Gen AI can answer KBA questions faster than a human agent can ask them. NIST removed KBA from its Digital Identity Guidelines, explicitly calling pre-registered knowledge tokens a form of weak password. The FFIEC has recommended against relying on KBA for similar reasons.
If your help desk is still using security questions as a primary verification method, you are relying on a defense that the security industry has already acknowledged is broken.
Question 4: Can your IT Help Desk detect a SIM Swap on an employee’s phone number in real time?
Weight: Critical
SIM swap fraud is one of Scattered Spider’s most documented techniques.
A SIM swap happens when an attacker convinces a mobile carrier to transfer someone’s phone number to a SIM card the attacker controls. From that point on, any call or text sent to that number goes to the attacker instead: SMS-based verification codes, call-back confirmations, all of it gets routed to the wrong person.
UK SIM swap cases rose more than 1,000% in 2024. The FBI recorded $26 million in SIM swap losses in the US in the same period. And your help desk has no way to know a swap occurred unless you have a system that checks telecom records in real time at the moment of the call.
This question is also marked “Critical” because getting it wrong invalidates a lot of other controls. If an attacker has swapped the SIM, phone-based verification becomes their asset, not yours.
Question 5: Can your IT Help Desk determine a caller’s device and IP geolocation in real time?
Weight: Standard
Context matters in verification.
If an employee is calling from a new device, from an IP address associated with a foreign VPN, or from a location that doesn’t match their normal pattern, that’s a risk signal. A help desk with access to device and IP intelligence can flag anomalies and prompt additional scrutiny before taking action.
Without it, your agents are working blind. They’re relying entirely on what the caller says, rather than what the caller’s technology tells you.
Question 6: Can your IT Help Desk acquire a caller’s GPS location even when they’re behind a VPN?
Weight: Standard
Standard IP geolocation is easily defeated by a VPN. Sophisticated attackers know this and will route their connection through a VPN to mask their actual location.
GPS location verified at the device level is harder to spoof and provides a more reliable signal about where a caller actually is. If a caller claims to be working from their home office in Phoenix but their GPS location places them in Eastern Europe, that’s information your agent needs before taking any account action.
Question 7: Have your help desk verification procedures been updated or reviewed since 2022?
Weight: Standard
The threat landscape has changed dramatically since 2022. Gen AI became commercially accessible. Scattered Spider’s tactics were publicly documented. NIST updated its Digital Identity Guidelines. Voice cloning tools became cheap and widely available.
If your help desk playbook hasn’t been reviewed since before all of that happened, it was written for a world that no longer exists. This question isn’t about whether you have procedures. It’s about whether those procedures are still relevant to the current threat environment.
Question 8: Do you have active protection against Session Replay and Man-in-the-Middle (MITM) attacks?
Weight: Critical
Social engineering doesn’t stop at the phone call.
Man-in-the-Middle attacks intercept communication between your help desk and the verification system, allowing an attacker to relay or modify information in real time. Session replay attacks capture a legitimate verification session and replay it later to gain unauthorized access.
If your verification process lacks anti-replay and MITM detection, a successful verification by a real employee can potentially be used as a template for a later attack.
Question 9: Have your agents received training in the last 12 months specifically on social engineering and identity impersonation tactics?
Weight: Standard
Technical controls matter, but so does the human layer.
Help desk agents who understand what social engineering looks and sounds like, who know to be skeptical of urgency, and who recognize the classic patterns Scattered Spider uses are meaningfully more effective than agents who haven’t had that context.
This isn’t a substitute for the technical controls above. Training alone won’t stop a convincing deepfake voice. But it’s an important layer, and if it hasn’t happened in the last 12 months, your agents are working without current intelligence about the threats they’re actually facing.
How to interpret your answers
If you answered “yes” to most of these, you have a stronger posture than the majority of IT Help Desks. Keep reviewing and updating as tactics evolve.
If you answered “partially” to several, the partial coverage may be giving you a false sense of security. Attackers look for the weakest point in your process, not the average strength.
If you answered “no” to the Critical questions (1, 2, 4, and 8), your help desk has meaningful gaps that a skilled social engineer can exploit today, with tools that cost almost nothing.
And if you answered “yes” to Question 3 about relying on KBA, that’s worth addressing immediately, regardless of how you scored on everything else.
What good looks like
Identity verification for IT Help Desk calls should work like this:
- The agent receives a call. Before taking any action, they initiate a verification workflow.
- The caller completes a real-time identity verification check, scanning a government-issued ID against authoritative data sources.
- The system simultaneously checks whether the caller’s phone number has been subject to a recent SIM swap.
- The caller’s GPS location is verified at the device level, not just their IP.
- MITM and anti-replay protections are active throughout the session.
The agent sees a clear result: verified or not verified. No security questions. No relying on information the caller might or might not know. No guessing.
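The workflow above, expressed as a single decision gate, is shown below as an added example; it is not Trusona’s code and the thresholds, the `expected_country` HR field, and the sample scenarios are all constructed assumptions. Every signal from the list (ID check, SIM swap lookup, device-level GPS, anti-replay) must pass before an account action is allowed; an IP/GPS mismatch is only an advisory flag, matching the “prompt additional scrutiny” model in Question 5.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# Constructed policy thresholds (assumptions, not Trusona's values).
SIM_SWAP_LOOKBACK = timedelta(days=7)   # a number ported this recently is suspect
SESSION_MAX_AGE = timedelta(minutes=5)  # a verification result older than this is stale

@dataclass
class Signals:
    id_verified: bool                   # government ID matched against authoritative data
    last_sim_swap: Optional[datetime]   # most recent SIM change from telecom records
    gps_country: str                    # device-level GPS
    ip_country: str                     # IP geolocation (a VPN can distort this)
    expected_country: str               # employee's registered work location (assumed HR field)
    nonce: str                          # unique per verification session
    issued_at: datetime                 # when the verification result was produced

@dataclass
class ReplayGuard:
    seen: Set[str] = field(default_factory=set)   # nonces already consumed

def verify_caller(s: Signals, guard: ReplayGuard, now: datetime) -> Tuple[bool, List[str]]:
    """Return (verified, findings). Any blocking finding stops the account action;
    advisory findings only prompt extra scrutiny by the agent."""
    blocking, advisory = [], []
    if not s.id_verified:
        blocking.append("identity document not verified")
    if s.last_sim_swap is not None and now - s.last_sim_swap < SIM_SWAP_LOOKBACK:
        blocking.append("recent SIM swap on caller's number")
    if s.gps_country != s.expected_country:
        blocking.append("device GPS country differs from registered work location")
    if now - s.issued_at > SESSION_MAX_AGE:
        blocking.append("verification session expired")
    if s.nonce in guard.seen:
        blocking.append("verification session already used (replay)")
    guard.seen.add(s.nonce)             # burn the nonce whether or not the check passed
    if s.ip_country != s.gps_country:
        advisory.append("IP geolocation differs from GPS (possible VPN)")
    return (not blocking, blocking + [f"advisory: {a}" for a in advisory])

def demo() -> dict:
    """Constructed scenarios; returns {name: verified} for each, in order."""
    now = datetime(2026, 1, 15, 12, 0, tzinfo=timezone.utc)
    guard, fresh = ReplayGuard(), now - timedelta(minutes=1)
    cases = {
        "legit": Signals(True, None, "US", "US", "US", "n1", fresh),
        "vpn_only": Signals(True, None, "US", "DE", "US", "n2", fresh),
        "sim_swapped": Signals(True, now - timedelta(days=2), "US", "US", "US", "n3", fresh),
        "wrong_location": Signals(True, None, "RO", "US", "US", "n4", fresh),
        "replayed": Signals(True, None, "US", "US", "US", "n1", fresh),   # reuses n1
    }
    return {name: verify_caller(sig, guard, now)[0] for name, sig in cases.items()}
```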
That’s what Trusona’s Identity Impersonation Detection provides. It gives help desk agents real-time signals they can actually act on, without requiring pre-enrollment, without adding friction for legitimate employees, and without relying on the kind of information that attackers already have access to.
See how your help desk scores
We built a free 9-question weighted assessment based on these exact questions. Each answer contributes to an overall risk score broken down by category: Identity Verification, Process Controls, and Infrastructure Defense.
Results are instant and don’t require a form fill to see. If you want a one-pager with your results and specific remediation steps sent to your inbox, you can add your email after you see your score.
Take the assessment at trusona.com/ato-checklist