Marcus had been the IT director at a mid-sized financial services firm for six years when he finally sat down to do the math he had been avoiding.

It was a Thursday afternoon in Q3, the kind of quiet stretch between crises where the to-do list gets addressed and the uncomfortable questions get asked. He pulled up the ticketing system and filtered by ticket type. Password resets and MFA changes. One quarter.

The number was 847.

At $70 per call, which is Forrester Research’s widely cited estimate for the average IT labor cost of a single help desk password reset, his team had spent just under $60,000 in a single quarter just to answer the phone and verify that employees were who they said they were.

He stared at that number for a while. Then he asked himself a question he hadn’t thought to ask before.

“How many of those 847 calls were actually from our employees?”

He didn’t have a good answer. And that, it turned out, was the more expensive problem.

The Number Everyone Knows and Nobody Acts On

The $70 figure has been in circulation long enough that most IT leaders have heard it. Forrester Research published it. Gartner added that password resets account for 20 to 50 percent of all help desk call volume. The industry has accepted both figures as conventional wisdom, nodded at them in budget meetings, and largely moved on.

What the industry has been slower to reckon with is what that volume actually represents in aggregate, and what it costs when the math is done honestly.

$70

Average IT labor cost per help desk password reset. Forrester Research

Start with a straightforward scenario: a company with 10,000 employees. Gartner’s data suggests that 40 percent of help desk calls are password-related. If your help desk handles 2,000 calls per month, roughly 800 of them involve some form of password reset or account recovery. At $70 each, that’s $56,000 per month in IT labor, not for fixing systems or responding to incidents, but for answering verification questions and clicking reset buttons.

Per year: $672,000.

That’s the labor cost alone. It doesn’t count the productivity loss on the employee side while they wait on hold, the second call when the reset doesn’t work, or the supervisor escalation when the situation gets complicated.

Forrester estimated that large organizations spend an average of $1 million per year in help desk costs on password-related issues alone. A separate analysis found that employees lose an average of 11 hours per year to password-related friction. For a 15,000-person organization paying average wages, that translates to $5.2 million annually in lost productivity.

The $70 call is not a rounding error. Multiplied across a year and a moderately sized workforce, it is a material operating cost that most organizations have simply stopped questioning.

Marcus had stopped questioning it too. Until the Thursday afternoon when he did the math and then asked the follow-up question that changed how he thought about all of it.

The Question Inside the Question

The $70 figure measures the cost of a legitimate transaction. An employee forgets their password. They call IT. The agent verifies their identity. The password gets reset. The ticket closes.

That process costs $70 and accomplishes exactly what it’s supposed to.

But the same process, executed on a fraudulent call, costs something entirely different. The ticket still closes at $70. The agent still did their job. The difference is that the account now belongs to an attacker.

This is the number inside the number, and it’s the one the $70 figure doesn’t capture.

When Scattered Spider breached MGM Resorts in 2023, they started with a call to the help desk. The agent followed the verification process. The reset was granted. The ticket closed, presumably for around $70 in IT labor.

What followed cost MGM an estimated $100 million in damages, remediation, and lost revenue. The breach knocked systems offline for days, disrupted casino operations across multiple properties, and set off months of regulatory and legal fallout.

The $70 call that opened the door to that breach was the cheapest part of the entire incident.

$100M+

Estimated cost of the MGM Resorts breach that began with a single help desk call. 2023

The same pattern repeated at Marks and Spencer in April 2025. Scattered Spider called a third-party IT help desk, impersonated a legitimate employee, and obtained a credential reset. The attack that followed encrypted servers, knocked online orders offline for 46 days, and is estimated to have cost the retailer around 300 million pounds.

Same process. Same $70 transaction. Radically different outcome.

What Makes the Fraudulent Call So Hard to Catch

The reason verification fails in these scenarios is not that the agents are careless. In every documented case, the agents did exactly what they were trained to do. They asked the verification questions. They received correct answers. They completed the reset.

The issue is that the verification questions rely on information that an attacker can obtain before they ever pick up the phone.

Modern social engineering doesn’t require inside access. LinkedIn alone reveals an employee’s name, title, start date, manager’s name, and reporting structure. Company websites, press releases, conference bios, and Glassdoor reviews fill in the remaining gaps. Researchers have found that a skilled social engineer can build a usable impersonation profile from public sources in under 15 minutes.

Add AI voice cloning, which can now generate a convincing voice replica from three seconds of publicly available audio, and the agent on the other end of the phone has no reliable signal to distinguish a legitimate employee from a professional impersonator.

The standard verification process was designed for a world where the attacker wouldn’t know the answers. That world has changed. The process hasn’t.

This is the structural vulnerability buried inside the $70 figure. The cost is real and the process is real, but the security assurance the process provides has quietly eroded. Organizations are paying $70 per call for a verification step that, in the cases that matter most, no longer reliably verifies anything.

The Real Cost Model

Marcus eventually built out the full cost picture for his organization, not just the operational line item but the risk-adjusted cost that his CFO would understand.

It looked something like this:

Cost Category                       | Per Event  | Annual (10K employees) | Notes
------------------------------------|------------|------------------------|--------------------------------------------------
Help desk labor (legitimate resets) | $70        | $672,000               | Based on 9,600 resets/yr, Forrester estimate
Employee lost productivity          | $48        | $460,800               | Avg. 40 min per incident at $72/hr blended rate
Fraudulent reset: investigation     | $8,500     | Variable               | IR team triage, forensics, scope assessment
Fraudulent reset: breach costs      | $4.9M avg. | One incident           | IBM Cost of a Data Breach Report 2024
Regulatory / legal exposure         | Variable   | Variable               | Sector-dependent; material in finance, healthcare

The operational cost, the $70 multiplied out across a year, is large but predictable. The breach cost is low-probability but catastrophic. The problem with treating them separately is that they share the same causal mechanism: the help desk call.

Reducing the volume of legitimate resets through self-service tools cuts the operational cost. But it doesn’t address the fraudulent call, because an attacker doesn’t use the self-service portal. They call the agent, because the agent is where the human judgment call lives, and human judgment is what they’re trained to exploit.

The only way to address both cost centers is to change what happens at the moment of the reset request, whether the call is legitimate or not.

What a Better Process Actually Changes

Out-of-band identity verification, the kind that sends an independent challenge to the employee’s enrolled, verified device rather than relying on verbal answers, changes the economics of the help desk call in two ways simultaneously.

For legitimate employees, it makes the reset faster and lower-friction. The verification happens on the device in their pocket rather than through a series of questions they may or may not remember accurately. The call gets shorter. The ticket closes sooner. The per-call cost goes down.

For fraudulent callers, it creates a wall that verbal impersonation cannot climb. Knowing the right answers is no longer sufficient. The attacker would also need physical possession of the enrolled device, which social engineering alone cannot provide. The fraudulent call fails before the reset is granted.

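To make the mechanism concrete, here is an added illustration (not code from this article or from any vendor's product) of the two checks side by side: a legacy verbal check, which an impostor who has researched the answers passes, and an out-of-band approval bound to one specific ticket, which fails without the enrolled device's key, fails on replay, and fails once the challenge is stale. The per-device enrolled secret, the HMAC-based approval, the two-minute challenge lifetime, the usernames and the INC- ticket identifiers are all assumptions constructed for the example.

```python
"""Out-of-band reset approval versus verbal verification.

Added illustration for the article, not any vendor's code. The per-device enrolled
key, the HMAC-based approval, the challenge lifetime and the ticket ids are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CHALLENGE_TTL_SECONDS = 120  # assumption: an approval must arrive within two minutes


@dataclass
class Challenge:
    ticket_id: str
    username: str
    nonce: str
    issued_at: float
    used: bool = False


def approval_tag(device_key: bytes, ch: Challenge) -> bytes:
    # The approval is bound to ticket, user and nonce, so it cannot be moved to another ticket.
    msg = f"{ch.ticket_id}|{ch.username}|{ch.nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class ResetService:
    """Server side: issues one challenge per ticket and verifies the device's approval."""

    def __init__(self) -> None:
        self._enrolled_keys: dict[str, bytes] = {}   # username -> enrolled device key
        self._challenges: dict[str, Challenge] = {}  # ticket_id -> pending challenge

    def enroll_device(self, username: str, device_key: bytes) -> None:
        # Enrolment happens once, at onboarding, over a trusted channel (assumption).
        self._enrolled_keys[username] = device_key

    def open_reset_ticket(self, ticket_id: str, username: str, now: float) -> Challenge | None:
        if username not in self._enrolled_keys:
            return None  # no enrolled device, so nothing to verify out of band
        ch = Challenge(ticket_id, username, secrets.token_hex(16), now)
        self._challenges[ticket_id] = ch
        return ch

    def approve_reset(self, ticket_id: str, tag: bytes, now: float) -> bool:
        ch = self._challenges.get(ticket_id)
        if ch is None or ch.used:
            return False  # unknown ticket, or an approval presented a second time
        if now - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return False  # stale challenge
        expected = approval_tag(self._enrolled_keys[ch.username], ch)
        if not hmac.compare_digest(expected, tag):
            return False  # approval did not come from the enrolled key
        ch.used = True
        return True


class Device:
    """A phone that approves a challenge with whatever key it holds."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def approve(self, ch: Challenge) -> bytes:
        return approval_tag(self._key, ch)


def verbal_verification(on_file: dict, given: dict) -> bool:
    """The legacy check: knowing the answers is sufficient."""
    return all(given.get(k) == v for k, v in on_file.items())


def demo() -> dict:
    svc = ResetService()
    enrolled_key = secrets.token_bytes(32)
    svc.enroll_device("jdoe", enrolled_key)
    employee_phone = Device(enrolled_key)
    impostor_phone = Device(secrets.token_bytes(32))  # caller has no enrolled key

    # Constructed profile: the kind of answers available from public sources.
    on_file = {"manager": "A. Smith", "start_date": "2019-03-04", "title": "Analyst"}
    results = {"verbal_impostor": verbal_verification(on_file, dict(on_file))}  # True

    now = time.time()
    ch = svc.open_reset_ticket("INC-1001", "jdoe", now)
    results["oob_impostor"] = svc.approve_reset("INC-1001", impostor_phone.approve(ch), now)  # False

    ch = svc.open_reset_ticket("INC-1002", "jdoe", now)
    tag = employee_phone.approve(ch)
    results["oob_legit"] = svc.approve_reset("INC-1002", tag, now)   # True
    results["oob_replay"] = svc.approve_reset("INC-1002", tag, now)  # False: single use

    ch = svc.open_reset_ticket("INC-1003", "jdoe", now)
    late = now + CHALLENGE_TTL_SECONDS + 1
    results["oob_expired"] = svc.approve_reset("INC-1003", employee_phone.approve(ch), late)  # False
    results["oob_unenrolled"] = svc.open_reset_ticket("INC-1004", "ghost", now) is None    # True
    return results
```

The design point is that the agent never evaluates anything the caller says: the service sends the challenge to the enrolled device, and only a tag computed with that device's key over this ticket's nonce closes the loop. Binding the tag to the ticket id and marking it used keeps one approval from being reused for a second request.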
The goal is not to make the $70 call more rigorous. It is to make the fraudulent $70 call impossible, while making the legitimate $70 call cheaper.

The organizations that have made this shift report two outcomes that their CFOs find compelling: a reduction in average handle time for legitimate resets, and a measurable drop in account takeover incidents originating from help desk social engineering.

Neither outcome is surprising once you understand the mechanism. The verification is doing real work again, rather than going through the motions of a process whose assurance value has quietly declined.

The Questions Worth Taking Into Your Next Budget Conversation

If you are preparing to make the case for investment in help desk identity verification, the math Marcus did is a useful starting point. A few questions that tend to sharpen the conversation:

  • What is your organization’s actual annual spend on help desk password resets and MFA changes? Pull the ticket volume, apply the $70 estimate, and surface the number. Most budget owners have never seen it stated as a single annual figure.
  • What is your current fraud detection rate on help desk calls? If you cannot answer this with confidence, that is informative in itself. It means the fraudulent calls, when they happen, look identical to the legitimate ones.
  • What is the cost of a single account takeover incident at your organization, including investigation, remediation, regulatory exposure, and reputational impact? Most organizations have this estimate somewhere. Compare it to the annual cost of a verification system that prevents it.
  • Does your verification process change after hours or on weekends when staffing is reduced? Attackers time their calls deliberately. If the Friday evening protocol is lighter than the Tuesday morning one, that gap is known and exploited.
  • What does your current process require beyond verbal verification? If the answer is nothing, the process is asking the agent to make a judgment call that the agent cannot reliably make.

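As an added worked example (not from the article or from any ticketing vendor), the first, second and fourth questions above can be answered mechanically from a ticket export: total volume priced at the $70 estimate, how many resets were granted without out-of-band verification or with no verification method recorded at all, and how many were opened after hours or on weekends. The CSV column names, the business-hours window and the eight sample tickets are constructed for the illustration.

```python
"""Audit of a quarter of reset tickets against the article's budget questions.

Added example; the CSV layout, the business-hours assumption and the sample rows are
constructed for illustration, not taken from any real ticketing system.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime

COST_PER_RESET_USD = 70        # Forrester estimate cited in the article
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time, Monday to Friday

# Constructed sample export. A real quarter would have hundreds of rows; eight suffice here.
SAMPLE_EXPORT = """ticket_id,opened_at,type,verification,account
INC-2001,2025-07-01T09:14:00,password_reset,oob_push,jdoe
INC-2002,2025-07-01T22:41:00,mfa_change,verbal,cfo_assist
INC-2003,2025-07-02T10:02:00,password_reset,verbal,mpatel
INC-2004,2025-07-05T16:30:00,password_reset,verbal,rlee
INC-2005,2025-07-07T11:55:00,mfa_change,oob_push,kwong
INC-2006,2025-07-11T19:20:00,password_reset,verbal,svc_backup
INC-2007,2025-07-14T08:05:00,password_reset,oob_push,tnguyen
INC-2008,2025-07-18T13:10:00,password_reset,,ahall
"""


def is_after_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def audit(export_text: str, quarters_per_year: int = 4) -> dict:
    rows = list(csv.DictReader(io.StringIO(export_text)))
    total = len(rows)

    # Question 1: the spend, stated as a single quarterly and annual figure.
    quarter_cost = total * COST_PER_RESET_USD

    # Question 2: resets where nothing stronger than the caller's words was checked,
    # plus the subset where the system did not record how identity was verified at all.
    not_oob = [r for r in rows if r["verification"] != "oob_push"]
    not_recorded = [r for r in rows if not r["verification"]]

    # Question 4: resets opened when staffing is thin, and which of those lacked out-of-band proof.
    after_hours = [r for r in rows if is_after_hours(datetime.fromisoformat(r["opened_at"]))]
    after_hours_not_oob = [r["ticket_id"] for r in after_hours if r["verification"] != "oob_push"]

    return {
        "tickets": total,
        "quarter_cost_usd": quarter_cost,
        "annual_cost_usd": quarter_cost * quarters_per_year,
        "not_oob_verified": len(not_oob),
        "verification_not_recorded": len(not_recorded),
        "after_hours": len(after_hours),
        "after_hours_not_oob": after_hours_not_oob,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run against a real export, the "verification_not_recorded" count is the one to watch: it is the gap the CFO's closing question points at, a reset the system granted without recording what, if anything, proved the caller's identity.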
Marcus eventually brought his cost model to the CFO. The conversation lasted about 20 minutes. The number that landed hardest was not the $672,000 annual operational cost, though that got attention. It was the comparison between what the organization was spending per year on help desk labor, and what a single successful fraudulent call had cost MGM.

The CFO had a simple question: “How do we know the fraudulent calls aren’t already happening?”

Marcus did not have a good answer. The ticketing system recorded resets. It didn’t record whether the person who requested them was who they claimed to be.

That gap, between the cost of the call and the cost of what the call enables, is where the real math lives. The $70 is just the door.
