Attackers now phone your help desk, impersonate an employee, and talk their way to an MFA reset. Here is the identity verification playbook that stops the threat.
Your Texas SMB can buy every security tool on the market and still lose an account to a four-minute phone call. Help desk vishing — voice phishing aimed at the people who reset passwords — has become one of the most reliable ways into a small business, because it skips the firewall entirely. The attacker calls your IT desk, sounds like a stressed employee locked out before a client meeting, and asks for a password reset and a new MFA enrollment. If the person on the other end wants to be helpful more than they want to be certain, the attacker now owns an identity inside your tenant. No malware, no exploit, no alert.
Every other control in your stack is built to say no by default. The help desk exists to say yes. Its entire performance culture — fast resolution, happy users, low ticket age — rewards the exact behavior an attacker needs. Add the fact that many Texas SMBs run a small desk where one person covers the phone during lunch, and you have a control that depends on a single human's judgment under time pressure.
Attackers prepare more than most owners expect. Before they call, they collect names, titles, reporting lines, and office locations from LinkedIn and your own website. They know your ticketing tool by name. They may have a real employee's phone number from a data broker or a prior breach dump, and they can spoof caller ID to match it. Some rehearse background noise — an airport, a job site — to justify why they can't use the normal process. The call does not sound like an attack. It sounds like a Tuesday.
The pattern is consistent enough to train against:
This is why MFA bypass attacks so often have no technical component at all. The attacker didn't defeat multi-factor authentication; a helpful person handed it over. The same logic drives many business email compromise schemes, where a single controlled mailbox turns into a fraudulent payment.
The fix is not "be more careful." It is a written standard that removes discretion for high-risk actions. Define which requests are sensitive — password resets, MFA enrollment or removal, phone number changes, privilege elevation, mailbox delegation — and require the same verification every time, for everyone, including the owner.
A workable standard for a Texas SMB looks like this:
Write it down, put it in the ticket template, and make it non-negotiable. A desk that follows a documented process consistently is far harder to social engineer than a desk staffed by experienced people improvising. Those process foundations are the same ones that make a managed help desk operation measurable in the first place.
Verification standards die when an executive gets angry about being asked to prove who they are. If your help desk technician has ever been overruled for slowing down a VP, your standard is decorative. Leadership has to state plainly that no one is exempt and that following the process is never a fireable mistake — skipping it might be.
Train the specific scenario, not the generic lesson. Most security awareness training programs cover email phishing well and voice attacks barely at all. Run live call drills: have a trusted person attempt a pretext reset and see what happens. Debrief blamelessly. The goal is a desk that treats "I can't verify you right now, so I'll call you back at your number of record" as a correct answer rather than a failure of service.
Assume one gets through. What you need then is speed. Configure alerting on the exact actions vishing produces so a successful call becomes a ten-minute incident instead of a three-week breach:
This is precisely the signal set that identity threat detection and response is built to watch. Pair it with credential exposure monitoring so you know which of your users an attacker already has research material on. And make sure the response is rehearsed, not improvised — your incident response plan should name who revokes sessions, who resets factors, and who calls the bank if payment instructions moved.
Pick one afternoon this week and do three things. First, write your sensitive-action list and the callback rule on a single page, and require your help desk to attach that verification to every matching ticket. Second, turn on alerts for new MFA registrations and post-reset sign-ins from new devices — that alert alone catches most of the damage. Third, run one unannounced vishing drill against your own desk and treat whatever happens as data, not blame.
If your desk is small, or your team is stretched thin enough that the phone gets answered by whoever is closest, this is a good place to bring in help. LayerLogix builds verification standards, identity monitoring, and drill programs into our cybersecurity services, and delivers them locally through our Houston cybersecurity team. The control costs almost nothing to implement. The account it protects is worth considerably more.
LayerLogix provides expert cybersecurity solutions for businesses across Houston and nationwide.
Let our team help your Houston business with enterprise-grade IT services and cybersecurity solutions.