What Is Helpdesk Fraud? The Most Common Helpdesk Scams in the UK

What is Helpdesk Fraud?

Helpdesk fraud is a form of social engineering where criminals impersonate employees, contractors, or IT staff to manipulate support teams into granting access, resetting credentials, or bypassing security controls.

The attacker pretends to be a real employee, claiming to be locked out of their account or dealing with an urgent IT issue. The helpdesk agent, trained to be fast and helpful, complies. Within minutes, the attacker has the access they came for.

Why is Helpdesk Impersonation Fraud Growing in the UK?

The UK Government's Fraud Strategy 2026-2029, published by the Home Office in March 2026, sets out the scale of the problem. Fraud now costs the UK economy at least £14.4 billion per year. Over 4 million fraud offences were estimated in the year ending September 2025, accounting for 45% of all crime in England and Wales. 

Businesses face equally serious risks. The same report found that 1 in 4 UK businesses with more than one employee experienced fraud in the previous twelve months, amounting to approximately 389,000 businesses and an estimated 6.04 million instances of fraud.

The strategy also identifies a direct and growing threat from AI. Criminals are now deploying generative AI tools, including deepfakes, large language models, and voice cloning, to improve the sophistication, credibility, and volume of attacks, tailoring them to specific victims and fraud types. This makes helpdesk impersonation fraud significantly harder to detect and significantly easier to execute at scale.

The M&S, Co-op and Harrods Attacks: A Defining Moment for UK Business

In April 2025, Marks and Spencer suffered one of the most damaging cyberattacks in British corporate history. As reported by Computer Weekly, the company forecast a minimum £300 million hit to operating profit as a direct result.

It started with a single helpdesk call. According to Cybernews, attackers impersonated an M&S employee and manipulated staff at Tata Consultancy Services, the third-party provider running the M&S helpdesk, into resetting their credentials. With those credentials, they deployed ransomware across critical systems.

Co-op and Harrods were hit using near-identical methods within days. The Cyber Monitoring Centre assessed the combined financial impact at between £270 million and £440 million.

The NCSC confirmed that social engineering targeting IT helpdesks, specifically to perform password and MFA resets, is the technique consistently used by the group attributed to these attacks.

The Most Common Helpdesk Scams in the UK

1. Fake IT department calls targeting employees

The attacker poses as internal IT support and calls an employee directly, asking them to approve an MFA prompt, share credentials, or install a remote access tool. 

The Figure Technology breach of February 2026 is a recent example of this tactic. An employee received a call from someone claiming to be IT support and was directed to a phishing page mimicking their company's Okta login portal. The page acted as a real-time proxy, capturing credentials and MFA codes simultaneously. The attacker registered their own device as a trusted authenticator and gained persistent access. Close to one million customer records were subsequently exposed.

The employee was not at fault. There was simply no mechanism to verify whether the caller was genuine before acting on their instructions.

2. Vishing (voice phishing) targeting helpdesk staff

Vishing uses a live phone call to manipulate a target in real time. The attacker calls inbound to the helpdesk, posing as an employee with an urgent issue. Using a convincing story, internal terminology, and often details gathered from data breaches or LinkedIn, they pressure the agent into resetting a password, removing MFA, or registering a new device without proper verification. 

3. MFA bypass requests

As the Figure breach demonstrates, MFA alone is not sufficient against an attacker who can intercept a session or manipulate an employee into completing a login on their behalf. The NCSC explicitly called out this technique following the 2025 retail attacks and urged all UK organisations to review their helpdesk MFA reset and device registration processes.

4. Third-party and contractor impersonation

External contractors often hold broad access and receive less scrutiny than internal staff. The M&S breach originated through exactly this gap, via credentials held by a third-party IT provider with over a decade of access to M&S systems.

How to Prevent Helpdesk Fraud

  • Verify out of band. Any request involving password resets or MFA changes should be confirmed through a separate, pre-registered channel. 
  • Stop relying on knowledge-based checks. The Fraud Strategy 2026-2029 highlights that criminals routinely exploit data breaches to craft convincing impersonations, making security questions and personal details unreliable as proof of identity.
  • Train specifically for social engineering. Helpdesk teams need scenarios that reflect the pressure of live calls, the exact techniques attackers use, and clear permission to pause a request when something feels wrong.
  • Tighten third-party access. Outsourced IT teams should face the same verification standards as internal staff. As the Cyber Monitoring Centre's assessment confirmed, the level of access held by third-party contractors determines the scale of what can be lost.
  • Use real-time mutual verification. The strongest protection against helpdesk impersonation fraud is confirming both sides of a request in real time, before any action is taken. When both parties must verify, impersonation fails at the point of contact.
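
The out-of-band rule from the list above, sketched as a helpdesk request gate. This is an added example, not code from the original page or from any product it mentions; the account names, channel identifiers, phone number and the five-minute code lifetime are all constructed assumptions.

```python
import hmac, secrets, time
from dataclasses import dataclass

SENSITIVE = {"password_reset", "mfa_reset", "device_registration"}
CODE_TTL = 300  # seconds a challenge stays valid (assumed value)

# Constructed directory. Channels are enrolled before any call takes place;
# the contractor account goes through exactly the same path as internal staff.
DIRECTORY = {
    "a.patel": "authenticator-app:device-7731",
    "vendor.contractor9": "authenticator-app:device-1182",
    "new.starter": None,  # nothing enrolled yet
}

@dataclass
class Challenge:
    action: str
    code: str
    expires: float
    used: bool = False

class HelpdeskGate:
    def __init__(self, send):
        self.send = send    # callable(channel, code): delivers out of band
        self.pending = {}

    def open_request(self, user, action, caller_supplied_contact=None, kba_answers=None):
        # caller_supplied_contact and kba_answers are accepted so the agent can
        # log them, but they never influence the decision.
        if action not in SENSITIVE:
            return "allow"
        channel = DIRECTORY.get(user)
        if channel is None:
            return "escalate"  # no pre-registered channel: hand off, do not improvise
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = Challenge(action, code, time.time() + CODE_TTL)
        self.send(channel, code)
        return "challenge_sent"

    def confirm(self, user, action, code, now=None):
        ch = self.pending.get(user)
        now = time.time() if now is None else now
        if ch is None or ch.used or ch.action != action or now > ch.expires:
            return False
        ch.used = True  # one attempt only: a wrong guess burns the challenge
        return hmac.compare_digest(ch.code, code)
```

The agent performs the reset only when `confirm` returns True; an "escalate" result goes to whatever in-person or manager-approved process the organisation defines.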

Enterprise Helpdesk Verification: Real-Time Protection with UnDoubt

  • UnDoubt Workforce covers all internal communications, including IT helpdesk interactions between employees and support staff, ensuring every internal request comes from a verified colleague on an approved device.
  • UnDoubt Verify covers external-facing helpdesk interactions. Depending on the level of risk, it can confirm one side of the interaction, so your customers know they are genuinely communicating with your organisation, or require both parties to verify each other before any sensitive action proceeds.

Together, they close the human verification gap that technical controls leave open. Contact us at undoubt@lastingasset.com to discuss a pilot for your organisation.

Helpdesk Fraud: Frequently Asked Questions

What is the difference between helpdesk fraud and phishing?

Phishing uses deceptive messages such as emails, texts, or links to trick people. Helpdesk fraud uses live phone calls and direct impersonation to manipulate support staff in real time.

What is vishing in cybersecurity?

Vishing is voice phishing: a fraud technique that uses phone calls to manipulate targets. In helpdesk attacks, it is used to impersonate employees and pressure support agents into granting unauthorised access.

Is multifactor authentication enough to stop helpdesk fraud? 

Not on its own. As the Figure Technology breach of February 2026 demonstrated, an attacker who can manipulate an employee over the phone can intercept MFA codes in real time or convince a helpdesk agent to remove MFA protection entirely. The gap is not the technology. It is the human interaction around it.

What should a helpdesk agent do if a request feels suspicious? 

Stop and verify through a separate channel before taking any action. Confirm the request through an internal system that is independent of the call. Resistance to this step, or escalating pressure when asked to verify identity, should be treated as a warning sign.

Sources:

[1] UK Government, Fraud Strategy 2026-2029, Home Office, March 2026 https://assets.publishing.service.gov.uk/media/69ae77ddc78869bf8eb8a509/fraud-strategy-web.pdf

[2] Computer Weekly, M&S cyber attack disruption likely to last until July, May 2025 https://www.computerweekly.com/news/366624272/MS-cyber-attack-disruption-likely-to-last-until-July

[3] Cybernews, Marks and Spencer hackers used employee login via TCS, May 2025 https://cybernews.com/news/marks-spencer-hackers-used-employee-login-tsc-tata-consulting-scattered-spider/

[4] Cyber Monitoring Centre, Statement on Ransomware Incidents in the Retail Sector, June 2025 https://cybermonitoringcentre.com/2025/06/20/cyber-monitoring-centre-statement-on-ransomware-incidents-in-the-retail-sector-june-2025/

[5] NCSC, Incidents impacting retailers: recommendations from the NCSC, July 2025 https://www.ncsc.gov.uk/blog-post/incidents-impacting-retailers