The deepfake video call is the dramatic version of this problem, and it makes for a memorable story. The version that is quietly emptying corporate accounts and taking whole companies offline is far less cinematic. It is a phone call. Sometimes to the IT help desk, sometimes from someone claiming to be IT. And in most organizations, the person on the other end has no reliable way to confirm who they are actually talking to.
In September 2023, attackers took down much of MGM Resorts with a single phone call. The group known as Scattered Spider found an employee on LinkedIn, called the company’s IT help desk pretending to be them, and talked the agent into resetting the account. The call reportedly lasted about ten minutes. From there they moved into MGM’s core systems, and the disruption that followed, offline slot machines, dead room keys, guests checking in on paper, cost the company around $100 million in that quarter alone, a figure MGM disclosed to the SEC.
It took a ten-minute phone call to the IT help desk to bring down MGM Resorts. The disruption cost around $100 million.
The same group hit Caesars Entertainment at almost the same time, again through its IT support function, and Caesars reportedly paid about 15 million dollars in ransom. Neither attack relied on a clever exploit or an unknown vulnerability. They relied on the help desk having no dependable way to tell a real employee from someone impersonating one.
This is a repeatable playbook, and in 2025 it arrived on the UK high street. Between April and May, Marks & Spencer, Co-op, and Harrods were all hit in the same wave, attributed to the same group and the same method: social engineering aimed at IT help desk processes, obtaining password or multi-factor authentication resets before ransomware was deployed. For M&S, online orders were suspended for around six weeks, and the company told investors the incident would take roughly £300 millions off its operating profit for the year. The UK’s Cyber Monitoring Centre later assessed the M&S and Co-op incidents together as a single major event, with combined costs estimated between £270 and £440 million.
The M&S and Co-op attacks are estimated to have cost between £270 and £440 million. The way in was a phone call.
The precise entry point at M&S has been reported in more than one way, with some accounts pointing to a socially engineered help desk reset and others to compromised credentials held by an outsourced IT provider. The common thread, and the point that matters, is the same: the identity of the person requesting access could not be reliably verified.
None of this is anecdotal. The independent threat intelligence tells the same story from every direction. CrowdStrike recorded a 442 percent rise in voice phishing between the first and second halves of 2024. Mandiant, drawing on more than 500,000 hours of incident response work, found that voice phishing had become the second most common way attackers gain initial access in 2025, while old-fashioned email phishing fell to a fraction of its former share. Palo Alto’s Unit 42 found that just over a third of the incidents it responded to began with social engineering, and that nearly half of those involved someone impersonating an internal colleague. Verizon’s annual breach report continues to put a human element in around 60 percent of breaches.
Voice phishing is now the second most common way attackers break into an organization, ahead of email. (Mandiant, M-Trends 2026) Voice phishing rose 442% in the second half of 2024. (CrowdStrike)
The reason this works is not that employees are careless. It is that every method we have for verifying a caller has quietly failed. Knowledge-based checks, an employee ID, a date of birth, a manager’s name, are defeated by a few minutes on LinkedIn and the contents of old data breaches. Calling back a known number is defeated by number spoofing and SIM swaps. Recognizing a voice is defeated by AI cloning. Each of these rests on something an attacker can now research, spoof, or synthesize. The help desk agent taking a reset request, and the employee taking a call from someone claiming to be IT, are both being asked to make a trust decision with no reliable way to make it.
It is why help desk and identity verification has become one of the most targeted controls in enterprise security. It is telling that both Mandiant and Unit 42, in the same reports, reach for the same recommendation: stronger, continuous verification of who is really on the other end, rather than more training on how to spot a fake.
This is the gap we built Loxada Verify to close. It addresses both directions of the problem: the help desk confirming an inbound caller, and an employee confirming a call that claims to come from IT or HR. And it works on a different axis from everything that has failed. Rather than relying on something the caller knows, or a voice or face that can now be cloned, Verify provides hardware-backed proof that the other party is genuinely connected through a company-issued device. The requirement that both people are on company hardware is not a limitation. It is the point, because the highest-risk internal moments, a password reset, a payment authorization, an access request, are exactly the ones where both sides should be on managed devices in the first place.
Verify is one control in a process, not a cure-all. It gives the help desk a proof that cannot be talked around, but the organization still has to require that proof before it acts. And it does not solve every part of these breaches. Compromised third-party credentials and lateral movement once an attacker is inside remain separate problems. What it does solve is the specific, well-evidenced gap at the center of every case above: confirming, reliably, that the person you are dealing with is who they claim to be.
Loxada Verify is arriving in 2026, learn more about it our blog post. If the question of how your help desk and your staff verify who they are really speaking to is one you are starting to ask, we would be glad to talk early.