When “Hi IT” Becomes a Breach: How to Defend Against AI-Driven Social Engineering

The cyberattacks against MGM Resorts, Marks & Spencer, Co-op, and other high-profile organizations put a spotlight on a growing security challenge: service desk social engineering. In each incident, attackers didn’t need a clever exploit, instead manipulating legitimate account recovery and support processes to gain access. In 2026, those social engineering scams are being made more accessible and scalable with artificial intelligence (AI).

The emergence of AI-powered phishing, voice cloning and impersonation tools are all new challenges that security teams must defend against. But AI is not the root cause of the identity security issues many organizations are facing.

The underlying issue is that identity verification still largely rely on processes that confirm information about a user rather than proving the identity of the person making the request. AI simply gives attackers more convincing ways to exploit that weakness.

Why are service desks a prime target?

Security teams invest heavily in technologies designed to prevent unauthorized access. Strong passwords, MFA, endpoint protection, conditional access policies, and monitoring tools all play an important role in protecting corporate environments.

Attackers know these controls can be difficult to bypass directly. It is often easier to exploit the processes around them, especially the workflows designed to help legitimate users regain access when something goes wrong.

To a service desk agent, requests to reset passwords or onboard a new user may look routine. The request may be genuine. But it may also be an attacker trying to take over an account.

Organizations also support remote employees and contractors, contacting the desk from personal or unmanaged devices. Service desk staff often must make access-related decisions without ever meeting the person requesting help.

That puts service desk teams in a difficult position. Unlike a standard login attempt, there may be no technical signal that independently proves who is making the request. The agent becomes part of the security process and must make a judgement based on the information available.

At the same time, password resets remain one of the most common and costly service desk activities. Forrester has estimated that each help desk-assisted password reset costs organizations around $70. When creating both a security challenge and a significant operational burden.

How is generative AI being misused in social engineering scams?

Generative AI is helping attackers improve on the three elements that social engineering has always relied on: trust, persuasion and credibility. Armed with widely available AI tools, attackers can now generate:

More convincing phishing messages

Large language models can generate polished phishing emails, support requests and chat messages with very little effort. Attackers can then refine and personalize those messages using publicly available information from social media, company websites, conference talks and professional networking platforms.

Voice cloning and real-time impersonation

A few years ago, convincing voice impersonation required specialist skills and resources. Today, recordings from publicly available media may provide enough source material to create a realistic voice replica. Combined with real-time voice conversion tools, attackers can hold live conversations while sounding like the person they are impersonating.

A confident caller who uses the right terminology, references real colleagues and sounds like a legitimate employee may still be an attacker. As these attacks become more convincing, organizations need to assess whether their current verification processes still provide the right level of assurance.

The problem with traditional verification methods

Many organizations still rely on verification methods that were designed for a very different threat landscape. Knowledge-based verification remains common across service desk workflows, where users verify through measures like security questions before a request is approved.

However, information from sources such as data breaches, phishing campaigns or social media profiles can provide many of the details needed to satisfy these checks. In some cases, attackers may already possess a significant amount of information about the employee they are impersonating.

Organizations often supplement verification processes with one-time passcodes delivered through email, SMS, or authentication applications. While these controls are valuable during normal authentication processes, they can become problematic during account recovery scenarios when the user is unable to access the device or account receiving the code.

Callback procedures and manager approvals add additional safeguards, but they still rely heavily on human judgement and remain vulnerable to social engineering, SIM-swapping attacks, and process manipulation.

How to stop AI-based social engineering scams

Rather than relying on information that can be stolen or guessed, service teams need measures that validate the individual behind a request.

For instance, they can match a name to government-issued identity documents for authenticity, while biometric liveness detection helps confirm that a real person is physically present during the verification process. Verified identity attributes can then be matched against organizational records before access is granted.

This approach creates a much higher level of assurance than traditional verification methods because it verifies the person, not simply the information they know.

For organizations operating in regulated industries, critical infrastructure, healthcare, financial services, and other high-trust environments, this additional assurance plays an important role in reducing account takeover risk and strengthening identity security.

Bringing verified identity into service desk

Specops Verified ID helps organizations introduce sophisticated identity verification into password reset, onboarding, and service desk workflows.

Users verify their identity through the Specops mobile app using a government-issued document such as a passport, driver’s license, or national ID card. AI-powered document verification helps validate the authenticity of the document, while biometric liveness detection confirms that the individual presenting it is physically present.

Once verified, key identity attributes can be validated against Active Directory or Microsoft Entra ID records before a password reset or service desk request is approved. The result is a more consistent verification process, and fewer opportunities for attackers to exploit human decision-making during high-risk access requests.

To learn how Specops Verified ID can help protect your organization from modern social engineering attacks, contact us or book a demo today.