Opinion

29 Aug 2024 | 6 min read

IT Operations, Security

Most employees don’t give the IT helpdesk much thought until there’s a problem. Unfortunately, businesses may overlook the hidden costs that even minor IT issues can bring.

When an employee is locked out, frustration rises while productivity drops. The downtime interrupts the employee's work and consumes helpdesk agent time. Then there are the security exposures that go hand in hand with frequent lockouts, password resets, and re-verifications, since every reset is an opportunity for someone other than the employee to ask for one. All of these delays and interruptions add up to lost revenue.

Where do these costs come from?

According to Statista, 56% of employees reset at least one password every month, and password resets alone account for roughly half of all support tickets. Add multi-factor authentication (MFA) resets to the picture and the share is likely even higher. That volume of lockouts translates into significant cost over time.

Long verification processes are another factor. A Forrester study found that companies spend $87 per password reset (adjusted for inflation in 2024), which amounts to a whopping $795 per employee annually. Things get even worse if a manager needs to get involved or if Zoom visual verification is needed for MFA resets: a single visual verification can cost $162 or more and take hours to resolve. These costs must also factor in lost work hours while employees wait to regain access and managers take time from regular tasks to verify employees.

And the more lockouts and re-verifications there are, the more chances a threat actor has to slip through one of them. Most of the methods helpdesks use to confirm a caller's identity are easy to defeat, and several were never designed to be security factors at all; they are knowledge or possession checks that an attacker can satisfy with stolen data or a compromised channel. If your organization relies on any of the following to verify people at the helpdesk, it is at risk:

Security questions: At this point, we must assume that answers to security questions — easily obtained via social media (pet’s name), public records (mother’s maiden name), or previous data breaches (last four digits of the SSN) — are already in threat actors’ hands. 

One-time passcodes sent via text message or email: These methods simply shift the security burden onto another account or channel. Text messages can be intercepted by malware such as SMS trojans, by SIM swapping (an account takeover technique in which fraudsters bribe or trick wireless carrier employees into moving a customer's number to a SIM the attacker controls), and by OTP interception bots that phone or text the victim and talk them into reading back the one-time code.

Email passcodes and links are only as strong as the mailbox they land in. That mailbox may be protected by the same weak MFA factors listed here, or by nothing more than a username and password that may already have leaked in a previous breach. And if someone is contacting the helpdesk because they have lost their phone or are locked out of their accounts, there is a good chance they literally cannot receive texts or emails in the first place.

Push notifications sent to an authenticator app: This method is vulnerable to push fatigue (also called MFA bombing), a vector that rose to prominence around 2022. The attacker, already holding the user's password, triggers MFA push requests over and over until the user becomes so "fatigued" that they tap "approve" either deliberately to make the prompts stop or by accident, letting the threat actor in. Alternatively, after a string of prompts the fraudster calls the user, posing as an IT employee, and talks them into accepting the next one. In 2022, Microsoft reported more than 382,000 MFA fatigue attacks.
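The pattern described above is visible in identity-provider logs before the user caves: a burst of push prompts to one account, most of them denied or timed out, sometimes followed by a single approval. The following Python script is an added example, not code from the article or from any vendor, and it assumes a hypothetical comma-separated log format (timestamp, user, event, source IP); the sample lines are constructed for illustration and the thresholds are arbitrary starting points to tune against your own baseline.

```python
"""Flag MFA push-fatigue (push bombing) patterns in authentication logs.

Added example, not part of the original article. The log format and the
event names (push_sent, push_denied, push_timeout, push_approved) are
hypothetical; adapt parse_log() to whatever your IdP actually exports.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one victim who eventually approves (jdoe), one normal
# login (asmith), and one account still being bombarded with no approval (bchen).
SAMPLE_LOG = """\
2024-08-20T02:11:05Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:11:21Z,jdoe,push_denied,203.0.113.9
2024-08-20T02:11:40Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:11:55Z,jdoe,push_timeout,203.0.113.9
2024-08-20T02:12:10Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:12:30Z,jdoe,push_denied,203.0.113.9
2024-08-20T02:12:45Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:13:00Z,jdoe,push_denied,203.0.113.9
2024-08-20T02:13:20Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:13:35Z,jdoe,push_denied,203.0.113.9
2024-08-20T02:13:50Z,jdoe,push_sent,203.0.113.9
2024-08-20T02:14:05Z,jdoe,push_approved,203.0.113.9
2024-08-20T09:00:00Z,asmith,push_sent,198.51.100.20
2024-08-20T09:00:08Z,asmith,push_approved,198.51.100.20
2024-08-20T22:30:00Z,bchen,push_sent,203.0.113.9
2024-08-20T22:30:45Z,bchen,push_timeout,203.0.113.9
2024-08-20T22:31:00Z,bchen,push_sent,203.0.113.9
2024-08-20T22:31:45Z,bchen,push_timeout,203.0.113.9
2024-08-20T22:32:00Z,bchen,push_sent,203.0.113.9
2024-08-20T22:32:45Z,bchen,push_timeout,203.0.113.9
2024-08-20T22:33:00Z,bchen,push_sent,203.0.113.9
2024-08-20T22:33:45Z,bchen,push_timeout,203.0.113.9
2024-08-20T22:34:00Z,bchen,push_sent,203.0.113.9
2024-08-20T22:34:45Z,bchen,push_timeout,203.0.113.9
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str
    src_ip: str


def parse_log(text):
    """Parse the hypothetical CSV format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, ip = (f.strip() for f in line.split(","))
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Return alerts for users receiving >= threshold prompts inside `window`.

    Two alert kinds are produced:
      - "bombardment": the prompt burst itself, raised once per burst so the
        SOC can intervene before the user approves anything;
      - "approval_after_bombardment": an approval that follows a burst in which
        the user had already denied or ignored prompts, the classic sign that
        the attacker's password is valid and the second factor just failed.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        prompts = deque()      # timestamps of push_sent inside the window
        rejections = deque()   # timestamps of push_denied/push_timeout inside the window
        burst_reported = False
        for e in evs:
            cutoff = e.ts - window
            while prompts and prompts[0] < cutoff:
                prompts.popleft()
            while rejections and rejections[0] < cutoff:
                rejections.popleft()

            if e.event == "push_sent":
                prompts.append(e.ts)
                if len(prompts) >= threshold and not burst_reported:
                    alerts.append({"user": user, "kind": "bombardment",
                                   "prompts": len(prompts), "at": e.ts.isoformat()})
                    burst_reported = True
            elif e.event in ("push_denied", "push_timeout"):
                rejections.append(e.ts)
            elif e.event == "push_approved":
                if len(prompts) >= threshold and rejections:
                    alerts.append({"user": user, "kind": "approval_after_bombardment",
                                   "prompts": len(prompts), "rejections": len(rejections),
                                   "src_ip": e.src_ip, "at": e.ts.isoformat()})
                # An approval closes the burst; start counting afresh.
                prompts.clear()
                rejections.clear()
                burst_reported = False
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The "approval_after_bombardment" alert is the one to treat as a probable compromise: the password is known to the attacker, and the session that resulted should be revoked and the user's second factor re-enrolled through a verification path that does not itself rely on a push prompt. Number matching or phishing-resistant factors (FIDO2/WebAuthn) remove the "just tap approve" failure mode that this detection is compensating for.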

But what happens when a user cannot reach their authenticator app at all? One of the most frustrating aspects of moving to a new phone is the risk of being locked out of every account tied to the old device. Without the authenticator, the only way back in is to call the helpdesk, which then has to verify the user's identity manually, and that is exactly the step an impersonator targets. Even if you have never been locked out yourself, an attacker can work the account recovery process in your name, persuading an agent to reset your credentials and MFA and walking away with access to your accounts and data.

Social engineering and deepfakes: Perhaps the biggest exposure for IT helpdesks is plain social engineering, in which fraudsters bypass MFA by talking IT support into resetting a user's credentials. The threat is serious enough that the U.S. Department of Health and Human Services recently issued a sector alert on social engineering attacks against IT helpdesks, citing incidents like the one at MGM Resorts International last year. Members of the Scattered Spider group, working from details gleaned from employees' social media profiles, impersonated high-value MGM employees and convinced helpdesk staff to reset their passwords and MFA. That gave the attackers access to MGM's Okta environment and, through it, the company's cloud identity infrastructure, paralyzing its systems for several days.

Deepfake video calls have been used to startling effect as well: one cost a Hong Kong company $25 million in February of this year, and a UK-based multinational lost over $500,000 after an employee was fooled by a deepfake video of the CEO.

How to reduce costs

The first step is to identify the exposure points where helpdesk operations grind to a halt, and user verification is the obvious one. Because of the risks above, helpdesks increasingly require a video verification call, sometimes with a manager on the line, which can take hours to arrange and complete. Resetting passwords and MFA tokens by hand is likewise slow, several minutes of agent time per ticket, and it is the very step a threat actor exploits by impersonating a legitimate user.

Once exposure points are found, organizations must adopt stronger, faster verification factors. While visual verification calls are in vogue because security questions, push notifications and one-time passcodes are inflexible and easy for threat actors to exploit, a better type of workforce verification matches a person’s government-issued photo ID to their live selfie in real-time in less than 30 seconds. Products are available that can do this out of the box with a multi-pronged approach that includes facial biometrics, mobile cryptography, and AI. These products also provide a unified console for helpdesk agents to send, manage, and review all types of identity verification requests.

Self-service solutions are another option. A new breed of self-service account recovery (SSAR) enables employees to reset their own passwords and MFA tokens without helpdesk involvement or increased risk. These solutions are possible because identity verification companies have finally developed technology that delivers the level of security and assurance needed for ultra high-risk functions such as resetting MFA. As businesses increasingly rely on and invest in advanced technologies, deepfakes will keep pace, making the IT helpdesk ever more vital. But helpdesk employees cannot be the sole or main line of defense. Advanced purpose-built technologies that can stop deepfake attacks will save helpdesk costs, reduce employee frustration, and protect valuable customer and company assets.


by Aaron Painter

Contributor

Aaron Painter is a deepfake expert and CEO of Nametag Inc., the world’s first identity verification platform designed to safeguard accounts against impersonators and AI-generated deepfakes.
