CrowdStrike’s 2025 Global Threat Report Reveals Phone-Based Social Engineering Is Surging

Last Modified Date: Mar 15, 2025

CrowdStrike’s 2025 Global Threat Report reveals adversaries are increasingly using identity compromise and social engineering to gain initial access and perform lateral movement. 

In 2024, CrowdStrike Intelligence tracked a sharp rise in distinct campaigns leveraging telephone-based social engineering for initial access, including vishing and help desk impersonation tactics.

Multiple adversaries incorporated vishing into their intrusions in 2024, and vishing attacks skyrocketed 442% between the first and second half of 2024.

In most vishing campaigns last year, threat actors impersonated IT support staff, calling targeted users under the pretext of resolving connectivity or security issues.

Several campaigns used spam bombing—flooding inboxes with junk messages—as a setup for vishing attempts, some of which led to Black Basta ransomware deployments. Callback phishing—which involves lure emails prompting victims to call fraudulent support lines—was also a common tactic for initial access.

Multiple threat actors are also increasingly adopting help desk social engineering tactics. In these campaigns, attackers impersonate a legitimate employee and call the targeted organization’s IT help desk with the aim of persuading a help desk agent to reset passwords and/or multifactor authentication (MFA) for the relevant account.

Help desks typically verify employees requesting password or MFA resets by asking for details like their full name, date of birth, employee ID, manager’s name, or answers to security questions. However, cybercriminals conducting help desk social engineering are often able to provide these details correctly because the information is publicly available through social media or data broker sites.

The report notes evidence indicating these kinds of attacks will continue to be a prevalent threat this year:

“Over the past year, several eCrime actors have openly recruited callers on popular eCrime forums. The advertisements are usually for English-speaking callers with knowledge of RMM tooling and experience conducting remote sessions. Some eCrime actors have also sought effective methods for spoofing phone numbers or encrypting calls to ensure caller IDs can be edited and appear more legitimate. This activity suggests phone-oriented social engineering will be a credible threat in 2025 as demand for these capabilities increases.”

To defend against these attacks, CrowdStrike recommends requiring video authentication with government ID for employees requesting password resets, training IT staff to be extra cautious of off-hours password and MFA reset requests, using authentication factors such as FIDO2, and monitoring for multiple users attempting to register the same device or phone number.
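Detection logic for the last two of those recommendations, written as an added example that is not from the report or from Optery: it parses constructed identity-provider log lines (the field names and the 08:00 to 18:00 UTC business window are assumptions) and flags phone numbers or devices enrolled by more than one account, plus password and MFA resets requested off hours.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample identity-provider events (illustrative, not from the report).
# Each line: timestamp, then key=value fields; phone/device identifies the MFA factor.
SAMPLE_LOG = """\
2025-03-03T09:12:04Z user=alice.kim action=mfa_enroll factor=sms phone=+15550100
2025-03-03T09:40:11Z user=bob.tran action=mfa_enroll factor=fido2 device=yubikey-7f3a
2025-03-04T22:15:30Z user=carol.ng action=mfa_reset factor=sms phone=+15550199
2025-03-04T22:17:02Z user=dave.ortiz action=mfa_enroll factor=sms phone=+15550199
2025-03-05T02:41:09Z user=gina.park action=password_reset channel=helpdesk
2025-03-05T03:05:45Z user=erin.wu action=mfa_enroll factor=push device=iphone-a1b2
2025-03-05T03:06:10Z user=frank.lo action=mfa_enroll factor=push device=iphone-a1b2
2025-03-05T10:20:00Z user=hank.li action=password_reset channel=helpdesk
"""

def parse_events(text):
    """Parse 'timestamp k=v k=v ...' lines into dicts; blank lines are skipped."""
    events = []
    for line in filter(None, text.splitlines()):
        parts = line.split()
        ev = {"ts": parts[0]}
        for kv in parts[1:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def shared_identifiers(events, min_users=2):
    """Phone numbers or device IDs enrolled by at least min_users distinct accounts:
    one attacker-controlled factor bound to several victims is the signal to watch."""
    owners = defaultdict(set)
    for ev in events:
        ident = ev.get("phone") or ev.get("device")
        if ident:
            owners[ident].add(ev["user"])
    return {k: sorted(v) for k, v in owners.items() if len(v) >= min_users}

def off_hours_resets(events, start_hour=8, end_hour=18):
    """Password/MFA resets outside business hours (UTC window is an assumption)."""
    flagged = []
    for ev in events:
        if ev["action"] not in ("password_reset", "mfa_reset"):
            continue
        hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        if not start_hour <= hour < end_hour:
            flagged.append((ev["ts"], ev["user"]))
    return flagged
```

In practice the same two checks would run over the identity provider's real enrollment and reset audit stream, with the shared-identifier hit routed to the help desk before the second enrollment is honored.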

Additionally, the recently leaked chat logs from the Black Basta ransomware gang confirm that removing employee personal data from data brokers is critical to reducing the risk of being targeted. Without easy access to employee PII, it is much more difficult for attackers to carry out help desk impersonation, vishing, and other social engineering tactics.

Download CrowdStrike’s full report for more insights.
