You know those friendly “forgot your password?” prompts? Cyber criminals love them.
In fact, many attacks today don’t begin with a technical breach at all; they start with a phone call.
Recently, cyber criminals have been impersonating staff to trick IT help desks into resetting passwords and handing over access. It’s shockingly effective. And with major UK retailers like Marks & Spencer, Co-op and Harrods now caught up in these attacks, the National Cyber Security Centre (NCSC) has issued urgent guidance: review your password reset process today.
How do hackers exploit the password reset process?
They don’t need a hoodie or a dark basement. Just a convincing voice, a bit of research, and a target who’s too busy to question things.
Here’s how it plays out:
- They call your IT help desk pretending to be a locked-out team member (sometimes even a senior exec).
- They know just enough details to sound legitimate.
- They ask for a password reset.
- If your help desk doesn’t follow strict verification steps… access granted.
This technique is called social engineering, and it’s behind some of the most sophisticated breaches in recent years. Hackers have even used it to bring Las Vegas casino operators to a standstill. Yes, really.
What the NCSC wants you to do
The NCSC’s latest advice makes it clear: the old “what’s your mother’s maiden name?” isn’t cutting it anymore.
If your process is based on trust alone, you’re leaving the door wide open.
Here’s what businesses should be doing:
1. Use layered authentication checks
Don’t rely on a single check. Combine several: call the requester back on the number already on record (not one they give you), confirm with their line manager, and check that the request matches their role. Remember that caller ID can be spoofed and that names, job titles and start dates are easy to find online, so none of those prove anything on their own.
2. Introduce code words
Yep, like spies. Agree a unique code word (e.g. “BluePenguin”) that must be given before any password change, and keep it out of shared mailboxes and wikis that an attacker could read once they have one account. It sounds silly, until it stops a breach.
3. Monitor for suspicious login behaviour
Check for logins at strange times or from unusual locations, and pay particular attention to the first sign-ins after a help desk reset. A 2am login from overseas, twenty minutes after the help desk reset that account, should raise flags.
4. Limit password reset permissions
Not everyone on the help desk should be able to reset admin credentials. Resets for privileged accounts should need a higher tier of staff and a stricter check (in person or confirmed by a manager). Create a clear structure for who can do what and audit it regularly.
5. Train your team to question everything
The best defence is a sceptical mind. Encourage your team to challenge requests, especially those that feel rushed or emotional, and make it clear that an agent who slows down a “senior exec” to verify them will be backed, not blamed.
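Putting the checks above into something you can actually run against your own logs, as an added example that is not code from the original post or from the NCSC guidance: the script below reads a constructed newline-delimited JSON audit log (the format, field names, agent tiers, working-hours window and expected-country list are all assumptions made for illustration) and flags resets that skipped a required verification step, admin resets performed by an agent who isn’t allowed to do them, resets processed out of hours, and the first logins after a reset that arrive from an unexpected country or at an odd time.

```python
"""Review help-desk password resets against the checks above.

Added example, not code from the original post or from the NCSC guidance.
The JSON log format, field names, the agent tiers, the working-hours window
and the expected-country list are all assumptions made for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). Two event types:
#   password_reset  - a help-desk agent reset a user's password, recording
#                     which verification steps were actually performed
#   login           - a user signed in, with the source country
SAMPLE_LOG = """
{"ts":"2025-05-12T09:14:03Z","event":"password_reset","actor":"helpdesk.anna","target":"j.smith","target_role":"user","verified_by":["callback","codeword"]}
{"ts":"2025-05-12T09:20:44Z","event":"login","user":"j.smith","country":"GB"}
{"ts":"2025-05-12T11:02:00Z","event":"password_reset","actor":"helpdesk.carl","target":"finance.lead","target_role":"user","verified_by":["callback","codeword"]}
{"ts":"2025-05-12T11:30:00Z","event":"login","user":"finance.lead","country":"BR"}
{"ts":"2025-05-12T22:41:10Z","event":"password_reset","actor":"helpdesk.bob","target":"it.admin","target_role":"admin","verified_by":["caller_id"]}
{"ts":"2025-05-13T02:03:27Z","event":"login","user":"it.admin","country":"RU"}
"""

# Assumed policy (hypothetical values chosen for the example):
REQUIRED_CHECKS = {"callback", "codeword"}   # layered checks every reset must record
ADMIN_RESETTERS = {"helpdesk.anna"}          # only these agents may reset admin accounts
BUSINESS_HOURS = (8, 18)                     # activity expected between 08:00 and 18:00 UTC
HOME_COUNTRIES = {"GB"}                      # countries logins normally come from
POST_RESET_WINDOW = timedelta(hours=6)       # how long after a reset logins are scrutinised


def parse_log(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        # fromisoformat() needs an explicit offset on older Pythons, so swap the Z
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.hour < end


def review_resets(events):
    """Return a list of (target_account, reason) findings for suspicious resets."""
    findings = []
    resets = [e for e in events if e["event"] == "password_reset"]
    logins = [e for e in events if e["event"] == "login"]

    for reset in resets:
        target = reset["target"]
        # Layered checks: were the required verification steps actually performed?
        missing = REQUIRED_CHECKS - set(reset["verified_by"])
        if missing:
            findings.append((target, f"reset by {reset['actor']} skipped {sorted(missing)}"))
        # Limited permissions: was an admin account reset by an agent not cleared for it?
        if reset["target_role"] == "admin" and reset["actor"] not in ADMIN_RESETTERS:
            findings.append((target, f"admin reset performed by unauthorised agent {reset['actor']}"))
        # A reset processed out of hours deserves a second look on its own
        if not in_business_hours(reset["ts"]):
            findings.append((target, "reset processed outside business hours"))
        # Suspicious login behaviour: logins shortly after the reset from an odd place or time
        for login in logins:
            if login["user"] != target:
                continue
            if not reset["ts"] <= login["ts"] <= reset["ts"] + POST_RESET_WINDOW:
                continue
            if login["country"] not in HOME_COUNTRIES:
                findings.append((target, f"post-reset login from {login['country']}"))
            if not in_business_hours(login["ts"]):
                findings.append((target, "post-reset login outside business hours"))
    return findings


if __name__ == "__main__":
    for account, reason in review_resets(parse_log(SAMPLE_LOG)):
        print(f"{account}: {reason}")
```

The key design choice is correlation: a login from abroad is noise on its own for a travelling employee, but a login from abroad within hours of a help desk reset that skipped the callback and code word is exactly the pattern the article describes. In the sample data, j.smith’s reset produces no findings, finance.lead’s produces one (a post-reset login from Brazil), and it.admin’s produces five, which is the case you would want paged out to someone immediately.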
Why reviewing your process matters now
Attackers are getting smarter. Many are young, English-speaking, and incredibly skilled at pretending to be someone they’re not.
They coordinate on platforms like Discord and Telegram, often sharing tips on how to bypass basic security protocols.
You don’t want to be the business that made it too easy.
What does your current process look like?
When was the last time you reviewed it properly? Do your team know what to look out for? If you’re not sure, you’re not alone, but that doesn’t make you safe.
Final thoughts
Your password reset process might seem like a small cog in the machine. But it’s often the easiest way in for attackers.
Review it. Test it. Talk to your team. A few simple changes could stop a very expensive problem.
Need a second opinion on your current process?
We help businesses like yours build smarter, safer systems, without the jargon.