Why hackers are targeting agency help desks and key employees to bypass cyber defenses

Government agencies have spent billions building digital fortresses. A new generation of threat actors, however, is circumventing those investments by exploiting the most persistent vulnerability: agency employees.
According to a new report from Scoop News Group and Proofpoint, attackers are bypassing agencies’ technical defenses by targeting employees directly through sophisticated social engineering. What’s causing growing concern: Agency help desks have emerged as a “high-value target.”
The report, “Hacking Humans: How to Defend Against Your Biggest Cyber Risk,” argues that traditional security measures are increasingly ineffective against attackers who use deception and impersonation to penetrate agency IT systems. That’s prompting agency officials to adopt a “human-centric” defense strategy, acknowledging that people are now the primary battleground for protecting sensitive government data and services.

The threat is no longer limited to generic phishing emails. Attackers now conduct detailed reconnaissance on employees, using information from data breaches and social media to craft highly convincing impersonations. The report details an instance where a threat actor, posing as an oncologist, nearly tricked a help desk specialist at a health institution into resetting a caller’s credentials. The attempt failed because the specialist was savvy enough to sense something was amiss about the call. That level of intuition, the report warns, is not scalable across an entire workforce.
The stakes are immense for government agencies, which safeguard vast amounts of personally identifiable information (PII), classified documents, and critical infrastructure data. The report notes that traditional verification methods, like asking for the last four digits of a Social Security number or a mother’s maiden name, are now “dangerously obsolete” due to the widespread availability of this information on the dark web. The rise of AI-powered deepfakes further complicates verification, making it possible to spoof a person’s voice and likeness in real time.
The report notes that service desk agents have become especially high-profile targets. Once an attacker successfully impersonates an employee and cons a help desk agent into providing new credentials, it’s often just a matter of clicks before a hacker gains the legitimate tools needed to escalate privileges, move laterally across networks, exfiltrate data, or deploy ransomware.
Defending against human-centered attacks
The report highlights several factors driving the shift in cyberattacks, steps agencies should consider to realign their cybersecurity strategies, and examples of government agencies and institutions that reduced their risks utilizing human-centric defense strategies. The report argues:
- The primary threat vector has shifted to people, not systems. Technical defenses like firewalls are still essential, but attackers are actively circumventing them. The report finds that social engineering is the dominant tactic, with 60% of data breaches involving human exploitation. Help desks, which hold the power to reset passwords and manage multi-factor authentication (MFA), have become a focal point for these attacks because they offer a direct path to high-level access. “A service desk agent can change a password, reset credentials, manage multi-factor authentication (MFA) devices, and troubleshoot access issues,” says Pablo Passera, vice president of product management at Proofpoint. “So, the service desk is a very valuable target for threat actors right now.”
- Current training and technology are insufficient for this new threat. The report stresses that most employees, including specialized help desk staff, are not adequately equipped to identify and thwart these sophisticated impersonation attempts at scale. This capability gap represents a critical failure point for agency security. “Not all help desk individuals have that sixth sense or have the level of training needed to thwart attacks,” states Ryan Witt, vice president of industry solutions at Proofpoint. “Nor do they have the level of technology and authentication capability built into their infrastructure right now to stop these types of attacks at scale.”
- A “human-centric” defense must complement technical defenses. To counter these threats, agencies must move beyond a purely technical mindset. The report recommends a layered, human-focused strategy that includes: assessing which employees are most at risk (e.g., public-facing or highly privileged users); implementing specialized, practical training for help desk staff; deploying advanced analytics to monitor for anomalous user behavior; and re-evaluating identity verification processes to be more resilient against deepfakes and PII exposure. The core of this strategy is to understand and protect the human layer as the first and last line of defense.
The report concludes that the challenge for agencies is implementing human-centric defenses at scale. To address that challenge, it highlights advanced solutions from Proofpoint, a “Leader” in Gartner’s 2024 Magic Quadrant for email security platforms, designed to intercept and remediate malicious emails and related threats before employees become victims.
The article was produced by Scoop News Group for StateScoop and sponsored by Proofpoint.