This is a guide I put together for a service desk. Feel free to grab and use within your own security awareness program.
Overview for Personnel
As a Service Desk Analyst, you are the primary gateway to our organization’s data. Because you are trained to be helpful and efficient, you are the #1 target for social engineers. They don’t hack systems; they "hack" people.
Common Tactics Used by Attackers
The Pressure Tactic: The caller sounds aggressive or in a hurry. They may say they will escalate if the request is not handled quickly, instead of answering the validation questions. They claim to be rushing to complete a task or a critical piece of work related to a priority or change.
The Distressed Employee: A caller who sounds frazzled or claims a personal emergency, hoping your empathy will lead you to skip security protocols.
The Tech "Colleague": Someone claiming to be from a different IT branch or a vendor "checking on a ticket" to gain remote access.
Red Flags
Induced Urgency: They insist that "the system will crash" if you don't act now.
Request for Exceptions: They ask you to "just this once" bypass the standard MFA or callback procedure.
Hostility: They become aggressive or condescending when you follow security policy.
Inconsistent or hesitant responses: The inbound call is from one person, but during callback validation the call lands with another person. The caller sounds vague or is slow to respond.
Suspicious Call Times: Calls arrive in the wee hours, during lean hours, or on weekends, with the caller saying their manager is not available.
The Steps for a Tight Defense
Listen to your intuition: If something doesn’t feel right, it probably isn’t. Run through the process and take detailed notes.
Slow Down: Scammers rely on speed. If a request feels "off," take a breath and consult your lead or manager.
Trust, but Verify: Never assume the Caller ID is accurate. Always use the official internal directory to verify the user.
Follow the Script: Security protocols (MFA pushes, manager callbacks, or employee ID verification) exist for a reason. Never skip them.
If a user cannot be validated, follow these scripts:
"As per the organization policies, we will not be able to provide any information without verifying your details. Please call us back with valid information."
"I would be glad to assist you; however, due to a lack of information, we are unable to proceed with the call and help you today."
Escalate anything suspicious to your Team Lead or Manager.
What to do if you suspect a scam
Don't engage: Keep the conversation professional but firm.
Document: Note the time, the claimed name, and the phone number.
Report: Immediately notify your cybersecurity team [INSERT EMAIL].
