Key Takeaways
- Vishing attacks have surged dramatically, with organized groups industrializing social engineering to gain initial access through help desks.
- Attackers quickly pivot from compromised human accounts to persistent machine identities like OAuth tokens and service accounts.
- Most organizations lack governance and visibility over non-human identities (NHI), creating a major security blind spot.
- Effective readiness depends on correlating identity signals and treating machine identities as high-risk assets.
- True resilience requires the ability to detect and roll back unauthorized privilege changes before attackers establish persistence.
Your help desk staff just got a phone call. The caller knew the employee’s name, their manager, and the last four digits of their badge number. They asked for a password reset. Standard procedure. The IT rep complied.
That call was a fraud. And the attacker is now inside.
Voice phishing – vishing – jumped 449% in 2025. Adversary groups have turned social engineering into a scalable operation: recruiting callers, writing scripts, and paying $500 to $1,000 per successful help desk impersonation. They’re not looking for your data. They’re looking for a foothold.
Once inside, attackers don’t linger on the human account. They move laterally – stealing OAuth tokens, creating new administrative service accounts, embedding access in machine-layer credentials that nobody watches. Unlike human passwords, those credentials are rarely rotated. They don’t trigger login alerts. They can survive a full remediation of the original compromised user.
By the time your security team closes the ticket on the help desk incident, the attacker may have been quietly persistent in your environment for weeks. The governance gap makes it worse.
Fewer than 25% of organizations have formal policies for creating or decommissioning NHIs – the service accounts, API keys, and OAuth tokens that now outnumber human users by 144 to 1. Nearly all of those NHIs carry permissions far beyond what their function requires.
Most organizations have almost no confidence in their ability to detect an attack targeting this layer. That’s not a prevention failure. It’s a recovery planning failure.
What Readiness Looks Like
Prevention at the help desk matters – training, callback verification, out-of-band confirmation. But it isn’t enough on its own. Attackers are industrializing faster than awareness programs can keep pace.
Readiness means correlating the signals: a help desk interaction followed immediately by a multi-factor authentication (MFA) reset or a new token creation is a high-probability indicator of compromise.
It means treating machine identities as Tier 0 assets – governing their creation, scoping their permissions, and monitoring for unauthorized escalation. And it means having the ability to detect and roll back malicious privilege changes quickly, before they become the new normal.
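The correlation just described, written out as detection logic over sample events. This is an added example, not Commvault code; the event schema, event type names, users and timestamps are all constructed for illustration, and the 30-minute window is an assumed threshold.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not a real product's log format).
# jdoe: help desk reset, then MFA reset and an OAuth grant within minutes.
# asmith: help desk reset, then a token hours later (outside the window).
EVENTS = [
    {"ts": "2025-03-04T09:02:00", "type": "helpdesk.password_reset",
     "user": "jdoe", "actor": "helpdesk01"},
    {"ts": "2025-03-04T09:11:00", "type": "mfa.reset", "user": "jdoe", "actor": "jdoe"},
    {"ts": "2025-03-04T09:14:00", "type": "oauth.token_created", "user": "jdoe",
     "actor": "jdoe", "detail": "app=mail-sync scope=Mail.ReadWrite offline_access"},
    {"ts": "2025-03-04T10:05:00", "type": "helpdesk.password_reset",
     "user": "asmith", "actor": "helpdesk02"},
    {"ts": "2025-03-04T15:30:00", "type": "oauth.token_created", "user": "asmith",
     "actor": "asmith", "detail": "app=calendar"},
]

TRIGGER = "helpdesk.password_reset"
# Follow-on changes worth correlating; the machine-identity ones get higher severity
# because they are the persistence layer the text describes.
MACHINE_TYPES = {"oauth.token_created", "service_account.created", "role.assigned"}
FOLLOW_ON = MACHINE_TYPES | {"mfa.reset"}


def correlate(events, window=timedelta(minutes=30)):
    """Return one alert per help desk reset that is followed, within `window`,
    by an MFA reset or a machine-identity change for the same user."""
    parsed = sorted(((datetime.fromisoformat(e["ts"]), e) for e in events),
                    key=lambda p: p[0])
    alerts = []
    for i, (t0, e0) in enumerate(parsed):
        if e0["type"] != TRIGGER:
            continue
        follow = []
        for t, e in parsed[i + 1:]:
            if t - t0 > window:
                break  # sorted by time, nothing later can be inside the window
            if e["user"] == e0["user"] and e["type"] in FOLLOW_ON:
                follow.append(e["type"])
        if follow:
            severity = "high" if MACHINE_TYPES & set(follow) else "medium"
            alerts.append({"user": e0["user"], "ticket_actor": e0["actor"],
                           "ticket_ts": e0["ts"], "follow_on": follow,
                           "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Widening the window (for example to several hours) would also surface the asmith sequence, which is the trade-off between catching slow-moving attackers and drowning analysts in routine post-reset token grants.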
Explore how Commvault identity resilience supports rapid detection, rollback, and recovery of your identity environment.
FAQs
Q: What is a vishing attack in the context of enterprise security?
A: Vishing (voice phishing) uses phone calls to impersonate employees and manipulate IT help desks into granting access – typically through password or MFA resets. It’s increasingly industrialized, with organized groups recruiting callers and using pre-written scripts to maximize success rates.
Q: Why do attackers pivot to machine identities after a vishing entry?
A: Human accounts get remediated. NHIs – OAuth tokens, service accounts, API keys – are more persistent and rarely rotated, often invisible to traditional monitoring. Migrating access to the machine layer allows attackers to maintain that persistence long after the original human credential breach is detected and closed.
Q: What does “identity resilience” mean in practice?
A: It means your organization can help detect unauthorized privilege changes in near real time and help restore the identity environment to a trusted state quickly. Detection alone isn’t sufficient – the ability to roll back malicious activity and verify that machine identities haven’t been tampered with (or if tampered with, to be rolled back to a prior good point in time) is what separates readiness from exposure.
Vidya Shankaran is Field CTO at Commvault.