ITM is an open framework - Submit your contributions now.

Insider Threat Matrix™

  • ID: PV070
  • Created: 08th September 2025
  • Updated: 08th September 2025
  • Contributor: The ITM Team

Service Desk Caller Verification Process

This prevention mandates a standardized, enforceable identity verification process for all service desk interactions involving password resets, account unlocks, or access changes. It requires the use of multi-factor authentication (MFV), out-of-band confirmation (OOB), and structured workflow enforcement to ensure caller legitimacy. The process reduces susceptibility to impersonation, prevents policy bypass under pressure, and ensures auditability for investigative review.

 

Prevention Measures

All verification must use at least two distinct factors:

  • A knowledge factor (e.g., pre-set PIN or a dynamic question).
  • A possession factor (e.g., one-time passcode sent to a pre-registered corporate channel such as email or SMS).

For high-risk accounts, apply out-of-band confirmation:

  • Perform a callback to a pre-registered phone number.
  • Or request confirmation via an internal messaging platform (e.g., Microsoft Teams or Slack).

Verification steps must be enforced within the IT Service Management (ITSM) platform:

  • Each verification checkpoint is prompted and must be completed before proceeding.
  • Agents cannot override or skip steps manually.
  • All actions must be logged automatically with time, actor, and outcome.

Escalation protocols must be followed when:

  • Verification fails.
  • A request seems inconsistent or suspicious.
  • The subject is flagged in HR systems as inactive, offboarded, or under restriction.

Logs must include:

  • Requestor’s claimed identity.
  • Verifier’s identity.
  • Verification methods used.
  • Outcome of each step.

Service desk staff must undergo regular training and social engineering simulations:

  • Focus on red flags such as urgency, executive name-dropping, or vague justifications.
  • Reinforce the principle: verification is mandatory, regardless of pressure.

Sections

ID Name Description
PR027.005Service Desk Impersonation for Credential Manipulation

The subject deliberately impersonates a member of the organization—typically a colleague, manager, or IT representative—or otherwise misrepresents themselves in order to manipulate service desk staff into resetting a password, unlocking an account, or granting access to a system. These requests are framed to appear legitimate and urgent, often exploiting common support workflows or pressure tactics (e.g., deadline stress, executive impersonation).

 

This behavior is especially dangerous because it abuses internal trust pathways and bypasses traditional authentication, detection, or technical controls. It can occur via phone, email, chat, or in-person interaction and is frequently used in preparation for unauthorized data access, surveillance, or exfiltration.