ATO and Social Engineering: The Rising Threat to Tech Companies

Your Best Defenses Point the Wrong Way

Quick question for the security leaders in the room: where did you spend your last budget cycle?

If you run security or operations at a tech company, the honest answer is probably email, endpoints, identity, and the web. Good instincts. Those are the doors attackers used to knock on.

But here is the uncomfortable part. Attackers know you hardened those doors. So they walked around the building and tried the one you left open: the phone.

The contact center and the voice network have quietly become the soft underbelly of enterprise security. In fact, social engineering was the single leading initial access vector in incident response cases from May 2024 to May 2025, accounting for 36% of all cases, according to Palo Alto Networks Unit 42. And for tech companies, with their high-value accounts, admin access, and help desks that can reset almost anything, that soft underbelly is exactly where account takeover (ATO) attacks begin.

Let's talk about why, and what you can actually do about it.

What Account Takeover Really Is (and How Social Engineering Fuels It)

Account takeover is what it sounds like. An attacker gets control of an account that isn't theirs, then uses it to move money, steal data, or burrow deeper into your systems.

The interesting question is not what ATO is. It's how attackers pull it off. And more and more, the answer is not a clever exploit. It's a phone call.

Social engineering is the art of manipulating a person into doing something they shouldn't. On the voice channel, it usually looks like impersonation:

  • Impersonating a customer to a support agent, to gain access to that customer's account.
  • Impersonating an employee to a help desk, to reset credentials or multi-factor authentication (MFA).
  • Impersonating the help desk or IT to an employee, to harvest passwords and one-time codes.

None of these require breaking encryption. They require a convincing voice and a helpful human on the other end. Tech companies have plenty of both.

Why Tech Companies Are Prime Targets

So why aim at tech companies specifically? A few reasons make them irresistible.

  • High-value accounts. A single compromised account can unlock cloud infrastructure, source code, customer data, or downstream access to other companies.
  • Powerful help desks. Tech support and IT help desks are built to be helpful and fast. They can reset MFA, unlock accounts, port phone numbers, and grant access. That is enormous power sitting behind a phone line.
  • Sensitive data at scale. Tech companies hold data that's valuable on its own and a springboard into supply-chain attacks.
  • A culture of speed. Move fast. Unblock the engineer. Keep the customer happy. Attackers weaponize that urgency.

This is not theoretical. The group known as Scattered Spider has made a specialty of calling IT help desks, impersonating employees (often claiming their phone is broken), passing identity checks with leaked data, and tricking agents into resetting MFA. In one case investigated by Unit 42, attackers went from initial access to domain administrator rights in under 40 minutes, without deploying any malware. In August 2024, Workday confirmed a social engineering attack in which criminals impersonated IT and HR staff to trick employees into resetting passwords.

Here's the rhetorical question worth sitting with: you've spent years teaching engineers not to click suspicious links. How much time have you spent teaching your agents to distrust a friendly voice?

The Voice Channel: The Weak Link Hiding in Plain Sight

The phone is hard to secure for reasons that have nothing to do with your team's talent and everything to do with how the channel works.

Caller ID lies. It was never built to be a security control. Spoofing a number is trivial, so "the call came from a trusted number" proves almost nothing.

Agents are pressured to be helpful. Their entire job, their metrics, their coaching, all point toward resolving the caller's problem quickly. Skepticism feels like bad service. Attackers count on that.

Knowledge-based authentication (KBA) is easy to defeat. You know the drill: last four of the SSN, date of birth, mother's maiden name, recent transaction. In the age of mass data breaches and social media, this information isn't secret. It's searchable. That's exactly how Scattered Spider clears help-desk verification.

How weak is KBA, really? About 30% of fraudulent callers successfully authenticate themselves using knowledge-based authentication (Call Center Fraud / Fraud.net). Nearly one in three fraudsters walks right through your front-door check. That's not a security control. That's a formality.

And the calls hitting your center aren't all friendly. Roughly 10% of calls into businesses and contact centers are negative or nefarious (SecureLogix 2022 Call Security Report). One in ten. Every day.

Vishing and TOAD Attacks Are Surging

If it feels like phone-based attacks are getting worse, that's because they are.

Voice phishing, or "vishing," works alarmingly well. 37% of all vishing attacks are successful (Dark Reading, 2021). Compare that hit rate to almost any other attack vector and you'll understand why criminals keep dialing.

And the volume is exploding. Vishing attacks jumped 442% from the first half of 2024 to the second half, according to the CrowdStrike Global Threat Report, reported by Security Magazine. The trend didn't slow down: vishing volume in the first half of 2025 already surpassed the total for all of 2024, per the Cloud Security Alliance.

Then there's the rise of TOAD, or Telephone-Oriented Attack Delivery. These are multi-step attacks that lure a victim into making or taking a phone call, where the real damage happens. 81% of U.S. organizations experienced a TOAD attack in 2023 (Proofpoint 2024 State of the Phish), and researchers now estimate roughly 10 million TOAD attacks occur every month. That's not a fringe threat. That's most of the field.

Your customers are feeling it too. 45% of consumers have received a call from someone impersonating a legitimate business (Hiya State of the Call 2024). When impersonation is that common, trust in the voice channel erodes for everyone.

GenAI Poured Gasoline on the Fire

Here's the stat that should get everyone's attention: there has been a 1,265% increase in phone-based attacks since the advent of ChatGPT (Help Net Security / ENEA Mobile Network Security 2024). Deepfake-enabled fraud attempts alone rose roughly 1,300% during 2024.

Generative AI changed the economics of voice fraud. As SecureLogix notes in its own research, bad actors now use AI for automation, target selection, and generating audio deepfakes. Attackers can create realistic voice prints to bypass voice biometrics, potentially leading straight to customer account takeover. They can impersonate executives to pressure staff into urgent actions. Over 10% of banks now report deepfake vishing losses exceeding $1 million each.

The friendly voice on the line may not belong to a person at all. It may not even belong to a real voice.

How This Becomes Help-Desk-Driven ATO

Put the pieces together and you get a repeatable playbook:

  1. An attacker gathers personal details, often from breaches or social media, or by making several small "reconnaissance" calls to piece together one account.
  2. They call the help desk or contact center impersonating a customer or employee.
  3. They spoof a trusted number and clear KBA, sometimes with an AI-generated voice.
  4. The agent, trying to help, resets the MFA, ports the number, or grants access.
  5. The account is now the attacker's. So is everything behind it.

This isn't hypothetical. A global financial institution was habitually targeted for exactly this kind of ATO. Malicious callers spoofed their numbers, gathered account information through repeated social engineering calls, then made one final call to take over the account and commit fraud. After deploying the SecureLogix Call Defense™ System and related services to identify and redirect those spoofed calls, the institution stopped roughly $400,000 in fraudulent transfers in just the first three months (SecureLogix Customer Story #1012).

Different industry, identical pattern. The voice channel is the entry point, and the help desk is the mechanism. It's why the U.S. Department of Health and Human Services and others now urge organizations to require out-of-band verification, like calling an employee back at a known number, before any password change, MFA reset, or sensitive account action.
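An added example, not part of the original article and not SecureLogix code: a minimal help-desk policy gate that applies the out-of-band rule above and flags the repeated small-call pattern from step 1 of the playbook. The record fields, thresholds, action names and sample calls are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions the article lists as needing out-of-band verification first.
SENSITIVE = {"password_change", "mfa_reset", "number_port", "grant_access"}
RECON_WINDOW = timedelta(days=7)  # assumed look-back window
RECON_THRESHOLD = 3               # assumed count of earlier calls that signals probing

@dataclass
class Call:
    account: str
    when: datetime
    caller_id: str   # kept for the audit trail only; spoofable, never used as proof
    action: str
    kba_passed: bool
    callback_verified: bool = False  # agent reached the user at a number already on file

def prior_probes(call, history):
    """Count earlier calls about the same account inside the look-back window."""
    return sum(1 for h in history if h.account == call.account
               and timedelta(0) < call.when - h.when <= RECON_WINDOW)

def decide(call, history):
    """Return (decision, reasons) for one help-desk request."""
    if call.action not in SENSITIVE:
        return "proceed", []
    if not call.kba_passed:
        return "deny", ["failed knowledge-based check"]
    reasons = []
    probes = prior_probes(call, history)
    if probes >= RECON_THRESHOLD:
        reasons.append(f"{probes} earlier calls on this account within the window")
    if not call.callback_verified:
        reasons.append("no out-of-band callback; KBA and caller ID are not sufficient")
    if probes >= RECON_THRESHOLD:
        return "escalate", reasons      # probing pattern goes to fraud review
    if reasons:
        return "callback_required", reasons
    return "proceed", reasons

# Constructed sample data: three small calls, then a reset request on the same account.
T0 = datetime(2025, 1, 10, 9, 0)
HISTORY = [
    Call("acct-1001", T0 - timedelta(days=3), "+15550100", "verify_address", True),
    Call("acct-1001", T0 - timedelta(days=2), "+15550101", "confirm_email", True),
    Call("acct-1001", T0 - timedelta(days=1), "+15550102", "check_devices", True),
]
FINAL = Call("acct-1001", T0, "+15550199", "mfa_reset", kba_passed=True)

if __name__ == "__main__":
    print(decide(FINAL, HISTORY))
```

Passing KBA never unlocks a sensitive action on its own here; only a completed callback does, and a probing pattern still routes the request to review.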

What Good Defense Looks Like

Here's the encouraging part. This problem is solvable, and it doesn't require slowing down your agents or interrogating your customers.

The fix is to stop asking humans to do a machine's job. Instead of leaning on KBA and gut instinct, you verify the call itself, automatically, before the agent ever picks up.

Strong voice-channel defense should:

  • Authenticate every inbound call rather than sampling or guessing.
  • Detect spoofing so a "trusted" number can't be faked into your center.
  • Score each call for trust using real-time signals, so agents know who they're talking to from the first hello.
  • Reduce reliance on KBA, closing the gap that lets one in three fraudsters through.
  • Keep good calls fast, so legitimate customers get help immediately.

When the call is authenticated before the conversation starts, the whole attack playbook falls apart. Spoofing stops working. KBA stops being the only gate. And your agents can be helpful and safe at the same time.

Where SecureLogix Comes In: Orchestra One™ Call Authentication Service

This is exactly what the Orchestra One™ Call Authentication Service is built for. It delivers automated, cloud-based inbound call authentication and spoofing detection, so your contact center can trust callers before answering.

Orchestra One™ analyzes and orchestrates thousands of call details along with real-time carrier network metadata, including STIR/SHAKEN when present, to assign each call a unique trust score. For your highest-risk calls, it can bring in additional media analysis and fraud detection for multifactor authentication, but only when you actually need those more expensive tools.

The benefits stack up fast for a tech company under pressure on both security and cost:

  • Authenticate every inbound call automatically, in the cloud.
  • Eliminate KBA and the customer friction that comes with it.
  • Reduce agent call duration so agents help customers immediately after answering.
  • Reduce contact center costs by about 20% on average.
  • Decrease the risk of ATO attacks and fraud by shutting down spoofing and impersonation at the door.

That's the whole point: less friction for real customers, less room for attackers, and a lower bill at the end of the month.

Turn Your Softest Attack Surface Into a Strong One

Let's bring it home. Tech companies have done the hard work of locking down email, endpoints, and the web. Attackers noticed, and they pivoted to the phone, where caller ID lies, KBA fails, and helpful agents are exactly the leverage they need.

But the voice channel doesn't have to be your weak link. With automated call authentication and spoofing detection, you can verify trust before the call is answered, take the guesswork off your agents, and close the door that ATO attackers have been walking through.

The threat is real. The good news is it's fixable, and you don't have to figure it out alone.
