Increasingly, cyber criminals are targeting individuals and the business processes used to verify identity, reset access, and manage accounts. While deploying security tools to defend against technical vulnerabilities remains essential, the threat landscape has evolved. It is now more important than ever to implement robust identity and access controls that focus on human behaviour and effective business processes, not just technical measures.
As more organisations rely on cloud services, email, remote access, and single sign-on, identity has become a key route into systems. Badly designed or poorly implemented identity and access management can give attackers a way in that appears legitimate. Traditional protective measures that rely on detecting unusual and anomalous behaviour are then rendered useless, and cyber criminals may successfully access your systems and data without it being flagged until it’s too late.
What is Social Engineering & Exploitation of Identity Workflows?
Social engineering is when a person is manipulated into revealing information, approving a request, or taking an action they should not. This can happen by email, phone call, text message, chat, or fake websites.
Identity workflows are the processes organisations use to manage access to systems and data. These can include:
- Onboarding new starters and giving them access to systems
- Changing access when someone moves role or department
- Removing access when someone leaves
- Password resets and account recovery
- Registering or changing multi-factor authentication (MFA) methods and devices
- Approving privileged or administrator access
Abuse of identity workflows happens when criminals exploit these processes to gain access that looks genuine.
How Do Cyber Criminals Use It To Access Systems?
Criminals often combine social engineering with weak identity processes. Common methods include:
- “Phishing” for usernames, passwords, or one-time codes through fake sign-in pages or messages
- Bombarding users with MFA prompts until one is accepted by mistake or out of frustration
- Impersonating staff to the help desk and asking for a password reset or MFA reset
- Raising support tickets claiming a phone has been lost or replaced so a new device or authentication method can be registered
- Using publicly available personal information to pass weak identity checks
- Using SIM swapping or weak SMS-based recovery to intercept authentication codes
- Targeting privileged users or administrators because a single successful reset can open access to many systems
The Current Threat
Social engineering and identity workflow exploitation are now common features of serious cyber incidents. In many recent cases, criminals did not exploit a technical vulnerability. Instead, they gained access by persuading people or systems to approve access changes that appeared legitimate.
Exploitation of identity workflows can have serious consequences, including:
- Data breaches, where personal, financial or sensitive business information is accessed
- Service disruption, caused by account lockouts, system changes or ransomware deployment
- Financial loss, including fraud, recovery costs and incident response activity
- Loss of trust, particularly where customers, staff or other stakeholders are affected
- Regulatory and legal consequences, where personal data or critical services are involved
These attacks can affect organisations of any size. Smaller organisations may be targeted because they have less formal identity processes, while larger organisations can be attractive due to busy help desks and outsourced IT support.
Several trends have increased the risk:
- More reliance on cloud services and remote access
- Wider use of single sign-on, where one account unlocks many systems
- Increased pressure on help desks and support teams to resolve issues quickly
- Continued use of weak or inconsistent recovery and reset processes
- Large amounts of personal and organisational information available online
Together, these factors mean that identity has become a key target. Criminals know that if they can bypass identity checks, they may gain access without needing to defeat technical security controls. And because the access was gained through a legitimate account, the intruder may go undetected.
Recommended Actions
Use stronger MFA
- Move users (particularly those with privileged access) to phishing-resistant MFA where possible, such as passkeys, security keys or trusted platform authenticators.
- Reduce reliance on SMS, voice calls and email-based codes for important accounts and recovery processes.
Harden password reset and account recovery
- Treat password resets, MFA resets and new device registrations as high-risk events.
- Require stronger identity checks before changing access or authentication methods.
- Verify high-risk requests through alternative channels, such as a call-back to a registered number or confirmation through a known corporate channel.
- Avoid relying on information that may already be known to an attacker, such as date of birth, job title or manager name.
- Consider recovery processes that use stronger identity proofing rather than help desk judgement alone.
Improve joiner, mover and leaver processes
- Make sure staff members, contractors and third parties receive only the access to systems and data they need for their role.
- Review and update access promptly when staff move role or department.
- Remove access quickly and completely when staff leave.
- Where possible, automate joiner, mover and leaver processes to reduce manual error and improve auditability.
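One way to make joiner, mover and leaver handling auditable is a periodic reconciliation of the HR roster against the directory. The script below is an added example, not code from the original advisory: it compares a constructed HR record set with a constructed directory snapshot and reports leavers whose accounts are still enabled, movers who kept groups from their old role, joiners with no account, and directory accounts with no HR owner. The record schemas, group names and role profiles are assumptions for illustration.

```python
"""Reconcile an HR roster against a directory to surface JML gaps.

Added example with assumed schemas; adapt the field names to your HR export
and directory (for example an LDAP or cloud identity provider) snapshot.
"""

# Constructed HR roster (assumed schema): employee id -> record.
HR_ROSTER = {
    "E001": {"name": "alice", "status": "active", "dept": "finance"},
    # bob moved from finance to engineering last week
    "E002": {"name": "bob", "status": "active", "dept": "engineering"},
    "E003": {"name": "carol", "status": "left", "dept": "sales", "end_date": "2024-04-30"},
    # dave started this week but no account has been created yet
    "E004": {"name": "dave", "status": "active", "dept": "sales"},
}

# Constructed directory snapshot (assumed schema): account -> enabled flag and groups.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"finance-users", "vpn-users"}},
    "bob": {"enabled": True, "groups": {"finance-users", "vpn-users", "eng-users"}},
    "carol": {"enabled": True, "groups": {"sales-users", "vpn-users"}},
    "svc-legacy": {"enabled": True, "groups": {"domain-admins"}},  # no HR owner
}

# Role profiles (assumed): the groups each department is entitled to.
ROLE_PROFILES = {
    "finance": {"finance-users", "vpn-users"},
    "engineering": {"eng-users", "vpn-users"},
    "sales": {"sales-users", "vpn-users"},
}


def reconcile(hr_roster, directory, role_profiles):
    """Return a list of findings, each a dict with issue, account and detail."""
    findings = []
    hr_by_account = {rec["name"]: rec for rec in hr_roster.values()}

    for account, rec in hr_by_account.items():
        acct = directory.get(account)

        # Leaver: HR says gone, directory still lets them sign in.
        if rec["status"] == "left":
            if acct is not None and acct["enabled"]:
                findings.append({"issue": "leaver_still_enabled", "account": account,
                                 "detail": f"left on {rec.get('end_date')}"})
            continue

        # Joiner: HR says active, but no account exists to provision.
        if acct is None:
            findings.append({"issue": "joiner_missing_account", "account": account,
                             "detail": f"active in {rec['dept']} with no directory account"})
            continue

        # Mover (or over-provisioned joiner): groups beyond the current role profile.
        expected = role_profiles.get(rec["dept"], set())
        excess = acct["groups"] - expected
        if excess:
            findings.append({"issue": "excess_access", "account": account,
                             "detail": f"groups not in {rec['dept']} profile: {sorted(excess)}"})

    # Orphans: enabled accounts with no HR record at all.
    for account, acct in directory.items():
        if account not in hr_by_account and acct["enabled"]:
            findings.append({"issue": "orphan_account", "account": account,
                             "detail": f"no HR owner; groups {sorted(acct['groups'])}"})

    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, ROLE_PROFILES):
        print(f"{f['issue']:24} {f['account']:12} {f['detail']}")
```

Run on a schedule, the output is both the work queue for the access team and an audit record of how long each gap stayed open; service accounts should be mapped to a named owner so they do not show up as orphans on every run.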
Protect privileged access
- Give administrators separate privileged accounts for high-risk tasks. Do not use admin accounts for routine email or web browsing.
- Restrict access to admin portals and management interfaces to trusted users, locations and devices.
Monitor identity activity
- Monitor for unusual sign-ins, repeated MFA prompts, password resets, new MFA registrations and role changes.
- Ensure identity systems produce logs that can be tied back to the user and activity.
- Include token revocation, MFA review and authentication change checks in incident response plans for compromised accounts.
- Consider implementing geofencing of systems and services so that access is only granted to users in authorised locations.
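The monitoring bullets above describe patterns that are easy to miss when each identity event is reviewed on its own but obvious once events for the same user are correlated. The script below is an added example, not code from the original advisory: it runs three rules over a constructed audit log, flagging a run of unapproved MFA prompts followed by an approval (the prompt-bombing pattern), a password reset followed within an hour by a new MFA method, and a reset followed within a day by assignment of a privileged role. The event names, field names, thresholds and role names are assumptions; map them to the audit log fields of your identity provider.

```python
"""Correlate identity audit events per user to flag high-risk reset and MFA patterns.

Added example with assumed event schema and thresholds.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed schema).
SAMPLE_EVENTS = [
    # alice: three ignored or denied pushes, then one approved within minutes
    {"ts": "2024-05-01T08:00:00", "user": "alice", "event": "mfa_push", "result": "denied"},
    {"ts": "2024-05-01T08:01:10", "user": "alice", "event": "mfa_push", "result": "timeout"},
    {"ts": "2024-05-01T08:02:05", "user": "alice", "event": "mfa_push", "result": "denied"},
    {"ts": "2024-05-01T08:03:30", "user": "alice", "event": "mfa_push", "result": "approved"},
    # bob: help desk reset, new authenticator shortly after, then an admin role
    {"ts": "2024-05-01T09:15:00", "user": "bob", "event": "password_reset", "actor": "helpdesk"},
    {"ts": "2024-05-01T09:40:00", "user": "bob", "event": "mfa_method_registered", "method": "authenticator_app"},
    {"ts": "2024-05-01T10:05:00", "user": "bob", "event": "role_assigned", "role": "Global Administrator"},
    # carol: ordinary activity that should not alert
    {"ts": "2024-05-01T11:00:00", "user": "carol", "event": "mfa_push", "result": "approved"},
    {"ts": "2024-05-02T11:00:00", "user": "carol", "event": "password_reset", "actor": "self_service"},
]

# Thresholds and names are assumptions; tune them to your environment.
MFA_FATIGUE_WINDOW = timedelta(minutes=10)
MFA_FATIGUE_MIN_UNAPPROVED = 3
RESET_TO_MFA_WINDOW = timedelta(hours=1)
RESET_TO_PRIV_WINDOW = timedelta(hours=24)
PRIVILEGED_ROLES = {"Global Administrator", "Domain Admins"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _mfa_fatigue(user, events):
    """Approval preceded by several unapproved pushes inside the window."""
    pushes = [e for e in events if e["event"] == "mfa_push"]
    findings = []
    for i, e in enumerate(pushes):
        if e["result"] != "approved":
            continue
        t = _ts(e)
        prior = [p for p in pushes[:i]
                 if p["result"] != "approved" and t - _ts(p) <= MFA_FATIGUE_WINDOW]
        if len(prior) >= MFA_FATIGUE_MIN_UNAPPROVED:
            findings.append(("mfa_fatigue", user,
                             f"{len(prior)} unapproved pushes before approval at {e['ts']}"))
    return findings


def _reset_chains(user, events):
    """Password reset followed by a new MFA method or a privileged role."""
    findings = []
    for reset in (e for e in events if e["event"] == "password_reset"):
        rt = _ts(reset)
        for e in events:
            dt = _ts(e) - rt
            if dt < timedelta(0):
                continue
            if e["event"] == "mfa_method_registered" and dt <= RESET_TO_MFA_WINDOW:
                findings.append(("reset_then_new_mfa", user,
                                 f"reset by {reset.get('actor')} at {reset['ts']}, "
                                 f"new {e.get('method')} at {e['ts']}"))
            if (e["event"] == "role_assigned" and e.get("role") in PRIVILEGED_ROLES
                    and dt <= RESET_TO_PRIV_WINDOW):
                findings.append(("reset_then_privileged_role", user,
                                 f"reset at {reset['ts']}, {e['role']} assigned at {e['ts']}"))
    return findings


def analyse(events):
    """Return a list of (rule, user, detail) findings across all users."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        findings += _mfa_fatigue(user, evs)
        findings += _reset_chains(user, evs)
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:28} {user:8} {detail}")
```

Each finding names the user, so the response step in the incident plan (revoke tokens, review the MFA methods registered on the account, confirm the reset with the person through a known channel) can start from the alert rather than from a manual log search.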