Offcanvas Logo

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

Menu

  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us

Contact Us

  • 1 Executive Dr Suite 100 #123 Marlton NJ 08053
  • 856-282-4100
  • info@xitx.com

info@xitx.com
856-282-4100
1 Executive Drive Suite 100 Marlton, NJ 08053
+1 856-282-4100
Facebook-f X-twitter Instagram Linkedin-in Youtube
Xact IT Solutions
Let’s Talk
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Xact IT Solutions
  • IT Support
  • Cybersecurity
  • IT Compliance
  • AI Services
  • Blog
  • Why Us
Let’s Talk

Multi-Channel Identity Attacks: Social Engineering Has Moved Well Beyond the Phishing Email

Multi-Channel Identity Attacks: Social Engineering Has Moved Well Beyond the Phishing Email

Multi-channel identity attacks have quietly become the defining threat pattern of 2024 and 2025 – and the data leaves no room for debate. Attackers are no longer betting everything on one deceptive email. They chain together email, phone calls, text messages, and fake IT support callbacks into coordinated sequences engineered to defeat the one defense small businesses rely on most: “I would have caught that.” The evidence from the Verizon Data Breach Investigations Report (DBIR) and a growing body of public breach disclosures tells a story every business leader needs to understand – before their employees become the next case study.

  1. The Threat Landscape: What the Numbers Actually Say
  2. The Anatomy of a Multi-Channel Attack Chain
  3. Who These Attacks Target – and Why SMBs Are the Bullseye
  4. Real-World Examples from Public Breach Disclosures
  5. Why Single-Channel Verification Is Already Defeated
  6. A Practical Defense Posture for 2025
  7. What to Ask Your IT Firm

The Threat Landscape: What the Numbers Actually Say About Multi-Channel Identity Attacks

The 2024 Verizon DBIR analyzed over 30,000 security incidents and confirmed more than 10,000 breaches. The finding that matters most here: social engineering remains the dominant way attackers get in when no malware is involved, and the percentage of breaches with a human element – meaning an employee was manipulated rather than a system directly exploited – held above 68%. That is not a rounding error. It is a structural reality about how attackers have chosen to operate.

More telling is the shift in technique. The DBIR specifically called out pretexting – fabricated scenarios like fake vendor calls, fake IT support, and fake executive communications – as surpassing basic phishing in frequency among social engineering incidents for the second consecutive year. Pretexting works because it does not rely on a link or an attachment. It relies on a story. And a story delivered across multiple channels is exponentially more convincing than one delivered in a single email.

The FBI’s Internet Crime Complaint Center 2023 annual report (the most recent full-year data publicly available as of mid-2025) recorded losses from business email compromise and related social engineering schemes exceeding $2.9 billion. The report also flagged a notable rise in “callback phishing” – a hybrid technique covered in detail below – as a vector growing faster than traditional email fraud in complaint volume.

CISA’s threat advisories throughout 2024 repeatedly highlighted voice phishing and SMS phishing as components of coordinated intrusion campaigns – not standalone nuisances. The language in those advisories shifted: CISA stopped treating these channels as secondary threats and started treating them as primary vectors that happen to be set up by email.

The Anatomy of a Multi-Channel Identity Attack Chain

multi-channel identity attacks - Wide shot of a person in an office setting with a confused or concerned expression, surrounded by multiple communication devices (phone, computer monitor, headset) with visual emphasis on the chaos of simultaneous incoming alerts across different channels.

Understanding why multi-channel identity attacks succeed requires mapping what a full chain actually looks like. These are not improvised. They are scripted, rehearsed, and often run by organized criminal groups with dedicated roles at each step.

A typical multi-channel identity attack unfolds across four coordinated stages, each channel reinforcing the last.

A typical chain unfolds in four stages:

  • Stage 1 – The Email Primes the Target: A spoofed or lightly altered email arrives – often mimicking a vendor invoice, an IT security alert, or an HR notification. The email itself may contain no malicious link. Its only job is to plant an expectation: “You will receive a call from our security team shortly to verify this transaction.”
  • Stage 2 – The Voice Call Validates the Story: Within hours – sometimes minutes – the target receives a phone call from someone claiming to be from the IT department, the bank’s fraud team, or a known vendor. The caller knows the target’s name, their company name, and often the last four digits of an account number, all scraped from LinkedIn, company websites, or prior data leaks. That “proof” of legitimacy is what tips employees into compliance.
  • Stage 3 – The SMS Adds a Second Verification Layer: A text message arrives appearing to come from the target’s IT system or financial institution. It contains a one-time code. The caller on the phone asks for that code – framing it as a “verification step to confirm your identity.” The employee reads it aloud. The attacker uses it to enroll a new device or approve a wire transfer in real time.
  • Stage 4 – The Callback Loop Closes the Circle: In callback phishing variants, the email instructs the recipient to call a phone number to “resolve” an issue. The number connects to an attacker-controlled call center. The employee believes they initiated contact, which overrides their suspicion entirely. No one trained them to distrust a call they placed themselves.

Each channel alone would raise at least some skepticism in a reasonably trained employee. Chained together, they create a narrative that feels institutional, urgent, and verified. That is the core engineering insight behind these attacks.

Who Multi-Channel Identity Attacks Target – and Why SMBs Are the Bullseye

Enterprise organizations have invested heavily in identity verification infrastructure – hardware tokens, biometric authentication, identity threat detection platforms, and dedicated security teams. None of that is perfect, but it raises the cost of attack significantly. Attackers go where resistance is lowest.

Small and mid-sized businesses are structurally vulnerable for several compounding reasons:

  • Employees wear multiple hats. The person handling accounts payable invoices is also the office manager, the HR contact, and sometimes the de facto IT liaison. One target, multiple access points.
  • IT is often outsourced or lightly staffed, meaning employees cannot quickly verify a “call from IT” – they have limited clarity on who their IT contacts are or how they should communicate.
  • Authentication policies are inconsistently enforced. Phone-based multi-factor authentication is common, but it is specifically the channel attackers now exploit to intercept or relay codes.
  • Security training, where it exists, still focuses primarily on “don’t click links in emails.” That training does not address voice calls, does not address SMS codes, and does not address the psychological impact of a caller who already knows your name and your company’s details.

The Verizon DBIR has consistently found that organizations with fewer than 1,000 employees account for the majority of social engineering victims in its dataset. The 2024 report did not break from that trend.

Real-World Examples from Public Breach Disclosures

Because SMB breaches rarely make the press, the most instructive public examples come from larger organizations – but the attack mechanics translate directly to smaller targets.

The 2022 Uber breach, extensively documented in legal filings and security reporting, was executed almost entirely through social engineering. The attacker repeatedly contacted an Uber contractor via WhatsApp, claiming to be from IT support, and convinced the contractor to approve repeated multi-factor authentication prompts. No software exploit was involved. No advanced malware was deployed. A person was convinced by a persistent, multi-touch story.

The 2023 MGM Resorts breach – with losses publicly estimated above $100 million – began with a ten-minute phone call to the company’s IT help desk. The attacker found employee information on LinkedIn, called pretending to be that employee, and convinced help desk staff to reset credentials. One call. One impersonation. One help desk agent without a verification protocol.

The Scattered Spider threat group, extensively covered in CISA and FBI joint advisories released in 2023 and updated in 2024, specialized in exactly this chain: SMS-based attacks to intercept authentication codes, voice calls to help desks to reset accounts, and layered impersonation of both employees and vendors. CISA’s advisory explicitly noted the group targeted organizations across multiple industry sectors – hospitality, retail, financial services. They did not need sophisticated targets. They needed anyone with credentials.

Scaled down to a 30-person professional services firm, the mechanics are identical. The dollar amounts are smaller in absolute terms but proportionally larger – and recovery is rarely as resourced as it is at a Fortune 500 company.

Why Single-Channel Verification Is Already Defeated by Multi-Channel Identity Attacks

Most small businesses that have any verification protocol at all rely on one of two things: a callback number on file, or a one-time code sent via SMS. Both are now compromised as standalone defenses.

SIM swapping – where an attacker convinces a mobile carrier to transfer a victim’s phone number to an attacker-controlled device – has been documented in hundreds of breach cases. Once it succeeds, every SMS verification code goes to the attacker, not the employee. The employee’s phone simply stops receiving texts. By the time they notice, the window has already been used.

Callback numbers fail when the attacker controls the narrative. If an employee receives an email saying “call this number to verify” and they do, they believe they are in a safe interaction. Their guard is down because they initiated it. Callback phishing was designed specifically around this psychological blind spot.

Phone-based push notification approvals – where an employee taps “Approve” on their authentication app after receiving a prompt – have been defeated by a technique called authentication fatigue. Attackers trigger dozens of rapid-fire approval requests. Employees, confused or annoyed, eventually tap “Approve” to make them stop. This exact technique was used in the Uber breach described above.

None of this means authentication is hopeless. It means that phone numbers and SMS codes alone are insufficient – and that layering channels creates a false sense of institutional legitimacy that must be countered with institutional verification protocols, not just individual employee judgment.

A Practical Defense Posture Against Multi-Channel Identity Attacks in 2025

A sound defense posture makes the attack chain expensive to complete – inserting friction the attacker cannot easily fake. These are the controls that materially reduce exposure:

  • Phishing-resistant authentication: Hardware security keys (FIDO2-compliant) or passkeys bound to a specific device eliminate SMS interception and authentication fatigue entirely. They are the only authentication method that has not been defeated at scale in documented breach cases.
  • Out-of-band verification protocols: Any request involving a credential reset, a wire transfer, a new payee setup, or a change to contact information must be confirmed through a channel established before the request arrived – never a number or address provided within the request itself. This sounds obvious. It is violated constantly.
  • Help desk identity verification that does not rely on the caller: If your IT help desk resets passwords based on a caller knowing an employee’s name and job title, you have a procedure problem. Verification should require something the attacker cannot find on LinkedIn – a shared secret, a manager callback, or a ticketed request submitted through an authenticated portal.
  • Security awareness training that specifically covers voice and SMS: Training that only covers email links is training for 2015. Employees need to understand that a call they receive and a call they place can both be manipulated – and that urgency is a manipulation tactic, not a legitimate operational reality.
  • Behavioral monitoring on identity systems: Unusual authentication patterns – logins from new devices, new locations, credential reset requests outside business hours – should trigger a review, not automatic approval. Automated alerting on these patterns is a core control, not an advanced one.
  • Documented escalation paths: Every employee should know the answer to: “If someone calls me claiming to be from IT and asks for my credentials, what do I do?” If that answer is not written down and practiced, it will be improvised under pressure – and improvisation loses to a prepared attacker every time.

Defense in depth here is not about adding more tools. It is about closing the procedural gaps that multi-channel identity attacks exploit. The attack chains described above would have failed at multiple stages if any one of these controls had been in place.

What to Ask Your IT Firm About Multi-Channel Identity Attacks

If you are evaluating whether your current IT partner is equipped to defend against multi-channel identity attacks specifically – not just malware and email filtering – these are the questions that separate prepared firms from unprepared ones:

  • Do you have a documented help desk identity verification procedure that does not rely on information the caller provides? What is it?
  • Have you implemented phishing-resistant authentication – hardware keys or passkeys – for any of your clients? What is your recommendation for our environment?
  • What does your security awareness training cover, and does it specifically address voice phishing, SMS-based social engineering, and callback fraud scenarios?
  • If one of our employees receives an urgent call from someone claiming to be from your team and asking for credentials, what should they do? Is that procedure documented and tested?
  • How do you monitor for unusual patterns in our identity and authentication systems – specifically new device enrollments, geographic anomalies, and unusual reset request patterns?
  • Have you reviewed our exposure to phone number hijacking risk – specifically, which of our systems still rely on SMS as a primary authentication factor?

A prepared IT firm will have clear, specific answers to all six. Vague references to “monitoring everything” or “using the latest tools” are not answers. The right cybersecurity posture is built on procedures and controls that are documented, tested, and specific to the attack techniques actually being used against businesses like yours right now. Learn more about how our managed IT services incorporate identity verification controls and multi-channel threat training into every client engagement.

Multi-channel identity attacks represent a maturation of the threat landscape – one where the employee is not an afterthought in the attack plan but the primary target from the start. The data from Verizon, the FBI, and CISA all point the same direction: the organizations that get breached are not failing at technology. They are failing at verification. The organizations that stay clean built verification into their culture, their procedures, and their IT partner relationships – long before the call arrived.

If you want a clear-eyed look at where your verification gaps are, Book a Free Cybersecurity Strategy Call. Twenty minutes. No pressure. We’ll tell you exactly what we see.

Let’s Talk About Your IT Strategy

If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.

Schedule a 20-Minute Strategy Call

Recent Posts

  • IT Services Subcontractor Clauses: Who Is Actually Inside Your Systems?
  • AI Proposal Writing for Small Business: Build a Send-Ready Client Proposal in Under 30 Minutes
  • IT Escalation Path: How to Tell a Real Process From a Verbal Promise
  • Session Token Theft: How Attackers Are Walking Past MFA in 2025
  • AI Account Summary: Stop Losing Client Context Between Meetings

Categories

  • AI for Business
  • Backup & Recovery
  • Blog
  • Business
  • Buyer Guides
  • CMMC
  • Compliance
  • Cybersecurity
  • Healthcare
  • Managed IT
  • News & Analysis
  • Threat Intelligence

Share

FRUSTRATED WITH YOUR CURRENT IT PROVIDER? LET’S TALK.

Get a Free IT Consultation
Xact IT Solutions
  • info@xitx.com
  • +1 856-282-4100
  • 1 Executive Drive Suite 100 Marlton NJ 08053

Follow Us

Quick Links
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact
Services
  • IT Support
  • Cybersecurity Services for SMBs | Xact IT Solutions
  • IT Compliance
Recent Blogs
  • Supply-Chain Ransomware Attack Impacts 60 Credit Unions
  • Comcast Xfinity Data Breach Exposes 36 Million Customers’ Data
  • Crown Equipment’s Cyberattack: Recovery and Lessons Learned
Copyright © 2026. Website Design by Xact IT Solutions
  • Privacy Policy and Terms & Conditions
  • Home
  • Partner Program
  • Why Choose Xact IT Solutions | Xact IT Solutions
  • Contact