You locked down the endpoints. You rolled out MFA. You trained your clients to spot suspicious emails like they were defusing bombs.
And yet, here we are.
They’re back. The callback phishers. The Luna Moth crew. The so-called “Silent Ransom Group.” Only now, they’re not dropping ransomware payloads. They’re coming for your data—and your reputation—with nothing but a phone line and a clipboard full of lies.
If you run a help desk, congratulations: you’re the next battleground.
The Callback Scam That’s Burning MSPs
Here’s how it goes down:
Your client gets an email. Looks like a ticket. Maybe even branded like your help desk. It says there’s an issue with their account. They need to call in. Or worse—someone calls them, pretending to be you.
Then comes the voice on the other end of the line. Calm. Professional. Knowledgeable. They know the client’s name. Maybe even what tools they’re using. All they need is remote access to “help resolve the issue.”
That’s when the data gets stolen. Files exfiltrated. Blackmail begins.
No ransomware. No encryption. No splashy lock screens.
Just extortion.
And it’s working—because your clients trust your help desk.
Step Zero: You Are the Attack Vector Now
Let’s stop pretending this is someone else’s problem.
Luna Moth isn’t targeting hospitals anymore. They’re going after law firms and financial services. High-value data. Deep pockets. Industries that can’t afford to be embarrassed—and are more than willing to pay quietly.
They’re registering help desk lookalike domains by the dozen. Typosquatting your brand. Faking your client portals. Acting like you.
And here’s the worst part: you’re training your clients to trust the exact workflows these attackers are now mimicking.
How to Lock Down Your Help Desk Before the Next Call Is a Con
Want to stop being the weak link? Here’s your battle plan:
- No Cold Calls. Period. If your help desk is calling a client, a ticket must already exist. Full stop. That ticket should be verifiable through a known portal or prior communication. If the client didn’t open it? They hang up.
- Call Us Back—Using a Published Number. Train every user to never trust an incoming call without verifying it. If someone says they’re from your support desk, your client should hang up and call your official number.
- No Ticket, No Talk. Make this your mantra. If a client can’t see a support ticket in their portal, the conversation is over. If your techs reach out, they should reference a ticket number that the client can confirm before anything happens.
- Brand Everything. Then Defend That Brand Like It’s Cash. Your ticketing emails, your portals, your support numbers—all of it should be standardized and secure. Clients should know exactly what “real” looks like so they can spot a fake.
- Kill the Over-Familiarity. Stop sending vague emails like, “Hey, just checking in about that issue.” Be formal. Be specific. Be boring. Friendly phishing kills companies. Clarity saves them.
- Audit Your Own Help Desk. Yes, audit yourself. Are your staff trained to recognize social engineering? Are they verifying inbound calls from clients? Could a Luna Moth actor talk their way into a session? Don’t wait to find out the hard way.
It’s Not Just About Cybersecurity Anymore—It’s About Identity Theft (Yours)
The attacker isn’t pretending to be Microsoft anymore. They’re pretending to be you.
You need to assume your identity has already been spoofed, your brand is being weaponized, and your clients are already getting the fake calls.
Your only defense is protocol, evidence, and communication.
This isn’t just another wave of ransomware. This is slow-burn extortion. It’s harder to detect. Harder to trace. And it makes you the scapegoat if your clients fall for it.
Final Word: Your Help Desk Isn’t Just Support—It’s a Target
The threat has changed. So must your response.
If your help desk isn’t hardened, verified, and auditable, you’re not running support—you’re running risk.
It’s time to retrain your clients, lock down your workflows, and make damn sure the next time someone gets a call from “tech support,” they know exactly how to verify it.
Because if you don’t?
Luna Moth will.
Need help locking down your help desk workflows? We’ll show you what a zero-trust support desk looks like. Before your clients call back to report a breach you didn’t see coming.
