A notorious cybercrime collective is offering significant financial incentives to recruit women for voice phishing campaigns targeting corporate IT help desks. The group, known as Scattered LAPSUS$ Hunters (SLH), is reportedly paying between $500 and $1,000 upfront per successful call, according to a new threat intelligence brief from Dataminr. This tactic represents a strategic shift in social engineering attacks, leveraging perceived trust in female voices to bypass security protocols.

Details of the Recruitment Campaign

The threat actors are actively seeking female operatives to conduct vishing, or voice phishing, attacks. In these schemes, the caller impersonates an employee in a distressed situation, such as being locked out of their account while traveling, to manipulate IT support staff into resetting credentials or granting system access. The upfront payment offer is unusually high for such operations, indicating the potential value of the corporate network access being targeted.

Security analysts note that the use of female voices is a calculated social engineering technique. The approach exploits unconscious biases and perceived lower threat levels often associated with female callers in high-pressure scenarios. This method aims to increase the success rate of these intrusions by reducing the suspicion of help desk personnel.

Background on the Threat Group

Scattered LAPSUS$ Hunters is a cybercrime collective with ties to the broader LAPSUS$ threat actor group. LAPSUS$ gained notoriety for high-profile attacks on technology firms like Microsoft, NVIDIA, and Okta. The group’s modus operandi typically involves gaining initial access through social engineering, followed by data theft and extortion.

The shift to financially recruiting external individuals, rather than relying solely on core group members, suggests an evolution in their operational security and scalability. By outsourcing the initial contact phase, the core actors can distance themselves from the first point of failure, making law enforcement tracking more difficult.

Security Implications and Recommendations

This development poses a direct challenge to organizational security awareness training programs, particularly for IT help desk teams. These frontline employees are trained to verify identities but may not be equally prepared for sophisticated emotional manipulation performed under time pressure.

Security firms advise organizations to reinforce multi-factor authentication (MFA) policies and implement strict, identity-verification protocols that do not rely solely on voice communication. Recommendations include using pre-established code words, callback procedures to verified numbers, and secondary approvals for high-risk account changes. The fundamental security principle of “trust but verify” is critically important in this context.

Expected Developments and Mitigation

The cybersecurity community anticipates that this recruitment tactic may be adopted by other threat groups if it proves successful. Increased sharing of threat indicators related to these vishing attempts among corporations and security vendors is expected in the coming weeks. Law enforcement agencies in multiple jurisdictions are likely monitoring these financial recruitment channels for leads.

For organizations, the next steps involve updating incident response plans to include specific procedures for suspected vishing attempts against the help desk. Continuous, scenario-based training that includes this emerging threat vector is considered essential. The effectiveness of these new social engineering tactics will depend on the security awareness and procedural rigor maintained by potential targets worldwide.

Source: Dataminr Threat Brief