Fake Okta support trick
A group tracked as UNC6783 is using fake Okta pages and support-staff impersonation to run corporate breach campaigns, shifting phishing from obvious lures to helpdesk-style identity workflows. The report highlighted that attackers mimic support interactions to prompt recovery or factor changes, which can then be abused to gain post-auth access. (hackread.com)
A lot of corporate break-ins no longer start with a fake invoice or a malware file. They start with a phone call from someone claiming to be help desk staff and a login page that looks like Okta, the identity system many companies use to sign employees into work apps. (cloud.google.com) (hackread.com)

Google-owned Mandiant says voice phishing jumped to 11% of the intrusions it investigated in 2025, making it the second most common entry point after software exploits at 32%. That finding came from more than 500,000 hours of incident response work summarized in the M-Trends 2026 report released on March 23, 2026. (cloud.google.com)

The trick works because identity systems sit in front of everything else. If an attacker can get an employee to change a recovery method or reset a second login factor, the attacker may not need to hack a server at all. (sec.okta.com)

Okta documented this pattern in August 2023 after multiple United States customers reported callers pressuring internal service desk staff to reset all multi-factor authentication factors on highly privileged accounts. In those cases, the target was often a Super Administrator account, which is the top-level account inside an Okta organization. (sec.okta.com)

Once attackers got that reset, Okta said they used the compromised administrator account to assign more privileges, weaken second-factor rules, and create a second identity provider they controlled. That second identity provider acted like a forged passport office, letting the attacker sign into apps as other real users through single sign-on. (sec.okta.com)

The newer UNC6783 campaigns push the same idea further by copying the rhythm of a real support interaction. Instead of saying "click this urgent link," the attacker behaves like a technician walking someone through a routine account recovery step, which makes the request sound normal inside a busy company. (hackread.com) (sec.okta.com)

Okta's own guidance says support staff will not ask for your password or for a multi-factor authentication code. Okta also warns that caller ID can be spoofed, so a phone number on your screen is not proof that the caller is really from Okta. (sec.okta.com)

That warning matters because these campaigns are built around "post-authentication" access, which means access after the victim has already passed the login gate. If the attacker can talk a worker into changing the gate itself, the company may see a valid login and miss the fraud until data starts leaving cloud apps. (hackread.com) (cloud.google.com)

Okta's defensive advice is to verify any unexpected support contact through a known channel, not the one provided in the message or call. The company says legitimate support emails come from specific addresses like support@okta.com, and security alerts go to named customer contacts rather than random employees. (sec.okta.com)

The stronger fix is to use phishing-resistant login methods that do not hand over reusable secrets to a fake website. Okta says passkeys based on the Fast Identity Online (FIDO) and Web Authentication (WebAuthn) standards, along with Okta FastPass, are designed to stop fake sites from collecting the data attackers need. (help.okta.com) (www.okta.com)

The bigger shift is that the "phishing page" is no longer the whole scam. The page is now just one prop in a support script, and the real target is the company's identity workflow itself. (cloud.google.com) (hackread.com)
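As an added example (not from the article, Okta or Mandiant), here is the kind of System Log correlation a defender would write for the 2023 pattern described above: a reset of all MFA factors on an account followed, within a day, by that same account granting privileges, changing a policy rule or creating an identity provider. The Okta event type names and JSON fields are the ones I know from Okta's System Log and the log lines are constructed; treat both as assumptions to check against your own tenant.

```python
import json
from datetime import datetime, timedelta

# Okta System Log event types (assumed from Okta's public event-type list; verify in your tenant).
RESET_ALL = "user.mfa.factor.reset_all"
FOLLOW_ON = {
    "user.account.privilege.grant": "admin privilege granted",
    "policy.rule.update": "policy rule changed (possible MFA weakening)",
    "system.idp.lifecycle.create": "new identity provider created",
}
WINDOW = timedelta(hours=24)  # how long after a factor reset admin actions by that account stay suspect

# Constructed sample log (JSON Lines, one Okta System Log event per line), not real data.
SAMPLE_LOG = """
{"published":"2024-01-13T08:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"ops@example.com"}]}
{"published":"2024-01-15T09:00:00Z","eventType":"user.mfa.factor.reset_all","actor":{"alternateId":"helpdesk@example.com"},"target":[{"type":"User","alternateId":"admin@example.com"}]}
{"published":"2024-01-15T09:05:00Z","eventType":"user.session.start","actor":{"alternateId":"admin@example.com"},"target":[]}
{"published":"2024-01-15T09:20:00Z","eventType":"user.account.privilege.grant","actor":{"alternateId":"admin@example.com"},"target":[{"type":"User","alternateId":"newuser@example.com"}]}
{"published":"2024-01-15T09:30:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"admin@example.com"},"target":[{"type":"IdentityProvider","alternateId":"external-idp"}]}
{"published":"2024-01-15T11:00:00Z","eventType":"policy.rule.update","actor":{"alternateId":"ops@example.com"},"target":[{"type":"Rule","alternateId":"Default Rule"}]}
"""

def parse(text):
    """Parse JSON Lines into events sorted by time; 'published' is Okta's ISO 8601 timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])

def detect(events):
    """Return (account, eventType, reason) for admin actions by an account whose MFA was just reset."""
    reset_at = {}  # user alternateId -> time of the most recent reset_all on that user
    alerts = []
    for e in events:
        if e["eventType"] == RESET_ALL:
            for t in e.get("target", []):
                if t.get("type") == "User":
                    reset_at[t["alternateId"]] = e["_ts"]
        elif e["eventType"] in FOLLOW_ON:
            actor = e["actor"]["alternateId"]
            if actor in reset_at and e["_ts"] - reset_at[actor] <= WINDOW:
                alerts.append((actor, e["eventType"], FOLLOW_ON[e["eventType"]]))
    return alerts

if __name__ == "__main__":
    for account, event_type, reason in detect(parse(SAMPLE_LOG)):
        print(f"ALERT {account}: {event_type} ({reason})")
```

The ops@example.com rule change is not flagged because its factor reset was two days earlier, outside the window; in practice the window and the event list should be tuned to how your service desk actually operates.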