We didn’t realize how common this problem was until we spent months talking with CISOs and security teams in different industries. We expected a range of concerns, but we kept hearing the same stories. Help desks tricked by convincing requests from attackers. Text messages that seemed like normal executive outreach until it was too late. Groups like Scattered Spider running campaigns that bypassed identity checks because nothing seemed risky. Security leaders in finance, healthcare, and tech all described the same thing: strong system visibility, but little insight into the human interactions where breaches now start.

These conversations shaped imper.ai more than any technical insight. They confirmed that defenders are being forced to make high-stakes trust decisions with almost no real context. Identity tells you who someone claims to be. Content tells you what they say. But neither tells you if the environment behind the interaction matches the real person. That is the gap attackers exploit because nothing in the current stack closes it.

imper.ai exists to close that gap. We built a platform that examines the signals attackers can’t easily fake, like device behavior, network characteristics, and patterns tied to real identities. These indicators reveal whether an interaction is genuine before it starts. They give defenders clarity at the exact moment trust is granted.

As we continued validating this approach with CISOs, the message stayed consistent. Security teams have hardened systems and infrastructure, but they lack visibility during the interactions that attackers now use as their first move. The perimeter has shifted to the first contact. Defenders need a way to shift with it.

Today, we launch with the support of Redpoint Ventures, Battery Ventures, Maple VC, Vesey Ventures, and Cerca Partners. They recognized early that impersonation has become the starting point of modern intrusions and one of the most urgent gaps in enterprise security.

To our early customers: you did more than just try an early product. You pressure tested the concept, exposed weaknesses, forced clarity, and proved where this approach creates real value. You shaped the direction of imper.ai in ways outsiders will never see. We would not be launching today without you.

The purpose of imper.ai is straightforward. Make trust visible at the moment it is most vulnerable. If you are responsible for defending your organization, this is the time to rethink how you protect the interactions your teams rely on. Attackers have learned to exploit trust. Defenders need a way to verify it.

If this is the challenge you are facing, we built imper.ai for you.

The post Trust is the new attack vector. imper.ai starts here appeared first on imper.ai.

The modern attack surface has shifted

Today’s attackers understand how people work.

Teams are collaborating across Slack, Teams, Zoom, email, SMS, WhatsApp and internal ticketing systems – often simultaneously. Trust signals get stretched thin across all of them.

And attackers exploit exactly that.

Such as: 

• A message in Teams that looks like a colleague asking for help.
• A Zoom call where someone says their camera “isn’t working today.”
• A Slack DM from a manager requesting a quick credential reset.
• A phone call claiming to be from IT, with a voice that sounds close enough.

None of these look like traditional phishing. There’s no suspicious link or malicious attachment. These interactions succeed because they feel normal.

The surface area has expanded far beyond email, and attackers have adapted their methods accordingly. DBIR highlights that third-party and supply-chain-related breaches now account for 30% of incidents and many of those initial points of contact occur in collaboration tools, not inboxes.

As organizations embrace hybrid work and digital collaboration, trust has become the new vulnerability. And it’s no longer a channel reserved for defenders in the SOC. Every employee, from finance to HR to the help desk becomes the first line of defense. Attackers don’t wait for the blue teams. They impersonate the people your teams already trust.

Why traditional defences don’t see it

Legacy defenses were built for a different era. They were designed to detect malicious content such as dangerous links, harmful code, unusual payloads or suspicious attachments.

But modern impersonation doesn’t rely on any of that.

Attackers no longer show up as suspicious strangers. They present themselves as real people inside your organisation, often sounding exactly like them. It doesn’t take sophisticated AI to make the impersonation believable. Just enough knowledge to feel familiar.

This is also why impersonation thrives in voice, video, and chat.

These channels exist outside traditional detection systems and don’t produce the kind of artifacts that filters can scan.

When attackers do choose to use AI, the barrier is low. A few seconds of speech can be enough to create a convincing mimic. 

But the more important point is this: they don’t always need AI.

The impersonation already bypasses old defenses because there is nothing obviously malicious to flag.

Which means that the problem isn’t simply the message, but the identity behind it.

Trust is the real target

At its core, modern social engineering is a trust problem.

Attackers study how organizations communicate. They mimic tone, timing, emoji habits, message length, and informal language patterns. They align their requests with cultural norms, such as “quick question?”, “can you jump on a call?”, “are you at your desk?”

These micro-signals trigger familiarity. And familiarity opens doors. It’s a performance, designed to look and feel like a legitimate interaction.

The goal isn’t to prove someone is definitively who they say they are, as that’s an impossible standard in distributed digital work.

The real goal is to determine whether the person in this specific interaction shows signs of risk, concealment, inconsistency or impersonation.

If attackers are targeting trust, then defenders must protect trust – not just content.

From phishing detection to real-time risk analysis 

Email-based phishing detection is built around the question of whether a message is dangerous.

But today’s environment means we need to be asking, is this conversation trustworthy?

This requires moving from content filtering to real-time identity assurance, an approach centered on the signals surrounding a live interaction.

imper.ai focuses on analyzing the digital and behavioral signals that are difficult for attackers to fully control, such as:

• Device fingerprint
  Does the device match known patterns for this person, team, or environment?
• Network diagnostics
  Does the connection, network behaviour or location show signs of risk?
• Behavioural metrics
  Are there inconsistencies in how the person is communicating, interacting or presenting themselves?
  

Together, these signals form a real-time view of whether an interaction should be paused, escalated or allowed to continue.

Importantly, this is done in a privacy-first, frictionless way. Which means no intrusive scanning, biometrics or interruption to how people collaborate.

It comes down to clearer signals in the moments when trust is stretched thin. If trust is the target, then detecting impersonation risk in real time must be the defence.

Rethinking where the budget goes

Security budgets still reflect an older threat model, one where email is the dominant source of risk. But the data tells a different story.

DBIR shows that email now represents less than one-third of human-initiated breaches. Meanwhile, PhishingBox and other industry analyses have tracked a sharp rise in multi-channel impersonation, particularly through collaboration tools and voice-based attacks.

Which means that CISOs are facing unavoidable questions such as, are we defending the channels attackers are actually using?

And the truth is, most organizations aren’t. Investment still flows disproportionately toward email protections, while the actual risk has shifted to voice, video, chat and cross-channel interactions.

To stay ahead, organizations need to protect the conversations they’re having.
imper.ai’s positioning reflects this future with proactive, real-time identity assurance that spans the channels where work – and trust – now happen.

The bottom line?

Attackers have shifted their focus from inboxes to interactions.

They exploit human trust across every channel, blending into the steady flow of everyday communication.

Defending against this new reality requires recognizing that trust itself has become the new attack surface.

imper.ai brings prevention to the first moment of contact. By analyzing the digital and behavioral signals that reveal impersonation risk, we help organizations protect the conversations they’re having.

Because the question is no longer “Did the email look suspicious?”

It’s “Can I trust this conversation?”

And with imper.ai, organizations can answer that with clarity.

The post Phishing has moved on. Have your defenses? appeared first on imper.ai.

On the other end, “Sara” sounds rushed, apologetic – and extremely plausible. She knows the internal project names. She references a recent outage. She even uses the same casual phrases Sara always uses. She just needs a quick password reset. It happens to all of us at some point, right?

Except it isn’t Sara on the line.

Impersonation has always been the core of social engineering. In fact, around 60% of social engineering attacks involve impersonation, pretending to be a trusted colleague, vendor or authority figure.

What’s changed is the speed and precision with which attackers can now pull it off.
AI-powered tools means that attackers can scrape vast amounts of personal and organizational data in minutes, including:

• What “Sara” sounds like
• How she writes
• What tools she uses
• What pressures she’s under
• Even the internal jargon she’d naturally reference

And here’s the twist: When the time comes to actually carry out the attack, they don’t actually need a cloned voice. They just need to sound confident – and convincingly human.
This is the real threat facing modern help desks: not AI replacing humans, but AI empowering attackers to impersonate them faster, more accurately and at scale.

When trust becomes the target

It’s common to think that impersonation is the new frontier of social engineering – but it’s actually the foundation. Today’s threat actors don’t necessarily need to breach software or deploy malicious code. Instead, they exploit trust. And that shift is quietly powerful.
In recent years, cybercrime has shifted away from technical break-ins and moved toward human compromise.

According to the Verizon 2024/25 Data Breach Investigations Report (DBIR), 68% of breaches involved a non-malicious human element – that is, someone being manipulated or making a mistake.

At the same time, about 17% of confirmed breaches were due to social engineering-driven incidents, putting it firmly in the top kick-points for attackers.

So, what’s changed?

• Attackers now use AI and big-data tools to conduct research at scale – collecting what someone like “Sara” says, the emails she subscribes to, how she writes and what tools she uses.
• Now they impersonate her voice, tone and workflow – and they just need to sound right.
• The result: The barrier to entry has plummeted, meaning fewer technical exploits and more social finesse.

Why the help desk is a prime target

For attackers, the help desk is the perfect storm of high trust and high pressure. It’s one of the few places in an organization where strangers routinely ask for sensitive actions – and agents are expected to help fast.

Help desk teams exist to unblock people. They’re trained to solve problems quickly, reset credentials, grant temporary access and keep operations running smoothly. But of course, that makes them a natural target.

Attackers know this and they weaponize it.

One login is all they need to move laterally

A single credential reset might feel like a small thing. But to an attacker, it’s a valuable foothold.
With one valid login, a threat actor can:

• Blend into normal traffic

• Explore internal resources
• Identify higher-privileged accounts
• Exploit weak segmentation
• And pivot to other machines inside the network

This ability to move laterally is exactly how attackers escalate from a simple impersonation call to a full-scale breach. They rarely stop at the first account; they use it as a stepping stone to reach someone with more power and more valuable data.

A real-world example: Clorox–Cognizant

During the Clorox–Cognizant breach, attackers exploited help desk processes to reset a password – and that was the tipping point. From there, they navigated internally and accessed critical systems, including supply chains.

Clorox ended up suing Cognizant (which managed its IT help desk), holding them responsible for a cyberattack that crippled Clorox’s production capability and cost the company $380 million.

And it wasn’t even a sophisticated exploit. It was a social one.

Why traditional safeguards fail

Most organizations assume their existing safeguards – MFA, caller verification scripts, collaboration platform logs, even voice recognition cues – are enough. But modern attackers are slipping straight through the gaps between systems.

Why is this happening?

1. Collaboration tools weren’t built to verify identity
   Slack, Teams, Zoom, email – these platforms connect people, but they don’t confirm that the person behind an account is who they claim to be.
   
   Attackers exploit this by using:
   • Compromised accounts
   • Newly created lookalike accounts
   • Hijacked session cookies
   • Convincing usernames or display names
     
     Once inside a communication channel, they can sound authoritative and appear legitimate. There is no built-in identity assurance, just the illusion of it.
     
2. Attackers spoof multiple channels to stack legitimacy
   Modern social engineering rarely comes through just one vector. Attackers now combine channels to create urgency and credibility simultaneously.
   
   And the methods go both ways:
   
   When impersonating the employee
   They may:
   • Gather intel using AI reconnaissance
   • Call the help desk pretending to be the employee
   • Reference real projects, colleagues and workflows
   • Push for a password reset or MFA change
     
     But attackers also impersonate IT to trick employees
     
     A second pattern is growing fast: Attackers pose as the IT help desk and call employees directly.
     
     A typical sequence looks like this:
   • They trigger an MFA bomb, flooding the employee with approval requests.
   • They immediately follow up with a ‘helpful’ phone call, pretending to be IT.
   • They claim something is wrong with the employee’s MFA device, laptop or VPN.
   • They instruct the employee to download a remote-access tool like QuickAssist, AnyDesk or TeamViewer.
   • Once installed, the attacker gains full control of the device – and therefore the network.
     
3. Voice authentication is unreliable in the age of synthesis
   Relying on vocal familiarity (‘that sounds like Sara’) is no longer enough. Even without high-end voice cloning, attackers can:
   • Mimic tone and cadence
   • Reuse scraped audio snippets
   • Sound rushed or emotionally charged to suppress scrutiny

And even when AI voice-synthesis detection tools exist, they tend to operate in a constant cat-and-mouse dynamic. As generative models evolve, attackers can quickly outpace any system that relies on analyzing the audio itself.

This is why organizations just can’t depend on voice analysis alone – it’s a moving target.

From awareness to assurance

For years, organizations have relied on security awareness training, verification scripts and manual checks to defend against social engineering. But awareness alone can’t keep up with attackers who move faster, learn faster and impersonate more convincingly than ever.

It’s time to move from human awareness to machine-backed assurance.

Real-time impersonation detection: built for the help desk frontline

imper.ai gives humans the seamless safety net they’ve never had.

Instead of depending on agents to spot subtle cues of deception, imper.ai analyzes signals that are extremely difficult for attackers to mimic:

• Device fingerprints: is the request coming from a known device?
• Network diagnostics: is the network signature consistent with the real user’s usual environment?
• Behavioral metrics: are typing patterns, navigation flows and interaction habits typical for this person?

Within seconds, imper.ai can assess whether the interaction shows signs of impersonation.

Final thoughts

Impersonation has always been the heart of social engineering – and today, AI has supercharged its speed and accuracy.

Help desks sit directly in the path of these attacks, expected to deliver both efficiency and perfect judgment under pressure.

imper.ai exists to fix that. By providing real-time, invisible identity assurance, imper.ai turns trust from a vulnerability into a defense, empowering frontline teams to work with confidence and speed.

Help desk employees shouldn’t be expected to outsmart AI-powered attackers – but they should be equipped with technology that protects them automatically.

The post The rise of fake help desk calls appeared first on imper.ai.