How Do You Know It's Really Us on the Phone? (And How Do We Know It's Really You?)
When someone calls your team claiming to be from IT, your help desk, or your service provider, how does your staff actually know it's true?
For most organizations, the honest answer is: they don't. They trust the voice, the name, and the urgency. And that's exactly the gap attackers have learned to walk through.
At Nucleus Networks, we're changing that. Over the coming weeks, we're rolling out bidirectional multi-factor authentication (MFA) across how we work with you. In plain terms: when we call you, you'll be able to confirm it's really us, and when you call us for a password reset or any sensitive change, we'll be able to confirm it's really you. Trust will go both ways, and it will be verified, not assumed.
Here's why this matters more than ever, and what it will look like for your team.
Security got good at protecting systems. Attackers moved to the conversation.
The security industry has spent years hardening systems: stronger passwords, MFA on logins, Zero Trust access, and endpoint protection. It worked. So attackers stopped attacking the technology and started attacking the people and the process around it.
The modern playbook is depressingly simple:
- Set the stage with a phishing email that creates a little confusion or urgency.
- Make a phone call, posing as IT, a Microsoft "support" rep, or a trusted vendor.
- Apply pressure. "We've spotted a problem on your account, and we need to fix it right now."
- Get what they came for: a password, an MFA approval, or remote access to a machine.
No software exploit required. Just a believable conversation. With AI now able to generate convincing scripts and even clone voices, sounding legitimate has never been easier for the bad guys.
This isn't theoretical. It's already costing billions.
The FBI's 2025 Internet Crime Report logged more than one million complaints and nearly $21 billion in reported losses, a 26% jump over the prior year. Business email compromise alone accounted for roughly $3 billion of that. (FBI IC3 report)
Consider one real case investigated in late 2025. Attackers gained access to a shared mailbox at a healthcare facility and quietly read internal messages until they understood how a particular physician communicated, who they reported to, and what access they needed. Armed with that context, they called the help desk: urgent tone, the right name, the right access level, "patients are waiting." The help desk reset the password and MFA token. The attackers logged in, registered their own devices, opened the HR system, and rerouted the physician's direct deposit. Nobody noticed until the physician asked why they hadn't been paid. (Source: Traceless)
The lesson is uncomfortable but clear: the paycheck was the target, but the help desk call was the attack path. The whole scheme hinged on one moment where trust moved faster than verification.
The missing piece: verifying the human, in real time
MFA protects logins. Endpoint tools protect devices. Zero Trust protects access pathways. But none of them protect the conversation itself: the call, the email, the "quick favour" message. That's the layer we're closing.
We're partnering with Traceless to bring real-time, two-way identity verification into every sensitive interaction. Here's what that means in practice.
When we contact you, you'll be able to prove it's actually us before you act on anything:
- Ticket-based code. When we open or update a support ticket, a short verification code is automatically delivered to you through the system. When our technician calls or emails, they'll read that code, and you'll already have it waiting. If the codes don't match, the request isn't real.
- Push approval. Our technician can trigger a push notification to your registered device mid-call. Seeing that prompt arrive in real time confirms the person on the line is an authorized member of our team.
When you contact us for a password reset, an account change, or anything sensitive, we'll run the same kind of check in reverse. Before we reset a password or change a setting, we confirm your identity through a verification prompt rather than relying on a name and a believable story. That single step is exactly what was missing in the healthcare case above.
Red flags worth sharing with your team now
Even before the rollout is complete, train your people to pause when:
- No code or push arrives before or during a call that claims to be from IT or a vendor.
- The caller rushes you and pushes back on verifying ("we don't have time for that").
- You're asked to read out a code or approve a prompt you didn't expect or didn't trigger.
- The contact comes out of nowhere, from an unfamiliar channel with no ticket or reference behind it.
A legitimate request will never be damaged by a ten-second identity check. A fraudulent one almost always will.
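The two checks described above, a one-time code bound to a support ticket when we call you and a device approval bound to a specific account and action when you call us, can be modelled in a few dozen lines. The Python below is an added illustration written for this post, not Nucleus Networks' or Traceless's code; the code lifetimes, the attempt limit, the in-memory store and every function name are assumptions. What it adds to the prose is the parts that make such a check hold up: the code is tied to one ticket, expires, can be used once, tolerates only a few wrong guesses, and is compared in constant time; the approval is tied to one account and one action, so an approval obtained for a password reset cannot be reused to change a direct deposit.

```python
"""Out-of-band verification in both directions (illustration, not vendor code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

CODE_TTL_SECONDS = 15 * 60     # assumed: a ticket code is valid for 15 minutes
APPROVAL_TTL_SECONDS = 5 * 60  # assumed: a device approval is good for 5 minutes
MAX_ATTEMPTS = 3               # assumed: a code locks after 3 wrong guesses


@dataclass
class _Challenge:
    subject: str                     # ticket id (outbound) or account name (inbound)
    action: str                      # "support-call", "password-reset", ...
    secret: str                      # code the technician must read back; "" for pushes
    issued_at: float
    used: bool = False
    attempts: int = 0
    approved: Optional[bool] = None  # device's answer to a push; None until answered


class OutOfBandVerifier:
    """Issues and checks challenges. The clock is injectable so expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._ticket_codes: Dict[str, _Challenge] = {}
        self._approvals: Dict[str, _Challenge] = {}

    # Direction 1: we call you. The code is delivered through the ticketing
    # system when the ticket is opened; the caller must read the same code.
    def issue_ticket_code(self, ticket_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._ticket_codes[ticket_id] = _Challenge(ticket_id, "support-call", code, self._clock())
        return code

    def check_ticket_code(self, ticket_id: str, spoken_code: str) -> Tuple[bool, str]:
        ch = self._ticket_codes.get(ticket_id)
        if ch is None:
            return False, "no code was issued for this ticket"
        if ch.used:
            return False, "code already used"
        if self._clock() - ch.issued_at > CODE_TTL_SECONDS:
            return False, "code expired"
        if ch.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        ch.attempts += 1
        # Constant-time comparison so response timing reveals nothing about the code.
        if not hmac.compare_digest(ch.secret.encode(), spoken_code.strip().encode()):
            return False, "code mismatch"
        ch.used = True
        return True, "caller verified against ticket"

    # Direction 2: you call us. Before a sensitive change, the help desk sends a
    # push to the registered device; the change runs only on a fresh approval
    # for exactly this account and this action.
    def request_device_approval(self, account: str, action: str) -> str:
        challenge_id = secrets.token_urlsafe(16)
        self._approvals[challenge_id] = _Challenge(account, action, "", self._clock())
        return challenge_id

    def device_respond(self, challenge_id: str, approved: bool) -> None:
        ch = self._approvals.get(challenge_id)
        if ch is not None and ch.approved is None:
            ch.approved = approved  # first answer wins; later answers are ignored

    def perform_sensitive_change(self, challenge_id: str, account: str, action: str) -> Tuple[bool, str]:
        ch = self._approvals.get(challenge_id)
        if ch is None or ch.subject != account or ch.action != action:
            return False, "no matching approval for this account and action"
        if ch.used:
            return False, "approval already consumed"
        if self._clock() - ch.issued_at > APPROVAL_TTL_SECONDS:
            return False, "approval expired"
        if ch.approved is not True:
            return False, "device did not approve"
        ch.used = True
        return True, f"{action} performed for {account}"


if __name__ == "__main__":
    v = OutOfBandVerifier()
    # Outbound: the technician reads the ticket code; the customer checks it.
    code = v.issue_ticket_code("T-1001")
    print(v.check_ticket_code("T-1001", "000000"))   # an unexpected caller guessing
    print(v.check_ticket_code("T-1001", code))       # the real technician
    print(v.check_ticket_code("T-1001", code))       # a replay of the same code
    # Inbound: a password reset waits for the registered device to approve.
    cid = v.request_device_approval("dr.example", "password-reset")
    print(v.perform_sensitive_change(cid, "dr.example", "password-reset"))  # not yet
    v.device_respond(cid, True)
    print(v.perform_sensitive_change(cid, "dr.example", "direct-deposit-change"))  # wrong action
    print(v.perform_sensitive_change(cid, "dr.example", "password-reset"))  # allowed once
```

In the healthcare case above, the reset would have stalled at `perform_sensitive_change` returning "device did not approve": the physician's own device, not the caller's story, decides whether the change goes ahead.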
Our goal: make the safe step the easy step
We're not asking your team to become suspicious of every phone call, or to slow down work that needs to move quickly. The point of bidirectional MFA is the opposite: to make verifying identity so simple and routine that it stops being a judgment call under pressure. Speed shouldn't quietly turn into blind trust.
As we roll this out, we'll share onboarding details, what to expect on your end, and how to get your team set up. Because we believe every organization we work with should have this protection, we'll be making bidirectional MFA available to you directly as part of how we help keep your business secure.
If you'd like to talk through what this looks like for your environment, or get an early look, reach out to the Nucleus Networks team. We're happy to walk you through it.