It said firms should reassess how their IT help desk "authenticates staff members" before resetting passwords, especially senior employees with access to high-level parts of an IT network.
It highlighted press speculation around "social engineering" as a way hackers may have gained access to accounts.
Criminals use social engineering techniques to get people to trust them when they email, text or call pretending to be from a company's IT help desk - ultimately tricking employees into handing over their log in passwords and security codes.
This also works the other way - calling people who work on the help desk and pretending to be an employee locked out of their account.
Cyber security experts now recommend further layers of security to deal with these sorts of attacks.
"Having code words that get used when an employee phones up to change their credentials, such as "BluePenguin", is one thing being discussed in the cyber community as a way to check that the member of staff is genuine," said Lisa Forte from cyber security firm Red Goat.
"Ultimately it comes back to the same issue with login credentials as always – we need multiple ways to do it to ensure it isn't easy to bypass."
The NCSC advice is the strongest hint yet the hackers are using tactics most commonly associated with a collective of English-speaking cyber criminals nicknamed Scattered Spider.
The name derives from "spider" being the label given to financially motivated cyber criminals, while "scattered" is because they are not a cohesive, organised gang.
In the past two years these disparate hackers, in their teens or early twenties, have coordinated and planned attacks on Discord and Telegram to breach dozens of companies and steal or scramble data to extort their victims.
The NCSC does not specifically name the group as being responsible for the current wave of attacks, but acknowledges Scattered Spider are known for these types of hacks.
In other NCSC advice, cyber defenders are being urged to watch out for "Risky Logins".
This means looking out for when and where employees have logged in from - for example late at night or from strange locations.
Although cyber criminals could be anywhere in the world, young English-speaking hackers in the UK and US have become adept at using social engineering in their attacks.