Fake IT Helpdesk Credential Scams on Telegram
Scammers create Telegram accounts impersonating corporate IT support, targeting employees with urgent credential-reset requests that deliver access tokens directly to the attacker.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 1 June 2026
Telegram is increasingly used in business environments for team communication, making it a plausible channel for fraudulent IT helpdesk contacts. An attacker who knows a target's organisation — through LinkedIn research or prior data breaches — can create a convincing IT helpdesk persona on Telegram and reach the target directly.
The attacker may reference real internal systems, colleagues' names, or current projects to make the message appear to come from an insider with genuine knowledge of the organisation.
How this scam works on Telegram
A Telegram message arrives claiming to be from the company's IT operations team. It references a specific internal system the target uses and states that an urgent credential refresh is needed due to a security incident. The target is directed to a Telegram bot or external link to re-enter their credentials.
The scammer may already know partial information about the target — their email address, their manager's name, or a project they are working on — making the contact difficult to dismiss as a random cold approach. This intelligence is typically gathered from social media profiles, particularly LinkedIn.
Some attackers use Telegram's bot framework to automate the credential-harvesting step, collecting entries from multiple targeted employees simultaneously.
Common red flags
- Telegram message claiming to be from your IT team referencing specific internal systems
- Request for credentials or MFA codes via a Telegram bot or external link
- Message that includes your manager's name or internal project details to build credibility
- Urgency framing connected to a supposed security incident
- IT contact who communicates only via Telegram and cannot be reached through official channels
- Bot that automates the credential-collection step rather than a human conversation
How to protect yourself
- Treat any Telegram IT contact requesting credentials as suspicious regardless of how detailed it appears
- Call the IT helpdesk using the internal company directory number to verify the request
- Never enter credentials into any form linked from Telegram
- Report to your IT security team and corporate management immediately
- Advocate for company policies that explicitly prohibit credential requests via external messaging apps
How to report it
- Report the Telegram account using the in-app 'Report' function and select 'Fraud'
- Escalate to your corporate IT security or incident response team
- Report to your national cybercrime authority if a breach of corporate accounts occurred
Frequently asked questions
How do attackers find enough information to make a fake IT Telegram contact convincing?
Company structure, employee names, and technology stack details are often visible through LinkedIn profiles, company websites, job listings, and data breach databases. Attackers compile this intelligence before initiating contact to make the scam harder to dismiss at first glance.