Fake IT Helpdesk Credential Scams on WhatsApp
Fraudsters impersonate corporate IT helpdesks on WhatsApp to harvest employee login credentials, multi-factor authentication codes, and VPN access details under the guise of urgent account maintenance.
Part of: Fake IT Helpdesk Credential Scams
Last reviewed: 1 June 2026
Fake IT helpdesk scams on WhatsApp target employees by exploiting the normalised practice of receiving IT notifications on personal devices. A message from an account presenting itself as the organisation's IT support team claims a system migration, security patch, or account verification is required immediately.
Employees under time pressure at work may act quickly on IT instructions to avoid disruption, without questioning whether WhatsApp is an appropriate channel for corporate credential requests. The personal device context makes it harder for recipients to compare the message with internal IT communication norms.
How this scam works on WhatsApp
A WhatsApp message arrives claiming to be from the company's IT helpdesk. It states that an account migration is underway and the recipient must verify their credentials — username, password, and current MFA code — through a linked verification portal within 30 minutes or face access loss.
The linked portal mimics the company's real login page and captures the entered credentials in real time. The scammer uses them immediately to access corporate accounts, email systems, or VPN infrastructure. The victim's MFA code is requested at the same moment the scammer is triggering the real authentication prompt on the corporate system.
In some variants, the 'IT helpdesk' account sends a WhatsApp voice note to add a personal touch that increases credibility.
Common red flags
- WhatsApp message claiming to be from your company's IT department requesting credentials or MFA codes
- Tight deadline — told you must verify within 30 minutes or lose account access
- Link to a login portal that looks like your company's internal system but has a different URL
- Request for your current one-time MFA code, which legitimate IT teams never need
- Voice note accompanying the message to increase perceived authenticity
- Message arriving outside working hours or during a known corporate event
How to protect yourself
- Verify any IT request by calling your IT helpdesk directly using the number from your company directory
- Understand that legitimate IT teams never ask for your password or MFA code
- Do not click login links sent via WhatsApp — go to your company's internal portal directly
- Report the WhatsApp message to your corporate IT security team immediately
- Change any credentials you may have entered immediately and notify IT security
- Enable additional login protections on your corporate accounts if available
How to report it
- Forward the message to your corporate IT security or CISO team immediately
- Report the WhatsApp account using the in-app 'Report' function
- File a report with your national cybercrime authority if credentials were compromised
Frequently asked questions
How should my company communicate IT security requests to employees?
All credential-related IT requests should go through official internal communication channels — company email, an intranet portal, or verified ticketing systems. Any IT request arriving via WhatsApp or personal messaging should be verified by calling the helpdesk through the number listed in the company directory.