Fake IT Helpdesk Credential Scams
Attackers impersonate internal IT support to trick employees into resetting passwords, sharing credentials, or installing remote-access tools.
Last reviewed: 1 June 2026
What this scam is
Fake IT helpdesk scams target employees by impersonating an organisation's internal technology support team. The attacker contacts a staff member — by email, phone, or messaging platform — claiming to be from IT and citing a pressing technical reason to take an action: resetting a password, confirming credentials, clicking a 'system update' link, or installing a remote-access tool to 'fix' an issue.
These attacks are a form of vishing (voice phishing) and spear-phishing, and they sit at the boundary between cybercrime and social engineering. They require no technical sophistication to execute — only research into the organisation's structure, the names of IT staff, and enough plausibility to prompt a busy employee to comply without questioning.
Fake IT helpdesk attacks have been responsible for significant data breaches and financial frauds at organisations of all sizes. Employees who would never click an external phishing link may readily act on what appears to be a routine internal IT request.
How it works
The attacker first researches the target organisation. LinkedIn and company websites typically reveal the names of IT staff, department structures, and the names of business tools in use. This information is used to craft a convincing impersonation.
Contact is made by phone, email from a spoofed or look-alike domain, or through a messaging platform used by the organisation. The IT 'staff member' presents a plausible reason for the contact: a security update is being pushed, a compliance requirement must be met before the end of the day, there is suspicious activity on the employee's account, or a systems upgrade requires a password reset.
The employee is asked to click a link to a 'password reset portal' (which captures their current credentials), to install a 'diagnostic tool' (which is remote-access malware), or to read out a verification code they have received by SMS or authenticator app (which the attacker uses to access the account in real time).
In some cases, the attacker gains sufficient access to escalate privileges, access financial systems, or move laterally through the organisation's network before being detected.
Why this scam works
Fake IT helpdesk attacks succeed because employees are conditioned to comply with IT requests. IT does legitimately contact staff about system updates, password resets, and security issues. The frame of an internal support request bypasses the scepticism that an obviously external phishing email might trigger.
Authority and helpfulness combine to lower resistance: the IT staff member appears to be working for you, on your behalf, to fix a problem. Refusing to cooperate feels obstructive. Urgency prevents the pause needed to verify.
Remote working has amplified the vulnerability: employees who rarely see IT colleagues in person cannot verify identity through familiarity and may be more reliant on messaging and email, which are easier to impersonate.
Common red flags
- Unsolicited IT contact asking for a password or credential confirmation
- Request to click a link to a password reset portal you did not request
- Instruction to install software or a 'diagnostic tool' sent by a helpdesk contact
- Caller asks you to read out a code that has just arrived on your phone
- IT contact does not appear in your company directory or uses an external email
- Urgency: a compliance deadline, system failure, or security event must be resolved immediately
- Request to keep the action confidential from your manager or security team
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
This is [IT team name]. We are migrating accounts today and need you to reset your password via this link to avoid being locked out: [fake link].
Hi [name] — IT here. Your device is flagging a security certificate issue. Can you install this diagnostic agent so we can push the fix remotely? [fake link].
We've detected suspicious login attempts on your account. To lock out the attacker, please read me the code that just appeared on your phone.
All staff need to verify their identity before the system update tonight. Please log in here and confirm your current password: [fake portal].
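The red flags listed above can be turned into a first-pass triage check for messages that staff report. This is an added example, not part of the original page: the organisation domain `example.com`, the sender addresses, the regex patterns and the 0.8 similarity threshold are assumptions, and the message bodies are taken from the sanitized examples above.

```python
import re
from difflib import SequenceMatcher

ORG_DOMAIN = "example.com"  # assumption: the organisation's real mail domain

# One illustrative pattern per red flag from the list above (patterns are assumptions).
RULES = {
    "credential_request": re.compile(r"\b(confirm|verify|reset|share)\b.{0,40}\bpassword\b", re.I),
    "code_readout": re.compile(r"\bread\b.{0,30}\bcode\b", re.I),
    "install_tool": re.compile(r"\binstall\b.{0,40}\b(agent|tool|software)\b", re.I),
    "urgency": re.compile(r"\b(today|tonight|immediately|locked out|end of the day)\b", re.I),
    "secrecy": re.compile(r"\b(confidential|do not tell|don't tell)\b", re.I),
}

def sender_flags(sender):
    """Flag senders outside the organisation and near-miss spellings of its domain."""
    domain = sender.rsplit("@", 1)[-1].strip().lower()
    if domain == ORG_DOMAIN:
        return []  # a matching domain is not proof: the content rules still apply
    similar = SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.8
    return ["lookalike_domain" if similar else "external_sender"]

def triage(sender, body):
    """Return the red flags a message trips; any hit means verify via the directory number."""
    return sender_flags(sender) + [name for name, rx in RULES.items() if rx.search(body)]

# Constructed inputs: senders are made up, bodies come from the sanitized examples above.
SAMPLES = [
    ("it-support@examp1e.com",
     "We are migrating accounts today and need you to reset your password via this link "
     "to avoid being locked out: [fake link]."),
    ("helpdesk@example.com",
     "To lock out the attacker, please read me the code that just appeared on your phone."),
    ("it-desk@mail.test",
     "Can you install this diagnostic agent so we can push the fix remotely? [fake link]."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", triage(sender, body))
```

The second sample comes from the organisation's own domain and is still flagged on content, since a spoofed or compromised internal sender looks identical at this level.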
Common variations
- Email-based spear-phishing using a spoofed IT domain to collect credentials
- Slack or Teams message impersonating a named IT colleague for a quick password check
- Phone call from a 'helpdesk' requesting remote access via a commercial tool like AnyDesk
- SMS pretexting: 'our systems show your account is expiring — reset here'
How to verify before you act
Establish a verification culture in your organisation: any IT request involving credentials, software installation, or code-sharing should be verified by calling the IT team on the number listed in the company's internal directory — not the number that contacted you.
Legitimate IT helpdesks never ask for your current password. They reset passwords; they do not need to know the existing one. Any request for your password should be treated as an automatic red flag regardless of how the request is framed.
For code-reading requests: no legitimate IT process requires you to read an authentication code to a helpdesk agent. These codes are generated by your devices and apps to authenticate you — passing them to someone else defeats their purpose entirely.
Payment methods used
- Credential theft used for financial access
- No direct victim payment required
Who is usually targeted
- Employees at all levels, particularly those with access to financial or sensitive systems
- Remote workers less familiar with internal security colleagues
- New employees unfamiliar with standard IT procedures
- Staff who respond quickly to authority-framed requests
What to do immediately
- Do not comply with any IT request that arrives unexpectedly — verify it through a separately confirmed channel
- Call the IT helpdesk using the internal number from your company directory, not any number in the message
- If you have clicked a link, shared a credential, or installed software, report it to your IT security team immediately
- Change any compromised passwords immediately
- Do not read authentication codes out to anyone — legitimate IT staff do not need these from you
- If accounts have been accessed, report to your security team and, if financial accounts are involved, to your bank
How to prevent it
- Verify all unexpected IT contact by calling back on the number in your internal directory
- Know that legitimate IT staff will never ask for your password or a read-out authentication code
- Establish a clear internal verification process for IT credential requests and enforce it consistently
- Train staff regularly on vishing and spear-phishing techniques with simulated exercises
- Enable email domain authentication (DMARC, SPF, DKIM) to reduce spoofing of your own domain
- Use phishing-resistant MFA (hardware keys or passkeys) for high-privilege accounts
Evidence to preserve
- The original email, message, or call details
- Screenshots of any portal or link you were directed to
- The name and contact details used by the caller or sender
- Any software you were asked to install
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I verify whether an IT contact is genuine?
Look up the IT helpdesk number in your company's internal directory (not from a message or email) and call it directly. Ask whether the contact who reached out actually works there and whether the request was made on behalf of IT. This takes under two minutes and will expose most fake helpdesk attempts.
What if I have already given my password to someone claiming to be IT?
Change your password immediately, then report the incident to your real IT security team. They need to check whether your account was accessed, what was accessed, and whether any privilege escalation occurred. Act quickly — the window before an attacker moves laterally is often short.