Intermediate

The "IT Support" Phone Call

A confident caller says he is from IT and needs your help right now. Do you trust him?

The scenario

Your phone rings. A friendly, confident voice says:

"Hi, this is Ahmed from IT Support. We are seeing a virus spreading on the network and your computer is one of the affected machines. I need to fix it before it reaches the file server. Can you read me the 6-digit code that just appeared on your screen? And to save time, please confirm your network password so I can apply the patch under your account."

He sounds professional, uses internal terms, and keeps repeating that this is urgent and that other people are already locked out. He becomes slightly impatient when you hesitate.

What to learn

This is "vishing" — voice phishing / social engineering over the phone. The attacker impersonates a trusted role (IT) and combines authority with urgency to extract two valuable things: a one-time MFA code and your password.

Key defenses:
• Legitimate IT will never ask for your password or your MFA code. Those are yours alone.
• Authority + urgency + a request for credentials is the signature of a social-engineering attack.
• Verify independently: hang up and call IT back on a number you already trust (from the intranet or a colleague), not a number the caller gives you.
• It is always acceptable to slow down and verify. A real colleague will understand; an attacker will pressure you not to.

Report the call to your security team — others may be targeted in the same campaign.