Your phone rings. The caller says they're from IT, there's a problem with your account, and they need you to hop on a quick remote session to fix it. The caller ID even shows your company's name. Do you let them in?

A lot of capable people are saying yes right now, and it's costing their firms dearly. I want to walk through what's actually happening, why it works on smart people, and the one habit that shuts it down.

What's actually happening

The FBI first warned about this crew — the Silent Ransom Group, also tracked by Google's Mandiant as Luna Moth, Chatty Spider, and UNC3753 — back in 2025. Then in May 2026 it issued a new FLASH advisory about this exact move: impersonating IT to get a foot inside law firms. The group has been active since at least 2022, and they've dropped ransomware entirely. No encryption, no locked files. They call you, talk their way onto your network, copy your sensitive data, and threaten to leak it unless you pay.

Their favorite targets are law firms and professional services firms. Mandiant put it plainly: legal firms hold "concentrated repositories of extremely sensitive client transaction files." Contracts, tax records, M&A plans, Social Security numbers — the kind of data a firm will quietly pay to keep off the internet.

Here's how the call usually goes, based on BleepingComputer's writeup of the campaign:

  1. You get an invoice-looking email from an ordinary Gmail-style address. No link to click, no attachment to open, so it sails past most filters.
  2. Soon after, your phone rings. The caller says they're from IT and offers to sort out the "invoice problem."
  3. They get you onto a screen-share — Microsoft Teams, Zoom, or Windows Quick Assist.
  4. They walk you through installing a remote-access tool like AnyDesk or Zoho Assist. Now they're inside.
  5. They go hunting through your documents and quietly copy them out.
  6. The ransom demand lands fast. In this campaign, often within 30 minutes of the attackers leaving.
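
The call sequence above leaves a detectable trace at step 4: a remote-access tool appearing on a workstation for the first time, shortly after a screen-share session. As an added example (not from the FBI advisory, BleepingComputer, or Amoeba Networks), this Python code triages constructed endpoint events. The event fields, product labels, approved-tool list and 60-minute window are all assumptions to adapt to your own telemetry.

```python
from datetime import datetime, timedelta

# Assumed labels; map them to the product names your EDR or inventory reports.
SCREEN_SHARE = {"Microsoft Teams", "Zoom", "Quick Assist"}
REMOTE_ACCESS = {"AnyDesk", "Zoho Assist"}
APPROVED = {"Zoho Assist"}          # hypothetical: the tool the real help desk uses
WINDOW = timedelta(minutes=60)      # assumed correlation window


def triage(events):
    """Return alerts for unapproved remote-access tools new to a host.

    events: dicts with time (ISO 8601), host, user, kind, product.
      kind "session"    = a screen-share session started
      kind "first_seen" = a product ran on this host for the first time
    """
    last_share = {}   # host -> (time, product) of the most recent screen share
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["kind"] == "session" and ev["product"] in SCREEN_SHARE:
            last_share[ev["host"]] = (when, ev["product"])
        elif ev["kind"] == "first_seen" and ev["product"] in REMOTE_ACCESS:
            if ev["product"] in APPROVED:
                continue
            share = last_share.get(ev["host"])
            guided = share is not None and when - share[0] <= WINDOW
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "tool": ev["product"],
                "severity": "high" if guided else "medium",
                "preceded_by": share[1] if guided else None,
            })
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE = [
    {"time": "2026-05-12T10:02:00", "host": "WS-014", "user": "jdoe", "kind": "session", "product": "Quick Assist"},
    {"time": "2026-05-12T10:09:00", "host": "WS-014", "user": "jdoe", "kind": "first_seen", "product": "AnyDesk"},
    {"time": "2026-05-12T11:30:00", "host": "WS-022", "user": "asmith", "kind": "first_seen", "product": "Zoho Assist"},
    {"time": "2026-05-12T14:00:00", "host": "WS-031", "user": "blee", "kind": "first_seen", "product": "AnyDesk"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

An approved tool is skipped here, so a session that uses the same product as the real help desk still depends on the call-back rule rather than on this check.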

And if the phone approach stalls? The FBI says some of these crews will send a person to your office to "image" a computer or plug in a USB drive by hand. That's how far they'll go.

Why this works — and it isn't about being gullible

This is vishing: voice phishing. It works on competent people because it doesn't attack what you know. It attacks how you work.

Picture a normal busy Tuesday. Someone calls claiming to be IT, sounds calm and professional, references a real-sounding problem, and offers to make it disappear. Saying "let me verify who you are first" feels rude and slow. The attacker is counting on exactly that hesitation. New York's Department of Financial Services flagged this pattern last year, warning that vishing calls aimed at help desks were climbing fast.

The uncomfortable part: in 2025, phone calls passed email as the most common way attackers first get into a network. The phone is the soft spot now.

The one rule that stops it

You don't need your team to memorize attacker playbooks. You need one rule, and everyone has to know it cold:

Nobody grants access, resets a credential, or moves money based on an inbound call. You hang up and call back on a number you already trust.

That's the whole defense. Real IT will never have a problem with you calling back. The attacker's game falls apart the second you do, because they don't control your actual help desk line.

Give your team a short checklist

Post this where people will see it:

  • Unexpected call about an "account problem"? Hang up and call IT back on the number in your directory — not a number the caller gives you.
  • Never install software or join a remote session because a caller asked you to.
  • Treat urgency as a warning sign, not a reason to hurry. Pressure is the tool.
  • Invoice email from a personal-looking address? Verify through your normal billing contact, not by replying.
  • If something feels off, report it. A false alarm costs nothing. A breach costs plenty.

None of this takes technical skill. It takes permission to slow down — and that has to come from the top. If you run the firm, say out loud that you would rather be called back and verified than have anyone skip the step to be polite to you.

Key takeaways

  • Attackers are posing as IT support to talk employees into granting remote access, then stealing data and demanding payment. The FBI issued a formal warning in May 2026.
  • It works by exploiting ordinary workplace courtesy and urgency, not technical ignorance.
  • One rule stops almost all of it: never grant access or change anything on an inbound call — hang up and call back on a trusted number.
  • Make verification the expected, encouraged behavior, not the awkward exception.

How we can help

At Amoeba Networks we run IT and security for firms across New York, and we build verification into how a real help desk works with your people — so the safe path is also the easy one. We do a lot of this for law firms and professional services firms, where the stakes run highest.

If your team isn't sure how they'd handle the call I described at the top, that's worth a short conversation. We'll help you put simple, human defenses in place before someone makes that call.
