Social Engineering

The ‘Friendly’ IT Person Who Isn’t So Friendly


Picture this: someone calls your business claiming to be from your IT support company. They’re polite, professional, and seem to know just enough about your systems to sound legitimate. They say there’s an urgent security issue that needs immediate attention — they just need your password to fix it quickly.

This scenario plays out in Australian businesses every day. Cybercriminals are getting better at impersonating legitimate IT support, and small business owners are prime targets.

How These Scams Work

Social engineering attacks targeting IT support relationships are particularly clever because they exploit trust. Here’s how they typically unfold:

  • The caller claims to be from your existing IT company or a well-known tech brand
  • They create urgency by mentioning security threats or system failures
  • They request remote access to your computer or ask for login credentials
  • Once inside your systems, they can steal data, install malware, or demand ransom payments

The sophistication is increasing too. Scammers research businesses beforehand, gathering information from websites and social media to make their calls more convincing.

Red Flags to Watch For

Legitimate IT support rarely operates the way these scammers do. Be suspicious if someone:

  • Contacts you unexpectedly about urgent problems you weren’t aware of
  • Requests passwords, login details, or one-time verification codes over the phone
  • Pressures you to download software or provide remote access immediately
  • Asks for payment via gift cards, cryptocurrency, or wire transfers
  • Gets defensive or aggressive when you ask questions or want to verify their identity

Protecting Your Business

The best defence is having clear protocols in place before you need them:

Establish Verification Procedures

Always verify unexpected IT support calls by hanging up and calling your actual IT provider directly. Use the number from your records or contract, not one the caller provides, and do not rely on the number shown on your phone: caller ID can be spoofed to display your provider's real number.

Never Give Passwords Over the Phone

Legitimate IT professionals should never need your passwords. They work from their own administrative accounts and approved remote management tools, and if they ever need to act on your account they can reset the password through a documented process rather than ask you to read it out. The same applies to verification codes sent to your phone or email: a genuine technician will never ask you to pass one on.

Question the Urgency

Real IT emergencies do happen, but scammers rely on manufactured urgency to stop you from checking. Take a moment to think critically about whether the situation makes sense, and remember that a few minutes spent on a callback will not turn a genuine problem into a disaster.

Educate Your Team

Make sure everyone in your business knows these protocols, including who your IT provider is and how they normally make contact. Scammers often target new starters and front-line staff who might not know your IT arrangements.

When Legitimate IT Support Contacts You

Your actual IT provider should be able to verify their identity easily. They'll understand if you want to call them back, and they'll have proper procedures for any urgent issues. It helps to agree in advance how they will contact you, such as which technicians may call and whether every request references an existing ticket, so a callback can be checked against something you can see.

If you’re working with a reputable managed IT service, they’ll also have monitoring systems in place that often detect problems before you even know about them.

Don’t let a ‘friendly’ voice fool you into compromising your business security. When in doubt, verify first and act second.

Concerned about your business’s vulnerability to these types of attacks? Contact JCPIT Support for a free security assessment and learn how to protect your business from social engineering scams.

Jake
JCPIT Support — Keeping IT Simple.