How a human touch (and donuts) can help fight IT imposters

IT pros share their strategies for thwarting pretenders.

Some adversaries are really putting the “actor” in threat actor.

Cybercrime groups are impersonating IT pros to steal employee passwords or install malware. One big way to defend against these imitators is employee awareness, not just of the threat itself but also of the company’s own IT staff.

We spoke with IT pros who shared strategies on how to get acquainted with employees—and why that human touch pays off when threat actors act like admins.

Act I. For years, adversaries and pen testers have been imitating IT pros—to malicious effect. Some recent examples:

  • In January 2026, Mandiant revealed that a cybercrime extortion group posed over the phone as an IT pro updating the company’s multi-factor authentication settings. The adversaries then directed victims to believably branded credential harvesting sites.
  • In March 2026, managed security platform Huntress released findings that threat actors were spamming inboxes, before pretending to be the IT pros dispatched to solve the problem.

Will the real IT pro please stand up? Some standard defenses against imitation IT, according to tech practitioners who spoke with us last year, include sharing clear answers for employees on questions like, “Whom should employees contact when they have a problem?” and, “What will be the approved channel for conversations about IT?”

In its post, Huntress recommended out-of-band verification and having approved execution lists for applications.

Think outside the box (of donuts). Of course, it also helps to know the IT team, and that might mean the right defense is…donuts. Nick Kliminski, office and client services manager at tech business partner GO Technology Group, said a colleague recently arrived onsite early to provide both IT support and a little extra breakfast. That kind of effort builds relationships and creates familiarity and trust, according to Kliminski.

“You can bet that if there was a suspicious call that came into one of those personnel in the operation center of that warehouse going forward,” he said, “and they were asked for password information over the phone, they might be more subject to ask something like, ‘Hey, why don’t you bring in donuts next time?’”

Remote possibilities. Donut delivery, however, might be tough at a company where most employees work remotely. Tony Garcia, CISO at fintech company Infineo, which has a geographically distributed remote workforce, said he personally commits to attending new-hire onboarding and tries to get the majority of his dozen-or-so staff on those calls for a “get to know you” session. He said he also uses security awareness training, AI user instruction, and “Lunch and Learn” meetings as recurring chances for IT to be visible and approachable.

“I don’t want an impersonal Jira ticket to be the first contact with somebody on something,” he said, referring to the issue- and project-tracking system.

Check, please! Dan Duffy, cyber practice lead at tech workforce advisory Consulting Solutions, recommends certain practices to confirm that an IT call is really from IT:

  • Headshots. Slack or Teams profiles should have identifiable photos so members are recognizable and employees see who’s associated with the incident ticket and who might contact them.
  • A (rotating) pass phrase. When contacted by IT (or someone claiming to be IT), the employee can ask for or receive the current challenge phrase—say, consulting solutions wins 2026, as Duffy suggested. If the phrases match up, they can proceed with greater assurance.
  • Verification codes. When IT reaches out, they provide a verification code attached to an official help-desk ticket, which an employee can verify separately through the ticketing system.
  • Spam reporting. Have a button that sends suspicious messages to IT.

“These attacks work because employees don’t have a clear mental model of what legitimate IT support looks like,” Duffy said.
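
The verification-code check in the list above could work as follows. This Python example is added here and is not from Duffy or IT Brew; the class name, ticket IDs, six-digit code format, 15-minute expiry, and three-attempt limit are all assumptions.

```python
import hmac
import secrets
import time

WINDOW_SECONDS = 15 * 60   # assumed validity period for a code
MAX_ATTEMPTS = 3           # assumed number of wrong guesses before revocation


class TicketCodeDesk:
    """Hypothetical ticketing-system side of the check (not a real product API)."""

    def __init__(self):
        self._open = {}  # ticket_id -> [code, expires_at, failed_attempts]

    def issue(self, ticket_id, now=None):
        """IT starts outreach on a ticket; the system attaches a fresh random code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self._open[ticket_id] = [code, now + WINDOW_SECONDS, 0]
        return code

    def verify(self, ticket_id, claimed_code, now=None):
        """Employee checks the code the caller gave against the ticket, out of band."""
        now = time.time() if now is None else now
        entry = self._open.get(ticket_id)
        if entry is None:
            return "unknown-ticket"          # caller cited a ticket with no live code
        code, expires_at, _ = entry
        if now > expires_at:
            del self._open[ticket_id]
            return "expired"
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if not hmac.compare_digest(code.encode(), claimed_code.encode()):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._open[ticket_id]    # stop guessing of the six-digit space
                return "locked"
            return "mismatch"
        del self._open[ticket_id]            # single use: a replayed code fails
        return "ok"


if __name__ == "__main__":
    desk = TicketCodeDesk()
    code = desk.issue("HD-1001", now=0)          # constructed ticket id
    print(desk.verify("HD-1001", code, now=60))  # legitimate call
    print(desk.verify("HD-1001", code, now=90))  # same code replayed
```

Anything other than "ok" means the employee should end the conversation and contact IT through the approved channel.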

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.