Prevent This: The Fake Security Call
Americans lost $1.3 billion to tech support scams last year. Here's how the call actually works, and how to prevent the damage.
A few years ago, I got a phone call from an elderly family member. He was standing in the checkout line at Target, and something in his gut was telling him to call me before he paid. The “Microsoft Security Team” had called him earlier that day. They told him his computer had a virus. They could fix it, but there was a problem with their payment systems. Credit cards were down. The only way to pay was with Target gift cards.
He had the gift cards in his hand. He was one transaction away from handing hundreds of dollars to a stranger in another country.
Two things saved him. First, the Target employees at the register had seen this before. They slowed him down. They asked questions. They told him to think about it. Second, he called me.
He was not talking to Microsoft. There was no virus. There was no payment system outage. There was just a person on the other end of a phone line, counting on the fact that a friendly voice and a little urgency would be enough.
I got a nearly identical call a couple of years later. This time it was a neighbor, already on the phone with “Microsoft Security,” wanting me to confirm whether this was real. Same pitch. Same pressure. Same gift cards.
That scam never stopped, but it’s evolved. Keep reading to learn more.
Same Con, New Costume
On July 9, Okta’s threat intelligence team published a warning about a campaign targeting employees at companies in the automotive, aviation, healthcare, construction, and technology sectors. The attackers are calling people on the phone, pretending to be IT support, and walking them through a fake security enrollment process for their Microsoft 365 work accounts.
The old version asked for gift cards. This version asks for something worth more: a passkey.
A passkey is a new type of login credential that is supposed to replace passwords. Microsoft, Google, and Apple have all been rolling them out. If you use Microsoft 365 at work, your IT department may have recently asked you to set one up. You might have seen a pop-up at login nudging you to enroll. Since May 2026, Microsoft has enabled these enrollment nudges by default for many organizations.
The attackers know this. They are counting on the fact that you have seen these prompts before, so when someone calls and says “we need you to set up your new passkey,” it sounds like something your company would actually ask you to do.
How the Call Goes
You get a phone call. The person on the other end says they are from your company’s IT department, or from Microsoft support. They tell you that you need to set up a passkey for your work account. They give you a website to visit. The domain looks plausible. It has the word “passkey” in it.
When you go to the site, it looks like a Microsoft login page. You enter your username and password. If your company requires a second factor (a code from an app, a push notification, a text message), the attacker’s system adapts on the fly to whatever your company uses and walks you through that, too.
Once you are logged in through their site, something odd happens. You are shown a “recovery phrase” and asked to write it down and confirm one of the words. This is not part of any real Microsoft passkey setup. But if you have never enrolled a passkey before, you would not know that. It looks official. It feels like a security step.
While you are confirming your recovery phrase, the attacker is enrolling their own passkey on your account. When it is done, they have a permanent key to your front door. Changing your password will not lock them out. Passkeys work independently of passwords.
The group behind this campaign, tracked by security researchers as O-UNC-066, is affiliated with a loose cybercriminal collective that includes members of Scattered Spider and ShinyHunters. They are not after gift cards. They are after corporate data, and they run an extortion site where they publish stolen files to pressure companies into paying.
Why This Keeps Working
My family member in that Target checkout line was sharp. He had run a business for decades. He was not careless or gullible. But he was alone, he was being spoken to by someone who sounded professional and authoritative, and the story had just enough detail to feel real.
That is the anatomy of every phone scam, from the gift card version to the passkey version. The technology changes. The human pressure does not.
Phone calls work because they create urgency in real time. An email gives you space to think, to forward it to someone, to Google it. A phone call puts you on the spot. The person is waiting. The silence is uncomfortable. You want to be helpful. You want the problem to go away.
The FTC received over one million reports of imposter scams in 2025, with losses up nearly 20% to $3.5 billion. Imposter scams have been the number one reported fraud category for nine consecutive years. Gift cards showed up in 25% of all fraud cases. And phone calls remain one of the primary ways these scams reach people.
The new passkey version is harder to spot because it does not ask for money. It does not ask for gift cards or wire transfers. It asks you to do something that sounds like good security hygiene. That is what makes it dangerous.
The Rule That Covers All of It
Here is the thing my family member figured out in that Target checkout line, standing there with a gift card in his hand and a knot in his stomach: legitimate companies do not cold-call you and ask you to do security things over the phone.
Not Microsoft. Not your bank. Not your IT department. Not the IRS. Not Apple.
If someone calls you and says you need to take an urgent security action, the correct response is always the same, whether they are asking for gift cards or passkeys:
Hang up. Do not feel bad about it. Do not worry about being rude. A real IT person will understand. A scammer will try to keep you on the line.
Call back using a number you already trust. Look up your company’s IT help desk number on the company intranet. Find Microsoft’s support number on their website. Call the number on the back of your bank card. Do not use any number the caller gives you.
Tell someone. Call a family member. Tell a coworker. Walk up to the Target register and ask the cashier if this sounds right. My family member’s phone call to me took two minutes and saved him hundreds of dollars. The Target employees who slowed him down may not have known the technical details, but they had seen enough people buying stacks of gift cards with a panicked look on their face to know what was happening.
That is it. Three steps. They work whether the scam involves gift cards, passkeys, remote desktop software, Bitcoin ATMs, or whatever comes next.
If You Work at a Company That Uses Microsoft 365
A few specific things to know about the passkey scam:
Real passkey enrollment happens at your computer, not over the phone.Your IT department will send you instructions by email or through your company’s internal tools. They will not call you and walk you through it live.
Microsoft passkey setup does not involve a “recovery phrase.” If someone asks you to write down a series of words during passkey enrollment, that is not a real Microsoft process.
Be suspicious of any URL with “passkey” in the domain name. The attackers have been registering domains like assignpasskey[.]com, deploypasskey[.]com, and passkeydeploy[.]com. Legitimate Microsoft enrollment happens at microsoft.com or your company’s own domain.
If you think you fell for it, tell your IT department immediately. They can remove unauthorized passkeys from your account. Speed matters here. The faster you report it, the less time the attacker has to access your data.
What We Owe Each Other
My family member is no longer with us. God rest his soul. But I think about that phone call from Target often, because it was not technology that saved him. It was people. The employees at the register who had the presence of mind to slow things down. The fact that he trusted me enough to call. The two minutes it took to say, “That is not Microsoft. Put the gift cards back.”
The scam has changed. The gift cards became wire transfers, then cryptocurrency, and now passkeys. The technology got more sophisticated. But the defense has not changed at all. It is still the same thing it was when my family member was standing in that checkout line: another person who cares enough to say, “Hold on. Something is not right here.”
Be that person for someone in your life. Share this with a parent, a grandparent, a neighbor, a coworker. Tell them the rule: if someone calls and asks you to do something urgent for security, hang up and call back on a number you trust.
It is the simplest advice in cybersecurity. It has been the right answer for a decade. It will still be the right answer when the next version of this scam shows up wearing whatever costume comes after passkeys.
If you or someone you know has been targeted:
FTC: reportfraud.ftc.gov or 877-382-4357
FBI IC3: ic3.gov
Microsoft Support: support.microsoft.com (never use a number a caller gives you)
FTC Tech Support Scam Guide: consumer.ftc.gov/all-scams/tech-support-scams
Sources
Vishing actors target Entra passkey enrollment (Okta Threat Intelligence, July 9, 2026)
Entra passkey enrollment vishing targets Microsoft 365 users (BleepingComputer, July 8, 2026)
Hackers Use Fake Microsoft Entra Passkey Enrollment to Gain Microsoft 365 Access(The Hacker News, July 10, 2026)
Okta Warns of Vishing Attacks Targeting Microsoft 365 Customers (SecurityWeek, July 10, 2026)
Extortion crew hijacks Microsoft 365 accounts via fake passkey setup (Help Net Security, July 9, 2026)
Scams Are Booming. The Latest Numbers, And How To Protect Yourself (Forbes, May 8, 2026)
Gift Card Scams (FTC Consumer Advice)
Tech Support Scams (FTC Consumer Advice)
Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out Intruvent Edge.





