The FBI warns companies: DON'T reset passwords
When the help desk is tricked into helping hackers.
In a move that sounds backward at first, the FBI and CISA are warning help desks and IT departments not to reset passwords during certain cyberattacks.
This doesn’t mean you shouldn’t reset your personal passwords. If you’re doing it yourself for your own account, go right ahead—especially if you're switching to a stronger one or upgrading to passkeys.
But this new warning is directed at organizations—companies, agencies, and support teams.
The threat? A hacking group called Scattered Spider, which has already hit big names in retail and aviation. Their method isn’t technical—it’s personal.
They don’t brute-force their way in. Instead, they pose as employees, calling support desks repeatedly, collecting just enough information to fake a password reset or steal MFA tokens. Eventually, they convince a help desk worker to hand over the keys.
So why is resetting a password risky?
Because Scattered Spider’s trick is to initiate the reset process themselves. If a real employee resets the password mid-scam, it could help the attacker seize control. It's like slamming the door shut at the exact moment the burglar has their foot inside.
What companies should do:
Use phishing-resistant MFA (like security keys or passkeys—not just SMS codes).
Train employees to recognize phone-based scams (vishing) and spearphishing attempts.
Tighten help desk protocols, especially for high-level accounts. Always verify who’s asking before approving any reset.
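As an added illustration of the help desk controls above (this is example code written for this page, not from the article, the FBI/CISA advisory, or any named vendor), the Python below models two checks a support team can put in front of a reset: approve a reset only after the agent calls the number on file back, and escalate when one account draws repeated reset or MFA-change requests in a short window, which is the "calling repeatedly" pattern described above. The directory, thresholds, ticket-log format and all log lines are constructed for the example.

```python
"""Help-desk password-reset gate plus a repeat-request detector (added example).

Everything here is constructed for illustration: the directory, the 7-day / 3-request
threshold, and the ticket-log format are assumptions, not a real product's behaviour.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed directory: on-file callback numbers and whether the account is privileged.
DIRECTORY = {
    "alice": {"callback": "+1-555-0100", "privileged": False},
    "bob": {"callback": "+1-555-0101", "privileged": True},  # e.g. an admin account
}

REPEAT_WINDOW = timedelta(days=7)
REPEAT_THRESHOLD = 3  # 3+ reset/MFA-change requests in the window -> escalate, don't reset


@dataclass
class ResetRequest:
    account: str
    caller_number: str        # number the help desk was contacted from (not proof of identity)
    callback_verified: bool   # agent hung up, called the on-file number, and reached the user
    manager_approved: bool    # second-person approval, required for privileged accounts
    when: datetime


def evaluate_reset(req: ResetRequest, history: list[datetime]) -> tuple[str, str]:
    """Return (decision, reason); decision is 'approve', 'deny' or 'escalate'.

    history holds timestamps of earlier reset / MFA-change requests for the same account.
    """
    entry = DIRECTORY.get(req.account)
    if entry is None:
        return "deny", "unknown account"
    # Inbound caller ID can be spoofed, so the reset is only approved after callback.
    if not req.callback_verified:
        return "deny", "caller not verified via on-file callback number"
    recent = [t for t in history if req.when - t <= REPEAT_WINDOW]
    if len(recent) + 1 >= REPEAT_THRESHOLD:
        return "escalate", f"{len(recent) + 1} reset/MFA requests within {REPEAT_WINDOW.days} days"
    if entry["privileged"] and not req.manager_approved:
        return "escalate", "privileged account requires second-person approval"
    return "approve", "verified"


def decide(account, caller_number, callback_verified, manager_approved, when_iso, history_iso=()):
    """Convenience wrapper taking ISO-8601 timestamps instead of datetime objects."""
    req = ResetRequest(account, caller_number, callback_verified, manager_approved,
                       datetime.fromisoformat(when_iso))
    return evaluate_reset(req, [datetime.fromisoformat(t) for t in history_iso])


# Constructed help-desk ticket log: timestamp|account|event|caller_number
SAMPLE_LOG = """\
2025-06-02T09:14:00|alice|password_reset_request|+1-555-0100
2025-06-03T10:02:00|bob|password_reset_request|+1-555-0199
2025-06-03T16:40:00|bob|mfa_device_change_request|+1-555-0198
2025-06-05T08:55:00|bob|password_reset_request|+1-555-0197
2025-06-20T11:00:00|alice|password_reset_request|+1-555-0100
"""

WATCHED_EVENTS = {"password_reset_request", "mfa_device_change_request"}


def find_repeat_targets(log_text: str) -> dict[str, list[str]]:
    """Accounts with REPEAT_THRESHOLD or more reset/MFA requests inside REPEAT_WINDOW,
    mapped to the distinct caller numbers used (many numbers for one account is a red flag)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, account, event, number = line.split("|")
        if event in WATCHED_EVENTS:
            events[account].append((datetime.fromisoformat(ts), number))
    flagged = {}
    for account, items in events.items():
        items.sort()
        for i in range(len(items)):
            window = [n for t, n in items[i:] if t - items[i][0] <= REPEAT_WINDOW]
            if len(window) >= REPEAT_THRESHOLD:
                flagged[account] = sorted(set(window))
                break
    return flagged


if __name__ == "__main__":
    print(find_repeat_targets(SAMPLE_LOG))
    print(decide("bob", "+1-555-0199", True, True, "2025-06-05T09:00:00",
                 ["2025-06-03T10:02:00", "2025-06-03T16:40:00"]))
```

The point of the design is that the "deny" and "escalate" paths are the normal outcome whenever verification is incomplete or the account is already under pressure; an agent who cannot reach the user on the number of record, or who sees a third request in a week, stops and hands the case to security instead of completing the reset the caller is pushing for.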
Bottom line: Modern cyberattacks often succeed not because of tech flaws, but because people trust too easily. Better tech helps. Smarter systems help more. But training your people? That’s mission-critical.
Google says it's been hacked by this trick.
The company confirmed that cybercriminals breached an internal Salesforce system back in June. The attackers, linked to the hacking group ShinyHunters, posed as IT support over the phone to trick employees into installing malicious tools.
The targeted system stored contact information for small and medium-sized business customers, including names, phone numbers, email addresses, and internal notes. Google says no highly sensitive personal data was exposed.
The incident is another reminder that even major tech firms aren’t immune to phishing and impersonation scams.