Air Tindi Air Tindi
Security Advisory
Air Tindi aircraft on a floodlit night ramp
Cyber Security  ·  Real Incident Awareness for all staff

The Inbox Flood and the Fake IT Call

An attacker buried one inbox under thousands of emails — then picked up the phone. Here is what happened, and the one move that kept it from becoming a breach.

Reading time4 minutes
AudienceAll Air Tindi staff
TopicEmail bombing & helpdesk impersonation
Read the story
01The Story

A staff member suddenly started receiving thousands of unexpected emails.

Inbox 1 000+ unread
PR
password-reset@accounts
Confirm your password reset request
now
NL
The Daily Roundup
Welcome! Please confirm your subscription
now
SU
no-reply@signups
Activate your new account
now
FT
FitTrack Rewards
You're almost there — verify your email
now
SH
ShopNorth Deals
Confirm your email to start saving
now
VR
verify@newsletter
One more step to confirm your address
now

Password resets. Newsletter confirmations. Account signups. Random messages from services they had never used.

At first, it looked like a spam problem. But it was really a setup.

The attacker was flooding the inbox on purpose. The goal was to create confusion, stress, and urgency. If important messages were buried and the mailbox started acting strangely, the next step would feel believable.

Then the phone rang
Incoming call  ·  "IT Support"
"We see your mailbox is under attack."
"We need to fix this quickly."
"We need to connect to your computer."

The caller claimed to be from IT. They used a confident voice and acted like they already knew what was happening.

That is the moment the attack changed — from email bombing to helpdesk impersonation.

02The Right Move

The staff member did exactly the right thing.

They did not argue. They did not follow instructions. They did not install anything. They did not give remote access.

They hung up and contacted the real IT support team through the normal, trusted channel.

Because they paused and verified, the incident stayed contained. The real IT team investigated the flood of email, put temporary protections in place, checked for signs of compromise, cleaned up the immediate mess, and helped restore the mailbox to normal use.

The important part: because the user hung up first, IT was cleaning up an attack attempt — not recovering from a breach.

03What the Fake IT Caller Wanted

If the attacker had convinced them to continue, the caller likely would have tried to:

Get remote control of their computer
Have them install a remote support tool
View email, files, browser sessions, or saved passwords
Trick them into approving MFA prompts
Steal login tokens or credentials
Create forwarding or mailbox rules
Access company systems from a trusted device
Use their account to attack coworkers, customers, or finance

The email flood was the distraction.
The phone call was the real trap.

The Rule
Stop Hang up Verify

If someone unexpectedly contacts you claiming to be IT and asks for remote access, stop. Hang up. Then contact IT using the normal support number, ticket system, or trusted internal channel. A real IT team will not be offended when you verify — we want you to verify.

04What To Do

If you receive a suspicious IT support call:

Don'tGrant remote access to your computer
Don'tInstall any software they ask you to
Don'tApprove MFA prompts because someone on the phone told you to
Don'tShare passwords or verification codes
DoHang up
DoContact real IT support through the normal channel
DoReport what happened — even if you did not click anything
05A Good Response Sounds Like This
Say this
"I'm going to hang up and contact IT through our official support channel."
That sentence can stop a breach.
Remember
The attacker does not need you to make a big mistake. They only need one rushed moment.
Pause·Hang up·Verify