No really, it's me.
I need you to help me.
I forgot my password. Could you just reset it?
The MGM Grand hack and subsequent nightmare privacy issue for the company in 2023 was yet another example of how easily social engineering can thwart the most robust security solutions around. Vox has a good story on it: https://www.vox.com/technology/2023/9/15/23875113/mgm-hack-casino-vishing-cybersecurity-ransomware
How do you know if the "IT person" that's calling you is authorized? You don't. They might sound identical, they may know things that only your IT team should know, they may even look identical.
One of the only things you can do to try to improve your trust is to call them back on a number you already know. It, of course, doesn't count if they give you a number to call. Similarly it doesn't matter if the number they are calling from seems legit. This is critically important: your phone may give you the impression it's them.
"Let me call you back" - if they argue or push back, that's a warning sign. If they tell you it's a different number than normal, that's a warning sign. Call them back on a number you already know to be legitimate.
It may be the difference between a secure or a very insecure interaction.