Google recently fell victim to a sophisticated voice phishing (vishing) attack, serving as a powerful reminder that no organization is immune to social engineering threats.

What Happened?
A financially motivated threat group known as UNC6040 targeted Google’s corporate Salesforce instance using a voice phishing campaign. The attackers impersonated IT support staff to deceive employees into granting access.
One victim was tricked into authorizing a malicious version of the Salesforce Data Loader application, allowing the attackers to exfiltrate basic business information and contact details.
Thanks to Google’s security protocols, the damage was contained, but the incident underscores a growing trend: cybercriminals are getting smarter, and voice phishing is on the rise.

What Is Voice Phishing?
Voice phishing is a form of social engineering where attackers use phone calls to manipulate individuals into revealing confidential information or granting access to secure systems. Unlike email phishing, vishing is harder to detect because it relies on human interaction and trust.

How You Can Stay Ahead of Vishing Attacks
Here are key steps your organization can take to defend against vishing attacks of all kinds:
- Educate Employees: Regularly train staff to recognize social engineering tactics, especially impersonation attempts over the phone.
- Verify Requests: Hackers love to pretend to be IT support or a vendor. Not sure if a call is legitimate? Tell the caller you are going to hang up and dial the number you know is good. If they panic and try to keep you on the line, it’s probably vishing.
- Limit Access: Apply the principle of least privilege—only grant access to systems and data that employees need for their roles.
