Turns out, the call was coming from inside the (corporate) house.
In this publication, we're uncovering a sophisticated social engineering scam that’s targeting companies across Europe and the Americas — and it starts with something as simple as a phone call. Let’s dive in.
Cybercriminals are impersonating Salesforce representatives and tricking employees into installing a fake version of a widely used Salesforce tool. Once installed, hackers gain access to company data, cloud services, and internal systems — leading to data theft, extortion, and serious operational damage.
How It Works:
- A targeted employee receives a voice call (a “vishing” attack) from someone pretending to be associated with Salesforce.
- The caller convinces the employee to visit what appears to be a legitimate Salesforce app setup page.
- There, the employee downloads and installs a malicious version of “Data Loader,” a real Salesforce tool used to import large amounts of data.
- Once installed, the fake app gives hackers deep access to Salesforce environments — including customer data, internal records, and even broader cloud infrastructure.
- From there, the hackers can move laterally into other systems, steal data, and potentially hold companies to ransom.
Who’s Targeted:
This campaign, tracked as UNC6040 by Google’s Threat Intelligence Group, has primarily targeted:
- Large enterprises in Europe and the Americas
- Organizations using Salesforce or connected cloud services
- Employees with access to CRM tools or IT systems
- Teams that might not be well-trained in identifying vishing or app impersonation scams
Real-Life Example:
Google reports that around 20 organizations have already been affected by this campaign. While some attacks were caught in time, a subset had sensitive data successfully exfiltrated.
Salesforce responded by clarifying that there is no vulnerability in its platform itself, and emphasized that this scam exploits human error through social engineering.
“These are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices,” Salesforce said in a statement.
Why You Should Care:
This isn’t just about one tool or one platform. This type of attack:
- Bypasses traditional cybersecurity defenses
- Can lead to significant data breaches across multiple platforms
- Damages company reputation and trust
- May result in regulatory fines, legal issues, and financial loss
- Exposes the company to future extortion or ransomware attacks
If your company uses Salesforce or other cloud tools, this scam could compromise your entire digital infrastructure through one well-placed phone call.
How to Protect Yourself:
• Don’t install apps unless verified. Always get IT approval before downloading or installing tools, even if they appear related to trusted platforms like Salesforce.
• Be suspicious of unsolicited calls. If someone asks you to install software over the phone, hang up and contact your official Salesforce or IT rep directly.
• Enable app installation restrictions. IT admins should limit who can install apps and monitor for unusual permissions or integrations.
• Train employees regularly. Awareness is your best defense. Teach staff to recognize social engineering tactics like “vishing.”
• Report suspicious activity immediately. If someone installs a suspicious app or receives a phishing call, escalate it right away to IT/security.
Quick Tips & Updates:
Quick Tip #1: “Did you know? Vishing attacks are rising — cybercriminals are using human voice and fake authority to gain trust faster than phishing emails.”
Pro Tip: Set up zero-trust application controls — trust no app until it's verified internally, regardless of its branding or source.
Update: Salesforce has warned all users in a March 2025 blog post about these attacks. If you use Salesforce, check your integration logs for unfamiliar tools.
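One way to carry out the integration-log check suggested above, as an added example rather than code from Salesforce or the source article: it flags authorized apps whose identifier is not on an internal allowlist, including ones that reuse a trusted display name. The export columns, client identifiers and allowlist entries are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Approved integrations, keyed by client identifier rather than display name,
# because a look-alike app can reuse a trusted name. Values are constructed.
APPROVED = {
    "client-0001": "Data Loader",
    "client-0002": "Marketing Sync",
}

# Constructed sample export; the column names are assumptions for this example.
SAMPLE_LOG = """app_name,client_id,user,first_authorized
Data Loader,client-0001,alice@example.com,2024-11-02
Marketing Sync,client-0002,bob@example.com,2025-01-15
Data Loader,client-9f3a,carol@example.com,2025-03-18
Ticket Helper,client-77b1,dave@example.com,2025-03-19
data  loader,client-4c2e,erin@example.com,2025-03-20
"""


def normalize(name):
    """Lower-case and drop non-alphanumerics so spacing/case tricks still match."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def review_integrations(log_text, approved, today, recent_days=30):
    """Return (reason, row) findings for integrations that need follow-up."""
    trusted_names = {normalize(n) for n in approved.values()}
    cutoff = today - timedelta(days=recent_days)
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["client_id"] in approved:
            continue  # identifier is on the allowlist
        if normalize(row["app_name"]) in trusted_names:
            reason = "name matches approved app, identifier does not"
        else:
            reason = "app not on allowlist"
        first = datetime.strptime(row["first_authorized"], "%Y-%m-%d").date()
        if first >= cutoff:
            reason += " (recently authorized)"
        findings.append((reason, row))
    return findings


if __name__ == "__main__":
    for reason, row in review_integrations(SAMPLE_LOG, APPROVED, date(2025, 3, 25)):
        print(f"{row['app_name']!r} {row['client_id']} {row['user']}: {reason}")
```

Each finding names the user who authorized the app, which gives IT a person to ask whether a phone call preceded the install.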
Stay safe, stay informed.
Keywords Defined:
• Vishing – A phishing scam that uses voice calls to manipulate victims into taking harmful actions like installing malware or revealing personal info.
• Data Loader – A legitimate Salesforce tool used to import, export, and delete bulk data in CRM systems.
• Social Engineering – Manipulative tactics used by hackers to trick people into bypassing security protocols.
• UNC6040 – The threat actor group identified by Google as responsible for this ongoing attack campaign.
• App Impersonation – A tactic where hackers create fake versions of trusted apps to trick users into installing malware.