A new threat is emerging in the digital business world, one that particularly affects companies with Salesforce systems. A criminal group, referred to by Google as UNC6040, has been relying on voice phishing, a sophisticated form of telephone fraud.
These attackers pretend to be IT support staff on the phone and convince unsuspecting employees to grant them access to sensitive data. Their aim is clear: to steal data and then blackmail the companies concerned.
According to Google's Threat Intelligence Group, the perpetrators are opportunistic, financially motivated actors. English-speaking departments of multinational companies are particularly at risk and are often chosen as primary targets.
This telephone fraud works frighteningly well because it targets human weaknesses rather than technical security vulnerabilities. The fraudsters use clever conversational techniques to gain trust and bypass even the most advanced security measures.
Important findings
- The UNC6040 group uses voice phishing targeted at Salesforce users
- Attackers pretend to be IT support to gain access
- The aim of the attacks is data theft with subsequent blackmail
- English-speaking departments of multinational companies are particularly at risk
- The attacks circumvent technical security measures through social manipulation
- Google describes the perpetrators as opportunistic and financially motivated
What is voice phishing?
Voice phishing refers to a method of attack in which fraudsters build trust over the phone in order to obtain confidential data. This form of fraud is becoming increasingly sophisticated and poses a growing threat, particularly to users of business software such as Salesforce. According to an analysis by the Google Threat Intelligence Group (GTIG), the hacker group UNC6040 has developed targeted campaigns to compromise organizations' Salesforce instances.
The attackers aim to tap into data on a large scale and then blackmail the affected companies. This form of digital attack combines social manipulation with technical tricks and uses the human voice as a tool.
Definition and basic explanations
Voice phishing, also known as vishing, is a scam in which criminals contact their victims by telephone. They pose as trustworthy persons or organizations - for example as employees of the IT department, customer service or even as superiors.
The attackers use psychological tactics to put their victims under pressure and force them to make quick decisions. They often create a sense of urgency or fear in order to suppress critical thinking.
In attacks on Salesforce users, the fraudsters often pretend to be support staff and claim to need to fix a security problem with the account. The aim is to obtain access data or cause malware to be installed.
One particularly dangerous technique is voice spoofing. The attackers manipulate the displayed phone number so that the call appears to come from a trustworthy source. Modern attacks on voice systems can even imitate voices, which makes recognition considerably more difficult.
Difference to other phishing methods
Compared to conventional phishing methods, voice phishing offers attackers some decisive advantages. While traditional phishing is mainly carried out via emails or fake websites, voice phishing uses direct human interaction.
The human voice conveys authenticity and enables fraudsters to respond flexibly to queries. Unlike with an email, attackers can build up pressure during a phone call and adapt their approach to the victim's reactions.
Another difference lies in the accuracy of targeting. Voice phishing attacks are often more targeted and better researched than mass emails. The attackers often have prior information about their victims, which increases their credibility.
Phishing method | Main channel | Special features | Recognizability |
---|---|---|---|
Voice phishing | Phone | Personal interaction, urgency, voice as a trust factor | Difficult (especially with voice spoofing) |
E-mail phishing | E-mail | Mass mailing, fake links, attachments | Medium (spam filter, visible URL errors) |
Smishing | SMS/Messaging | Short messages, often with links | Medium (unknown sender) |
Spear phishing | Various | Highly personalized, well researched | Very difficult (looks authentic) |
The combination of human interaction and technical tricks makes voice phishing particularly dangerous. While email filters can intercept suspicious messages, there are fewer automated protection measures for phone calls. In addition, attackers use social engineering tactics to manipulate their victims and persuade them to disclose sensitive information.
The risk is particularly high for Salesforce users, as the platform contains valuable customer data and business information. A successful attack can not only lead to data loss, but also cause considerable financial damage through blackmail.
Risks for Salesforce users
For companies that use Salesforce, voice phishing attacks pose specific risks that go far beyond simple data loss. The platform houses extensive and valuable business information that is particularly attractive to cybercriminals. Attackers such as the UNC6040 group have specialized in gaining access to this data through targeted phone calls.
In recent months, this group has been successful on several occasions by posing as IT support staff. Using clever social engineering, they convinced employees to grant them access or to disclose sensitive access data. It is worth noting that in all cases observed, no technical vulnerabilities in Salesforce were exploited - instead, only the end users were manipulated.
Data and information at risk
In successful voice phishing attacks on Salesforce users, criminals can access a wide range of sensitive information. Customer data, which contains detailed contact information, purchase histories and personal preferences, is particularly at risk. This data is of considerable value to cyber criminals, as it can be used for further fraud attempts or for resale on the darknet.
In addition to customer data, internal business information is also a coveted target. Sales forecasts, marketing strategies and product development plans can fall into the wrong hands and lead to competitive disadvantages. Attackers can also gain access to internal communication channels, which enables other systems to be compromised.
Security in Salesforce is particularly jeopardized by the fact that attackers often remain undetected for months after successful infiltration. The UNC6040 group has shown that it proceeds patiently after the initial compromise and sometimes waits months before extracting data. This approach makes detection considerably more difficult and increases the potential damage.
Data at risk | Value for attackers | Potential consequences | Difficulty of recognition |
---|---|---|---|
Customer contact data | Very high | Identity theft, spear phishing | Medium |
Sales data | High | Competitive disadvantages, market manipulation | High |
Trade secrets | Very high | Loss of competitive advantages | Very high |
Access data | Extremely high | Long-term system compromise | High |
Potential financial losses
The financial impact of voice phishing attacks on Salesforce users can be devastating. Direct costs are initially incurred through extortion payments that attackers demand after the data theft. Depending on the size of the company and the value of the stolen data, these can run into hundreds of thousands or even millions of euros.
In addition, there are considerable costs for forensic investigations and the restoration of compromised systems. Companies have to hire specialized IT security experts to determine the scope of the attack and close security gaps. These measures not only tie up financial resources, but also valuable IT department working time.
The indirect financial damage caused by loss of reputation and customer churn is particularly serious. If it becomes known that a company has been the victim of a data breach, customer trust suffers considerably. Studies show that up to 30% of customers lose trust in a company after a data protection incident and switch to competitors.
The threat situation is further exacerbated by AI-supported security risks. Modern attackers are increasingly using artificial intelligence to refine their attacks and make detection more difficult. For example, they can imitate real voices or carry out automated personalized attacks based on publicly available information about employees.
What is particularly worrying is that traditional security measures are often ineffective against this type of attack. Since voice phishing does not target technical vulnerabilities in Salesforce, but rather the manipulation of employees, traditional security systems are bypassed. Companies therefore need to take a holistic approach to security that considers both technical and human factors.
How does voice phishing work?
Behind voice phishing attacks on Salesforce users is a sophisticated methodology that abuses trust and exploits technical vulnerabilities. The attackers are highly organized and follow a multi-stage process aimed at deceiving employees and gaining access to valuable company data.
The attack usually begins with thorough research. Cyber criminals gather information about the company structure, IT systems and employees with Salesforce access rights. This preparatory work enables them to make their calls credible and target the right people.
At the heart of the attack is persuasion over the phone. The fraudsters pretend to be trustworthy people - such as IT support staff or official Salesforce specialists. Their aim is to persuade victims to authorize a malicious connected app for the Salesforce portal.
Typical methods and tactics used by attackers
One particularly dangerous development is identity theft through voice clones. Attackers use recordings of an executive's voice to create deceptively real voice impersonations. With this technology, they can convincingly impersonate superiors or well-known colleagues.
Advanced attackers have also developed methods to deceive voice recognition systems. They manipulate audio data so skillfully that biometric security systems are fooled, while the voice sounds natural to human listeners.
In a typical vishing call, the perpetrators direct their victims to a Salesforce connected app setup page. There, employees are asked to authorize a supposedly legitimate version of the Data Loader. This app often has a slightly different name or modified branding, which is hardly noticeable at first glance.
However, the installed application is an unauthorized, modified version of the official Salesforce Data Loader. As soon as this app gains access, the attackers can gain full access to the company's Salesforce data and extract it.
Examples of voice phishing calls
A common scenario begins with a supposed call from the IT department: "Hello, this is Thomas from IT security. We have detected unusual activity in your Salesforce account and urgently need to install a security patch."
In another example, the caller pretends to be a Salesforce employee: "We are carrying out an important update and need your help to ensure that your data is not lost. Could you please authorize our Data Loader?"
Then there are attacks using identity theft through voice clones, in which the voice of a manager is imitated: "Hello, this is Managing Director Martin. I'm in an important meeting right now, but our Salesforce system has a critical problem. Please authorize the app immediately, which our IT partner will send you by email in a moment."
The attackers often create artificial time pressure and claim that data could be lost or services will fail if action is not taken immediately. This urgency is intended to suppress critical thinking and lead to quick, rash actions.
In all cases, the perpetrators use psychological tricks, technical expertise and persuasive conversation techniques to manipulate their victims. The combination of a trustworthy appearance, seemingly legitimate requests and sophisticated manipulation of voice recognition makes voice phishing a particularly dangerous threat for Salesforce users.
Signs of a voice phishing call
Vigilance against suspicious call patterns is the first step in defending against voice phishing attacks on Salesforce users. Cybercriminals are refining their telephone fraud methods to appear more authentic and fool more victims. The ability to recognize these fraudulent calls can make the difference between data security and serious security breaches.
Typical characteristics of suspicious calls
Voice phishing calls often have characteristic patterns that can serve as warning signals. Particularly with Salesforce users, fraudsters target valuable customer data and access information. Recognizing these patterns is the first step in protecting sensitive company data.
The most common signs of a voice phishing attempt include:
- Unexpected calls allegedly from IT support or Salesforce employees
- Artificially created time pressure and urgency ("Your account will be blocked in 30 minutes")
- Direct requests for access data or MFA codes
- Requests to visit certain websites or to install software
- Threats of consequences such as data loss or system failures
The use of technical terms to feign competence is particularly ingenious. Attackers often use technical jargon to unsettle victims and increase their credibility. They can pretend to be Salesforce employees or IT specialists and claim to have to fix urgent security problems.
Another typical feature is a request to visit a specific website. In recent attacks on Salesforce users, criminals have tricked their victims into opening an Okta phishing panel. There, access data and multi-factor authentication codes were requested directly in order to log in and add the Salesforce Data Loader app.
Behavior in the event of suspicious calls
The correct behavior in the event of a suspicious call can be decisive in preventing telephone fraud. The basic rule is: stay calm and don't let yourself be put under pressure.
The following rules of conduct should be observed in the event of suspicious calls:
- Never make decisions or disclose personal data under time pressure
- Politely end the call and announce a callback
- Contact the IT department or Salesforce via official channels
- Do not open links or install software recommended during the call
- Do not provide access data or MFA codes over the phone
Special care should be taken if the caller asks for multi-factor authentication codes. These codes are the last line of defense against unauthorized access and should never be disclosed. Legitimate Salesforce employees or IT support teams will never ask for this sensitive information.
If you are unsure, it is always better to end the call and dial the official number of the company or Salesforce support yourself. This way you can ensure that you are actually speaking to an authorized employee. Document suspicious calls with the date, time and information requested so that you can create a detailed report if required.
A good principle is: If a call sounds too good to be true or seems unusually urgent, healthy skepticism is advisable. Trust is good, verification is better.
If you have inadvertently disclosed data, act immediately. Change affected passwords, inform your IT security department and monitor your accounts for suspicious activity. The faster you react, the greater the chance of averting or limiting damage.
Protective measures for Salesforce users
With voice phishing attacks on the rise, Salesforce users need a multi-layered security approach to protect their data. The threat of telephone fraud attempts requires both technical and organizational measures to guarantee security in Salesforce. A holistic approach that combines different levels of protection and systematically closes potential vulnerabilities is particularly important.
Best practices for avoiding voice phishing
To effectively protect against voice phishing, companies should first establish clear communication protocols for IT support requests. These protocols help employees to distinguish legitimate from fraudulent requests and provide a structured process for support requests.
A fundamental security principle is least privilege: employees are only given access to the data and functions required for their work. Google expressly recommends this approach as an effective countermeasure against phishing attacks.
The implementation of IP-based access barriers is another important protective measure. These restrictions prevent unauthorized access from unknown or suspicious locations and thus significantly increase the security of the Salesforce system.
It is particularly important to activate multi-factor authentication (MFA) for all Salesforce accounts. Ideally, companies should use hardware security keys instead of SMS codes, as these offer a higher level of security. MFA is considered one of the most effective measures against unauthorized access and should therefore be implemented consistently.
Security software and tools
Salesforce offers special security tools for additional protection. Salesforce Shield is a powerful solution that provides advanced monitoring and encryption functions. The tool enables comprehensive advanced security monitoring and policy enforcement, as recommended by Google as a protective measure.
Setting up automatic alerts for unusual activities can uncover suspicious processes at an early stage. These alerts should be configured in such a way that they immediately inform the responsible employees in the event of potential security breaches.
Regular checks of connected apps are also essential. Access to these apps should be handled restrictively, as suggested by Google, in order to minimize the risk of data leaks.
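The connected-app review described above can be partly automated. The following added example (not from the original article and not Salesforce's own tooling) checks a constructed export of authorized connected apps against an allowlist keyed on an app identifier, so that an unknown app calling itself "Data Loader", or something close to it, is listed first. The column names, the identifiers and the `APPROVED` list are assumptions.

```python
import csv
import difflib
import io
import re
import unicodedata

# Constructed allowlist: identifier -> display name of apps the organization approved.
# The identifiers are placeholders, not real Salesforce consumer keys.
APPROVED = {"APP-0001": "Data Loader", "APP-0002": "Acme Reporting"}

# Names whose imitations deserve priority; the article names the Data Loader.
PROTECTED_NAMES = ("Data Loader",)

# Constructed export of authorized connected apps (column names are hypothetical).
SAMPLE_EXPORT = """app_id,app_name,authorized_by,last_used
APP-0001,Data Loader,j.doe,2025-06-02
APP-0977,Data Loader,m.smith,2025-06-03
APP-0978,DataLoader Support,m.smith,2025-06-03
APP-0002,Acme Reporting,a.lee,2025-05-28
APP-0431,Calendar Sync,a.lee,2025-05-30
"""


def normalize(name):
    """Fold case and Unicode compatibility forms, then drop everything but a-z0-9."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def resembles(name, protected=PROTECTED_NAMES, threshold=0.8):
    """True if the name contains, or is a near match of, a protected name."""
    candidate = normalize(name)
    for reference in protected:
        target = normalize(reference)
        if target in candidate:
            return True
        if difflib.SequenceMatcher(None, candidate, target).ratio() >= threshold:
            return True
    return False


def audit(export_text, approved=APPROVED):
    """Return (verdict, app_id, app_name, authorized_by) for every unapproved app.

    Approval is decided by identifier, never by display name, so an unknown
    app that copies the exact name of an approved one is still reported.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["app_id"] in approved:
            continue
        verdict = "lookalike" if resembles(row["app_name"]) else "unapproved"
        findings.append((verdict, row["app_id"], row["app_name"], row["authorized_by"]))
    # Lookalikes of protected names first, then the remaining unapproved apps.
    findings.sort(key=lambda f: (f[0] != "lookalike", f[1]))
    return findings


if __name__ == "__main__":
    for verdict, app_id, app_name, user in audit(SAMPLE_EXPORT):
        print(f"{verdict:10} {app_id}  {app_name!r} authorized by {user}")
```
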
Special phishing protection mechanisms such as call filters or verification systems for support requests can specifically detect and ward off voice phishing attacks. These tools analyze incoming calls for suspicious patterns and can automatically block potential threats.
A combination of different security levels is recommended for comprehensive protection:
- Technical measures such as MFA and IP restrictions
- Organizational regulations such as clear support protocols
- Monitoring systems for detecting suspicious activities
- Regular security audits and inspections
The consistent implementation of these protective measures forms a robust security network that effectively protects Salesforce users against voice phishing and other forms of attack. It is particularly important that all measures are regularly reviewed and adapted to new threat scenarios.
Response to voice phishing incidents
The right response to voice phishing attacks can make the difference between a small security breach and a massive data breach. Especially for Salesforce users, who often work with sensitive customer data, a quick and coordinated approach is crucial. Experience shows that cybercriminals often take a strategic, step-by-step approach to their attacks in order to test and refine their methods.
Immediate steps if phishing is suspected
As soon as you suspect a voice phishing attack, you should act immediately. End the call immediately without disclosing any further information. Even if you are unsure, it is better to be careful than to risk losing data later.
If access data has already been passed on or suspicious apps have been authorized, you must react immediately:
- Change all affected passwords immediately
- Deactivate suspicious applications in your Salesforce account
- Check your access authorizations for unusual changes
- Document the incident with all relevant details
You should be particularly careful with small, seemingly insignificant data queries. Criminals who use voice spoofing often follow a test strategy: in documented cases, attackers first extracted small blocks of data to test their methods. In one Salesforce instance, they were able to access ten percent of the data before being discovered.
Another case shows an even more systematic approach: Here, the attackers first launched numerous test queries with small blocks of data before reading out entire database tables. This step-by-step approach makes attacks on voice systems particularly treacherous, as minor incidents are often not taken seriously enough.
Informing the IT department or security officer
After the initial immediate measures, the next critical step is to communicate with those responsible for security. Use a previously defined secure communication channel for this - never the potentially compromised channel.
The IT department can then initiate further important measures:
- Checking the system logs for suspicious activities
- Isolation of potentially affected systems
- Carrying out a forensic analysis
- Initiation of countermeasures in the event of a confirmed data outflow
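When checking logs after such an incident, the pattern described earlier (several small test queries followed by reads of entire tables) can be searched for directly. This added example is not from the original article; the log format, the column names and the thresholds are assumptions to be tuned per organization, and the sample lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed query log (hypothetical columns): who queried what, through
# which client app, and how many rows came back.
SAMPLE_LOG = """timestamp,user,client_app,object,rows
2025-06-03T09:01:10,m.smith,APP-0977,Account,20
2025-06-03T09:02:40,m.smith,APP-0977,Contact,50
2025-06-03T09:04:05,m.smith,APP-0977,Opportunity,25
2025-06-03T09:20:31,m.smith,APP-0977,Contact,184000
2025-06-03T09:26:02,m.smith,APP-0977,Account,96000
2025-06-03T10:00:00,j.doe,APP-0001,Account,120000
2025-06-03T11:15:00,a.lee,APP-0002,Case,40
2025-06-03T11:16:00,a.lee,APP-0002,Case,35
"""


def find_probe_then_bulk(log_text, small_max=100, bulk_min=10000,
                         min_probes=3, window=timedelta(hours=2)):
    """Flag bulk reads that follow a run of small test queries.

    A query returning at most `small_max` rows counts as a probe. A query
    returning at least `bulk_min` rows raises an alert when the same user
    and client app issued `min_probes` or more probes within `window`
    before it. All four thresholds are assumptions.
    """
    by_principal = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["user"], row["client_app"])
        when = datetime.fromisoformat(row["timestamp"])
        by_principal[key].append((when, row["object"], int(row["rows"])))

    alerts = []
    for (user, client_app), events in by_principal.items():
        events.sort()  # chronological order per user and app
        probes = []    # timestamps of small queries still inside the window
        for when, obj, rows in events:
            probes = [p for p in probes if when - p <= window]
            if rows <= small_max:
                probes.append(when)
            elif rows >= bulk_min and len(probes) >= min_probes:
                alerts.append({
                    "user": user,
                    "client_app": client_app,
                    "object": obj,
                    "rows": rows,
                    "probes": len(probes),
                    "first_probe": probes[0],
                    "bulk_at": when,
                })
    return alerts


if __name__ == "__main__":
    for alert in find_probe_then_bulk(SAMPLE_LOG):
        print(f"{alert['bulk_at']} {alert['user']} via {alert['client_app']}: "
              f"{alert['rows']} rows of {alert['object']} "
              f"after {alert['probes']} small queries")
```

A scheduled bulk export with no preceding probes (the `j.doe` line) and a user who only runs small queries (`a.lee`) are left alone by this rule, so it complements volume-based alerts rather than replacing them.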
Also check legal reporting obligations. According to the GDPR, companies must inform the responsible data protection authority within 72 hours if they suspect a data leak. Failure to report can lead to severe penalties.
Complete documentation of the incident is particularly important. This not only helps with internal processing, but can also be decisive for later legal action or insurance claims. Make a note of the time, content of the call, affected systems and all measures taken.
Experience shows: The better a company is prepared for voice phishing incidents and the faster it reacts, the less damage is caused. A predefined response plan for such security incidents should therefore be standard in every company that uses Salesforce.
Training and awareness-raising within the company
In the fight against telephone fraud and voice phishing, raising awareness among all employees is essential. As Google reports, while vishing is neither new nor particularly innovative, the increasing focus on Salesforce environments and IT support staff is a worrying development. Attackers have realized that the human factor is often the weakest link in the security chain.
Importance of employee training
Employee training is not just a precautionary measure, but a necessary investment in corporate security. The success of the hacker group UNC6040 clearly shows that voice phishing remains an effective attack vector.
Employees with access to sensitive systems such as Salesforce are particularly at risk. These are specifically targeted as they can serve as a gateway to valuable company data. IT support staff are also increasingly being targeted, as attackers exploit their privileged roles to gain initial network access.
"Even the best firewall is useless if employees carelessly disclose sensitive information over the phone. Regular training is therefore not a luxury, but a necessity."
Effective training programs should be hands-on and simulate real-life scenarios. This is the only way for employees to learn to recognize fraud attempts in real time and react appropriately.
Example measures to raise awareness
Various measures have proven to be particularly effective in raising awareness of voice phishing in the long term:
- Phishing simulations: Controlled but realistic voice phishing calls help employees to recognize suspicious signs.
- Interactive workshops: Presentation of current scams and joint development of defense strategies.
- Clear guidelines: Establishment and regular communication of protocols for dealing with unexpected support calls.
- Regular updates: Information on new attack methods and tactics used by cyber criminals.
- Security for voice assistants: Training on the safe use of digital voice assistants in the corporate context.
Continuous repetition of the training content is particularly important. One-off training sessions are not enough, as attackers are constantly refining and adapting their methods.
Security for voice assistants deserves particular attention, as these technologies are increasingly being used in companies. They can be potential gateways for voice phishing if employees are not trained accordingly.
Companies should also establish a structured process for reporting suspicious calls. Employees need to know who they can contact if they suspect possible telephone fraud.
These comprehensive measures turn employees from potential vulnerabilities into an effective first line of defense against voice phishing attacks. The investment in training and awareness-raising pays for itself many times over in the form of avoided security incidents.
Technologies for detecting voice phishing
In the digital age, advanced technologies are emerging that can identify voice phishing attacks at an early stage. These innovative solutions help companies detect suspicious calls and fend off potential threats before sensitive data is compromised. The continuous development of these technologies is crucial to keep pace with the increasingly sophisticated methods used by attackers.
Use of AI and machine learning
Artificial intelligence and machine learning are revolutionizing the detection of voice phishing attacks. Modern AI systems can identify unusual call patterns and automatically trigger alerts when suspicious activity is detected.
These intelligent systems analyze various factors such as call times, frequency of calls from unknown numbers and linguistic characteristics. AI-supported security solutions continuously learn from new attack patterns and thus improve their detection rates over time.
Particularly noteworthy is the progress made in voice recognition. This technology can identify synthetically generated or fake voices, which are often used in voice phishing attacks. The algorithms recognize subtle nuances and irregularities that often escape the human ear.
AI technology | Function | Advantages | Challenges |
---|---|---|---|
Call pattern analysis | Detects unusual call times and frequencies | Early warning system for suspicious activities | Requires large amounts of data for training |
Voice recognition | Identifies synthetic or fake voices | High accuracy in the detection of deepfakes | Can be fooled by advanced voice imitations |
Speech pattern analysis | Recognizes typical phishing formulations | Identifies social manipulation techniques | Linguistic variations make recognition difficult |
Security systems for companies
Specialized telephony security systems are available for companies that can be seamlessly integrated into the existing communications infrastructure. These systems automatically filter suspicious calls or flag them for closer scrutiny.
A particular strength of these solutions is their ability to work with Salesforce security protocols. This integration enables a holistic approach to protection, which secures both the communication channels and the CRM data.
Analyzing network traffic also plays an important role in detecting voice phishing. Modern security systems continuously monitor the data flow and can identify unusual movements that could indicate an ongoing attack.
The challenge is that the same AI technologies we use for defense are also used by attackers to refine their methods. It's a technological arms race in which both sides are constantly innovating.
Companies should invest in advanced detection technologies, but be aware that these are only part of the security strategy. The most effective defense against voice phishing comes from combining technological solutions with trained staff and robust security policies.
While implementing these technologies requires an initial investment, in the long term they offer significant protection against the financial and reputational damage that can result from successful voice phishing attacks. Together, these measures help to make such attacks significantly more difficult and increase the security of Salesforce users.
Outlook: The future of voice phishing
Voice phishing is constantly evolving and presenting companies with new challenges. The coming years will be characterized by a technological race between attackers and defenders.
Developments in phishing technology
Artificial intelligence and improved speech synthesis enable ever more realistic voice imitations. Identity theft through voice clones is therefore becoming a growing threat. Attackers can already imitate the voices of executives in a deceptively realistic way.
At present, the focus is mostly on employees of English-speaking branches of multinational companies. However, this target group will expand as the technology becomes cheaper and more accessible.
Future protective measures for companies
To counter the new threats, companies need to use innovative phishing protection mechanisms. Biometric authentication methods will play an important role. These go beyond simple voice recognition and use several factors to confirm identity.
Context-based security systems that automatically recognize unusual requests will become standard. Blockchain technology could also contribute to the secure verification of communication in the future.
The combination of technical solutions and trained employees remains crucial for effective protection. Companies should develop flexible security strategies and adapt them regularly to keep pace with constantly changing threats.