Voice-Phishing Crew Poses as IT Staff to Raid Salesforce Data
Google Spots a New Wave of Social Engineering
Google’s threat-intelligence analysts have warned that a profit-driven hacking crew—tagged UNC6040—has been dialing company employees, pretending to be help-desk staff, and talking its way into corporate Salesforce accounts. According to a report shared with The Hacker News, the gang’s phone-based ruse, known in security circles as voice phishing or “vishing,” has paid off repeatedly over the past several months. Callers speaking fluent English convince workers to hand over login details or perform one small task that secretly opens the door for attackers. In nearly every case, that foot-in-the-door leads to large-scale data theft and, later, attempts to squeeze money out of the victim.
Google links UNC6040 to an online criminal community called The Com, whose members have a history of leaning on slick social-engineering tricks instead of complex technical exploits. What sets the latest campaign apart is its very specific goal: gaining approved access to Salesforce so attackers can download customer records in bulk.
A Tampered Data Loader Is the Key
Salesforce offers an official utility called Data Loader that lets administrators move large tables of records into or out of their org through Salesforce's APIs. UNC6040 takes advantage of that legitimate feature. During a typical call, the fake technician walks the target through Salesforce's connected app setup page and asks them to authorize what is, in fact, a doctored version of Data Loader. The rogue copy often bears an innocuous name, such as "My Ticket Portal," so it does not raise suspicion. Once the employee clicks "approve," the attackers' tool holds an OAuth token that acts with whatever data access the approving user already has; because Data Loader is built for bulk operations, that is enough to export whole objects, including customer addresses, order histories, support tickets and, where the victim stores it in Salesforce, payment data. No administrator account is needed, only a user whose permissions reach the data the attackers want.
From CRM to the Rest of the Network
Stealing Salesforce data is only part of the playbook. Google’s Threat Intelligence Group (GTIG) says the attackers then look sideways inside a victim’s environment, searching for single-sign-on providers like Okta, chat platforms such as Workplace, and cloud email services like Microsoft 365. By harvesting or reusing the credentials gathered in the first stage, the intruders can hop between systems, build a complete picture of the company’s operations, and grab additional files.
In some incidents, victims heard nothing more until months later, when an email arrived demanding payment to keep their stolen information private. During those shakedowns, UNC6040’s operators claimed they were allied with the headline-making hacking outfit ShinyHunters, apparently hoping the name drop would scare firms into paying faster.
Overlaps With Scattered Spider but a Different Goal
UNC6040’s tactics echo those of Scattered Spider, another crew tied to The Com that famously targeted Okta administrators. But there is a key difference: Scattered Spider wanted broad network access for resale or ransomware deployment, whereas UNC6040 focuses on snatching Salesforce records specifically, then dragging out an extortion phase. Google and its Mandiant subsidiary say the contrast underscores how versatile modern vishing campaigns have become. Some aim for quick pivots into ransomware, others for slow-burn data theft that does not reveal itself until long after the initial call.
Reconnaissance Starts With Robocalls
Investigators noticed UNC6040 also uses automated phone trees loaded with prerecorded messages. By dialing public and internal numbers, the actors gather details about common help-desk issues, internal app names, departmental extensions, and ongoing outages. That reconnaissance makes the live follow-up calls far more convincing: the caller already sounds “in the know,” boosting an employee’s trust level just enough to comply.
Salesforce: No Underlying Flaw, Just Tricked Users
Salesforce itself addressed the situation in a March 2025 blog post, stressing that attackers are not exploiting a software bug; they manipulate people. The company reminded customers to lean on built-in defenses to block unauthorized access: multi-factor authentication, IP allow-listing (login IP ranges on user profiles), and tight control over connected apps. In practice the last item means requiring admin pre-authorization for connected apps instead of letting any user self-authorize one, and granting the "API Enabled" permission only to accounts that genuinely need it, since Data Loader cannot connect to an org without it.
A Salesforce spokesperson reiterated that the platform has enterprise-grade security woven into every layer, but users must stay alert. “Security is a shared responsibility,” the statement read, urging organizations to train staff to verify every unexpected request, even if it comes from someone claiming to be IT support.
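The mechanism described above (a user authorizes an unvetted connected app, then that app pulls a large export from an address outside the corporate range) is something a SOC can hunt for in Salesforce event data. The following Python script is an added example written for this page, not code from Google, Mandiant or Salesforce; it runs over a handful of constructed, simplified event records whose field names and event kinds ("OAUTH_GRANT", "BULK_EXPORT") are stand-ins for Salesforce Event Monitoring and Setup Audit Trail data rather than the platform's exact schema. The approved-app list, the allowed network, the row threshold and the 24-hour window are assumed policy values to tune per org.

```python
"""Flag the UNC6040 pattern in Salesforce-style event logs.

Detection idea: a freshly authorized connected app that is not on the
vetted list, followed within a short window by a bulk export, scores
higher still when the export comes from an IP outside the allow-list.
Field names and event kinds below are simplified stand-ins (assumption),
not Salesforce's real Event Monitoring schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed policy values: apps an admin has vetted, corporate egress ranges
# where legitimate Data Loader runs originate, and a bulk-export threshold.
APPROVED_APPS = {"Data Loader", "Salesforce CLI"}
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 doc range
BULK_ROW_THRESHOLD = 10_000
GRANT_WINDOW = timedelta(hours=24)


@dataclass
class Event:
    ts: datetime
    kind: str          # "OAUTH_GRANT" or "BULK_EXPORT" (constructed kinds)
    user: str
    app: str           # connected app name as shown at authorization time
    client_ip: str
    rows: int = 0      # rows moved by a bulk job (exports only)
    entity: str = ""   # Salesforce object exported, e.g. Account


def ip_allowed(ip: str) -> bool:
    """True when the client address falls inside an allow-listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def detect(events):
    """Return a list of (severity, message) findings in time order."""
    findings = []
    recent_grants = {}  # (user, app) -> time an unvetted app was authorized
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "OAUTH_GRANT":
            if ev.app not in APPROVED_APPS:
                recent_grants[(ev.user, ev.app)] = ev.ts
                findings.append(("medium",
                    f"{ev.user} authorized unvetted connected app "
                    f"'{ev.app}' from {ev.client_ip}"))
        elif ev.kind == "BULK_EXPORT":
            reasons = []
            if ev.rows >= BULK_ROW_THRESHOLD:
                reasons.append(f"{ev.rows} rows of {ev.entity}")
            if not ip_allowed(ev.client_ip):
                reasons.append(f"off-allowlist IP {ev.client_ip}")
            granted = recent_grants.get((ev.user, ev.app))
            if granted is not None and ev.ts - granted <= GRANT_WINDOW:
                reasons.append(
                    f"app '{ev.app}' authorized {ev.ts - granted} earlier")
            if reasons:
                # One signal alone is often a legitimate scheduled export;
                # two or more together match the vishing-to-exfil chain.
                sev = "high" if len(reasons) >= 2 else "low"
                findings.append((sev,
                    f"bulk export by {ev.user} via '{ev.app}': "
                    + "; ".join(reasons)))
    return findings


# Constructed sample: one vishing victim (alice) and two normal admins.
SAMPLE_EVENTS = [
    Event(datetime(2025, 5, 1, 9, 0), "OAUTH_GRANT", "alice",
          "My Ticket Portal", "198.51.100.7"),
    Event(datetime(2025, 5, 1, 9, 40), "BULK_EXPORT", "alice",
          "My Ticket Portal", "198.51.100.7", rows=250_000, entity="Account"),
    Event(datetime(2025, 5, 1, 10, 0), "BULK_EXPORT", "bob",
          "Data Loader", "203.0.113.10", rows=500, entity="Contact"),
    Event(datetime(2025, 5, 1, 11, 0), "BULK_EXPORT", "carol",
          "Data Loader", "203.0.113.11", rows=50_000, entity="Account"),
]

if __name__ == "__main__":
    for severity, message in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Run against the sample, the script raises a medium finding for the "My Ticket Portal" authorization, a high finding for the 250,000-row Account export that follows it forty minutes later from an off-allowlist address, and only a low finding for carol's large but in-range export with a vetted app. The point of the scoring is that the row count by itself is noisy in any org that runs Data Loader on a schedule; it is the combination with an unvetted app grant and an unexpected source address that singles out the pattern Google describes.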
Social Engineering Still Outruns Technical Fixes
Nick Guttilla, who leads incident-response work at Google-owned Mandiant, notes that remote work and outsourced service desks have normalized talking to unfamiliar help-desk agents. That shift makes it easier for criminals to impersonate support teams. Effective awareness programs, he argues, must treat unexpected phone calls with the same skepticism companies now apply to suspicious emails.
Google warns that the gap between the first breach and the ransom demand means more firms may discover months-old compromises only when an extortion letter appears. The takeaway: tighten app approvals in Salesforce, double-check every request for admin action, and remind employees that even the most polite “support technician” on the phone might be an imposter looking for a shortcut into the crown-jewel customer database.