Scammers Tricked Google and Big Brands with a Simple Phone Call — Here’s How They Did It

[Photo: woman talking on the phone. Photo by Taylor Grote on Unsplash]

It’s not every day you hear that companies like Google, Louis Vuitton, and Cisco all fell for the same scam. But that’s exactly what happened — and the hackers didn’t even need to break any code.

Instead, they just picked up the phone.


The scam starts with a call — and ends with your data

Back in June, Google uncovered a sneaky phone-based scam targeting companies that use Salesforce. The attackers didn’t bother with hacking tools or exploits. They went old school: pretending to be IT staff and asking employees for access.

That’s it. And it worked.

The fraudsters told employees there was a problem, then asked them to connect an external app to Salesforce. Nothing too suspicious on the surface. But then they asked for an eight-digit code — a one-time security pass that legit users need to link apps in Salesforce.

[Photo: data breach. Photo by Claudio Schwarz on Unsplash]

Once they had that code, they got in.

Inside, they could see company data stored in Salesforce — names, contact info, and whatever business data was stored there. Google says the breach on their side lasted for a “small window of time before the access was cut off,” but not before some data had been retrieved. Fortunately for them, most of that info was already publicly available.


Google fell victim too — and didn’t even know it until later

Though Google originally reported the broader campaign in June, it revealed just this Tuesday that its own systems had been compromised as part of the very scam it warned others about.

The company believes the attackers behind the breaches are financially motivated. One group, dubbed UNC6040, carried out the actual clever phishing calls. A second group, UNC6042 — also known by its splashy nickname, ShinyHunters — may be handling the extortion side of things. Google even thinks ShinyHunters might be setting up a data leak site to increase the pressure on victims to pay up after breaches occur.


High-profile victims, and likely more we haven’t heard about

This wasn’t a one-off attack. Some big names now known to have been targeted include:

  • Adidas
  • Qantas
  • Allianz Life
  • Cisco
  • Louis Vuitton
  • Dior
  • Tiffany & Co.

And maybe more, since not every affected company may have realized it yet — or gone public.


What can companies do?

This kind of scam shows how even the biggest companies can trip over low-tech tricks. So what can be done?

[Photo: security dashboard. Photo by Zulfugar Karimov on Unsplash]

Google has some advice:

  • Audit who or what is connected to your Salesforce instance
  • Double-check external apps that have access
  • Enforce multi-factor authentication (MFA)
  • Train employees to recognize scams, especially social engineering tactics

Simply being cautious with phone requests — especially ones asking for access codes — can make a huge difference.
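The first two bullets (audit what is connected, double-check external apps) can be turned into a routine check. The script below is an added illustration, not from Google's guidance or this article: it takes the records returned by a Salesforce REST query on the OauthToken object (field names are an assumption to verify against your org), flags any connected app that is not on an approved list, and additionally flags an unapproved app that several users authorized within a short window, which is the pattern a phone-based campaign like this one leaves behind. The approved-app names and sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps that change control has approved (constructed example names).
APPROVED_APPS = {"Salesforce for iOS", "Slack", "Tableau"}

# Constructed sample shaped like the `records` array of
# SELECT AppName, UserId, LastUsedDate, UseCount FROM OauthToken
# (field names are an assumption; confirm them against your org's schema).
SAMPLE_RECORDS = [
    {"AppName": "Slack", "UserId": "005000000000001",
     "LastUsedDate": "2025-06-02T09:10:00.000+0000", "UseCount": 41},
    {"AppName": "Data Loader Helper", "UserId": "005000000000002",
     "LastUsedDate": "2025-06-03T14:02:00.000+0000", "UseCount": 3},
    {"AppName": "Data Loader Helper", "UserId": "005000000000003",
     "LastUsedDate": "2025-06-03T14:40:00.000+0000", "UseCount": 1},
    {"AppName": "Data Loader Helper", "UserId": "005000000000004",
     "LastUsedDate": "2025-06-04T10:15:00.000+0000", "UseCount": 2},
    {"AppName": "Tableau", "UserId": "005000000000001",
     "LastUsedDate": "2025-05-20T08:00:00.000+0000", "UseCount": 120},
]


def parse_sf_datetime(value):
    # Salesforce timestamps look like 2025-06-03T14:02:00.000+0000.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def audit_connected_apps(records, approved,
                         cluster_window=timedelta(hours=48), cluster_min_users=3):
    """Return {app_name: [reasons]} for every unapproved connected app."""
    by_app = defaultdict(list)
    for rec in records:
        by_app[rec["AppName"]].append(rec)

    findings = {}
    for app, recs in by_app.items():
        if app in approved:
            continue
        reasons = ["not on approved list"]
        users = {r["UserId"] for r in recs}
        times = sorted(parse_sf_datetime(r["LastUsedDate"]) for r in recs)
        # Many distinct users linking the same unknown app in a short span
        # is the footprint of a campaign calling one employee after another.
        if len(users) >= cluster_min_users and times[-1] - times[0] <= cluster_window:
            reasons.append(f"{len(users)} users within {cluster_window}")
        findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in audit_connected_apps(SAMPLE_RECORDS, APPROVED_APPS).items():
        print(f"REVIEW {app}: {'; '.join(reasons)}")
```

Each flagged app should be traced back to the users who authorized it and to any helpdesk ticket that supposedly justified it; revoking the token and asking the users about the call that preceded the authorization closes the loop.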


The takeaway

No matter how big or secure your company is, it only takes one phone call to let someone in. Social engineering is an old trick for a reason: it still works.

So if you’re using Salesforce or similar platforms, now might be a good time to take a closer look at your integrations and train your team.

Because apparently, even Google isn’t too big to get scammed.

Keywords: phone scam, data breach, Google, Salesforce, social engineering

