Fake IT Support Is Now Walking Through the Front Door
Google and the FBI say Silent Ransom Group has moved beyond calls and screen-sharing into in-person office intrusions, a reminder that cybersecurity now includes front-desk procedure.
Fake IT support scams used to be mostly a phone-and-screen-share problem. The warning now is more physical: in some cases, investigators say the same extortion ecosystem has tried to put a person inside the office.
Google’s Mandiant and Google Threat Intelligence Group say a financially motivated data-theft cluster tracked as UNC3753 — also known as Luna Moth, Chatty Spider, and Silent Ransom Group — targeted dozens of U.S. organizations across professional, legal, and financial services from January through May 2026. (Google Cloud/Mandiant report)
The usual entry point is still social engineering. According to Google, attackers use invoice or data-migration pretexts, then pose as IT support and talk employees into screen-sharing sessions or remote monitoring and management tools. (Google Cloud/Mandiant report)
What makes the latest warning sharper is the in-person piece. Google says incidents “possibly linked” to UNC3753 involved people posing as IT technicians entering corporate offices and attempting to exfiltrate data from an endpoint with USB storage media. (Google Cloud/Mandiant report)
The FBI issued a similar alert in late May, saying Silent Ransom Group has targeted law firms using phone calls and phishing emails, with actors posing as IT support to gain computer access and exfiltrate data through remote tools or by sending someone to a victim company’s location. (FBI FLASH alert, May 26, 2026)
Why law firms are such attractive targets
The FBI says the group has victimized organizations in insurance, finance, healthcare, and other sectors, but has consistently targeted U.S.-based law firms since spring 2023. (FBI FLASH alert)
That focus is not surprising. A law firm workstation may hold privileged communications, settlement material, merger documents, tax records, personal identifiers, or client financial data. Google says the stolen material in investigated incidents typically included proprietary legal agreements, personally identifiable information, and financial records used for later extortion demands. (Google Cloud/Mandiant report)
This is also not classic “encrypt everything and drop a ransom note” ransomware. The FBI describes Silent Ransom Group as a data-theft and extortion operation that seeks rapid access, immediate exfiltration, and pressure through threats to sell or publish stolen data. (FBI FLASH alert)
The new control point: the front desk
The important lesson is that cybersecurity controls cannot stop at the login screen. If an attacker can persuade an employee, a receptionist, or a contractor that “IT is here to fix the phishing problem,” the office itself becomes part of the attack surface.
The FBI’s recommendations are practical and physical: verify the credentials of anyone entering company space, collect visitor identification where appropriate, define how IT support authenticates itself to employees, train staff to resist phishing attempts, require phishing-resistant MFA where possible, and limit sensitive-data access from less secure networks. (FBI FLASH alert)
For smaller firms, the fix is not buying one more security product. It is making “who sent you?” and “how do I verify you?” part of everyday office procedure. The attacker is counting on courtesy, urgency, and confusion. The defense is a process that makes verification normal before anyone touches a keyboard.
Featured image: “flash-drive” by Nedko, licensed under CC BY 2.0 via Flickr.


