Employees Are Unknowingly Inviting Tech Support Impersonators Into Firms, Says FBI
Why It Matters
Law firms store privileged client information, making successful physical breaches a severe reputational and financial risk. The FBI’s alert highlights a growing hybrid threat that forces organizations to tighten both cyber and physical security controls.
Key Takeaways
- Silent Ransom Group now uses in‑person IT impersonation on law firms.
- Attackers insert malicious USB devices to install remote‑access tools and steal data.
- FBI flags unauthorized installs of tools like AnyDesk, WinSCP, Rclone as indicators.
- Physical security and strict USB policies are critical defenses for professional services.
- Employee training must verify IT requests via approved channels, not caller‑provided contacts.
Pulse Analysis
Tech‑support scams have long preyed on employee trust, but the FBI’s recent Flash report shows a dangerous evolution: attackers are now walking into offices, posing as internal IT staff. Law firms, with their high‑value confidential files, are prime targets for the Silent Ransom Group, a cyber‑crime outfit also tracked as Luna Moth and Chatty Spider. By exploiting the natural deference employees give to perceived IT personnel, the gang sidesteps email filters and endpoint protections, creating a direct conduit for malware insertion.
Once inside, the criminals use a seemingly innocuous USB drive to drop remote‑access utilities such as AnyDesk, WinSCP, or a renamed Rclone binary. These tools enable rapid privilege escalation and data exfiltration to cloud services like OneDrive or Google Drive, often without triggering traditional alerts. The FBI lists these unauthorized installations, unexpected external hard‑drive connections, and outbound transfers to personal cloud accounts as key indicators. Because the malicious software mimics legitimate management utilities, security teams must correlate device‑level events with user behavior to spot the brief, high‑speed breach window before data is siphoned.
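The correlation the paragraph calls for, as an added example (not code from the FBI alert or the article): it matches the named tools on their PE original file name so a renamed Rclone binary is still caught, ignores sanctioned install paths, and ties each launch to a recent USB connection on the same host. The event shape, the hosts, the approved-path list and the 15‑minute window are assumptions for the sample.

```python
from datetime import datetime, timedelta

# Tools the FBI Flash names as indicators. Matching on OriginalFileName
# (as Sysmon records it) rather than the on-disk name catches renamed copies.
WATCHED_TOOLS = {"anydesk.exe", "winscp.exe", "rclone.exe"}
# Hypothetical: paths where IT has sanctioned these tools for legitimate use.
APPROVED_PATH_PREFIXES = ("c:\\program files\\",)

# Constructed sample telemetry (not real events), in a Sysmon-like shape.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T09:00:00", "host": "WS-12", "type": "process",
     "image": "C:\\Program Files\\WinSCP\\WinSCP.exe", "orig_name": "WinSCP.exe"},
    {"ts": "2024-06-03T14:02:10", "host": "WS-07", "type": "usb_connect",
     "image": "", "orig_name": ""},
    {"ts": "2024-06-03T14:03:45", "host": "WS-07", "type": "process",
     "image": "C:\\Users\\jdoe\\Desktop\\support.exe", "orig_name": "rclone.exe"},
    {"ts": "2024-06-03T14:04:02", "host": "WS-07", "type": "process",
     "image": "C:\\Temp\\AnyDesk.exe", "orig_name": "AnyDesk.exe"},
    {"ts": "2024-06-03T16:00:00", "host": "WS-12", "type": "process",
     "image": "C:\\Users\\asmith\\Downloads\\AnyDesk.exe", "orig_name": "AnyDesk.exe"},
]


def correlate(events, window_minutes=15):
    """Flag watched-tool launches outside approved paths; mark those that
    follow a USB connection on the same host within the window."""
    last_usb = {}  # host -> time of the most recent USB connection
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "usb_connect":
            last_usb[e["host"]] = t
            continue
        if e["type"] != "process":
            continue
        name = e["orig_name"].lower()
        if name not in WATCHED_TOOLS:
            continue
        image = e["image"].lower()
        if image.startswith(APPROVED_PATH_PREFIXES):
            continue  # sanctioned install location, not an indicator
        renamed = image.rsplit("\\", 1)[-1] != name
        usb_t = last_usb.get(e["host"])
        after_usb = usb_t is not None and timedelta(0) <= t - usb_t <= timedelta(minutes=window_minutes)
        alerts.append({"ts": e["ts"], "host": e["host"], "tool": name,
                       "renamed": renamed, "after_usb": after_usb,
                       "severity": "high" if after_usb else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```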
Mitigation now demands a blended approach. Beyond standard phishing awareness, firms should enforce strict USB port controls, disable auto‑run features, and maintain an inventory of approved peripherals. Physical security policies must require verification of any IT visitor—photo ID, escort, and a pre‑approved ticketing system. Crucially, employee training should stress that any IT request received via unsolicited call, email, or voicemail must be confirmed through a known internal channel, not the contact details supplied in the message. By aligning cyber hygiene with tangible access controls, organizations can blunt the most insidious facet of this emerging threat.