Google Warns That Fake IT Workers Are Stealing Financial Data

PYMNTS, Jun 5, 2026

Why It Matters

The scheme targets high‑value financial and legal data, exposing firms to costly extortion and regulatory fallout, and forces a rethink of both digital and physical security controls.

Key Takeaways

  • Fake IT technicians steal legal, financial, and personal data
  • Attacks use remote screen‑sharing and on‑site USB theft
  • Silent Ransom Group has targeted U.S. law firms since 2023
  • Google advises training, strict USB controls, and remote‑access controls
  • Unified physical and endpoint security needed for defense

Pulse Analysis

Impersonation of IT staff has become a preferred vector for cyber‑extortion groups because it exploits the inherent trust employees place in internal support teams. Over the past year, Google’s Threat Intelligence Group and Mandiant have observed a surge in campaigns that blend social engineering with technical tools, targeting law firms, accounting practices, and other professional services that handle sensitive financial data. By framing requests as routine migrations or invoice processing, attackers lower the friction for victims to grant privileged access, turning a simple support call into a gateway for large‑scale data theft.

The attacks unfold in two distinct modes. In remote operations, perpetrators send phishing emails that reference data migrations, then follow up with phone calls to arrange screen‑sharing sessions and install remote‑management utilities. Physical campaigns involve actors dressed as IT technicians who walk into offices and plug malicious USB drives into workstations, instantly copying confidential contracts, personally identifiable information, and financial statements. The FBI’s recent cyber‑intelligence bulletin identified the Silent Ransom Group as a primary actor, noting its focus on U.S. law firms since spring 2023 and its use of both digital and on‑site tactics to exfiltrate data before demanding ransom.

To blunt these blended threats, Google and Mandiant urge a unified security posture that treats physical access and endpoint controls as a single perimeter. Core recommendations include mandatory employee training on IT‑impersonation scams, verification of all external contractors, conditional access policies for remote connections, disabling read/write permissions on USB mass‑storage devices, and continuous monitoring of authentication anomalies. Organizations that embed these safeguards into governance frameworks not only reduce the likelihood of data theft but also demonstrate compliance readiness, a critical factor as regulators tighten breach‑notification requirements for financial and legal entities.
