    Criminals Are Now Calling Employees Then Showing Up to Steal Data

    A dangerous new attack combines phone scams with in-person visits. Here's what your family needs to know if anyone works from home or in an office.

    Source

    GetCyberRight Intelligence

    Original headline: Vishing + Physical Intrusion Campaign Targets US Firms

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Monday, June 8, 2026

    What Happened

    Cybercriminals have launched a sophisticated campaign targeting U.S. businesses by combining phone scams with physical break-ins. Attackers first call employees pretending to be IT support staff, then actually show up in person to steal company data. This escalation from digital-only attacks to physical intrusions marks a concerning shift in how criminals operate.

    The Details

    Here's how this attack works. A criminal calls an employee, claiming to be from the IT department or tech support team. They create urgency by saying there's a security problem that needs immediate attention. The caller might ask the employee to share login credentials, disable security features, or provide information about office access.

    The real danger comes next. Using information gathered from these phone calls, attackers then physically visit the business location. They may pose as repair technicians, contractors, or even fellow employees. Once inside, they steal laptops, access computers left unlocked, or plug in devices to extract data directly from the company network.

    This combination is particularly dangerous because it exploits two weaknesses at once: our tendency to trust helpful voices on the phone and our assumption that people in our physical workspace belong there. Many businesses have strong digital defenses but weaker physical security protocols, especially in hybrid work environments.

    Who Is Affected

    This threat primarily impacts employees who work in office settings or hybrid arrangements. If someone in your household has access to work systems, company data, or office buildings, they could be targeted. Remote workers are especially vulnerable because home offices often lack the physical security measures of corporate buildings.

    Small and mid-sized businesses face heightened risk. These organizations may not have dedicated security staff or formal verification procedures for IT support calls. Family members who own businesses, manage teams, or handle sensitive company information should pay close attention to this threat.

    What You Should Do Right Now

    1. Talk with working family members about verification procedures. Before anyone shares information with IT support callers, they should hang up and call the IT department directly using a known number from the company directory.

    2. Establish a family rule: Never share work passwords over the phone. Legitimate IT departments will never ask for passwords in unsolicited calls. This applies to remote access codes, building entry codes, and computer login credentials.

    3. Report unexpected visitors immediately. If someone shows up claiming to fix computers or network issues that weren't scheduled, verify with management before allowing access. Real technicians will understand the delay.

    4. Lock computers every time you step away. Even for bathroom breaks. Use Windows Key + L on Windows or Control + Command + Q on Mac to lock screens instantly.

    5. Review your workplace's visitor and vendor policies. Know the official process for verifying contractors, repair staff, and temporary workers. Share concerns with your security team if these policies seem unclear or outdated.

    The Bigger Picture

    This attack represents a troubling evolution in social engineering tactics. Criminals are becoming more patient and sophisticated, willing to invest time in reconnaissance and physical risk. As digital defenses improve, attackers increasingly target the human element through manipulation and deception. Staying informed about these evolving tactics protects not just your job, but also the personal information of customers and colleagues in your company's systems.

    How GetCyberRight Can Help

    Our Awareness Hub provides practical training on recognizing social engineering tactics like vishing (voice phishing) and physical security risks. The interactive modules help families practice identifying red flags in phone calls and understanding workplace security protocols. Training yourself and your family members to spot these manipulation tactics is one of the most effective defenses against modern cyber threats.
