    Fake IT Emails Are Tricking Workers Into Installing Hacking Tools

    A phishing campaign called VENOMOUS#HELPER has compromised 80+ organizations by impersonating IT staff and tricking employees into installing remote access software.

    Source

    GetCyberRight Intelligence

    Original headline: VENOMOUS#HELPER Phishing Campaign Hits 80+ Orgs

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Monday, May 4, 2026

    What You Need to Know

    A sophisticated phishing campaign has successfully compromised over 80 organizations across the United States. Attackers are impersonating internal IT departments to trick employees into willingly installing software that gives hackers complete control of their computers. This campaign, dubbed VENOMOUS#HELPER, is still active and targeting workplaces nationwide.

    The Details

    Here's how this attack works. You receive an email that appears to come from your company's IT department. The message looks legitimate, uses your company's terminology, and asks you to install remote support software like SimpleHelp or ScreenConnect.

    Here's the clever part: these are real, legitimate programs that many IT departments actually use. They're not viruses or malware. They're professional remote management tools that let technicians access your computer to fix problems. That's exactly why this scam is so effective.

    Once you install the software as instructed, the attackers gain persistent access to your computer. They can see everything you type, access all your files, and move laterally through your company's network. Because the software is legitimate, traditional antivirus programs won't flag it as dangerous. The hackers essentially walk through the front door because you held it open for them.

    Who Is Affected

    This campaign primarily targets employees at medium and large organizations. If you work in an office environment with an IT department, you're a potential target. The attackers have hit companies across multiple industries, with no specific sector being singled out.

    Remote workers face heightened risk. When you're working from home, you can't easily walk down the hall to verify a request with IT in person. That physical distance makes it harder to confirm whether an email is legitimate, which is exactly what attackers count on.

    What You Should Do Right Now

    1. Never install software based solely on an email request. If you receive any email asking you to install remote access tools, stop. Call your IT department directly using a number from your company directory, not from the email.

    2. Check the sender's email address carefully. Hover over the sender name to see the actual email address. Attackers often use addresses that look similar to legitimate ones but have small differences (like "suppport" instead of "support").

    3. Report suspicious emails to your IT department immediately. Forward the email without clicking any links. Your IT team needs to know if employees are being targeted.

    4. Ask your employer about verification procedures. Find out now, before an emergency, how your IT department will contact you about legitimate software installations. Will they call first? Use a ticket system? Establish this baseline.

    5. Review what remote access software is already on your work computer. If you find SimpleHelp, ScreenConnect, or similar tools that you don't remember installing, report it to IT immediately.
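
    For IT teams, the sender-address check from the list above can be automated at the mail gateway or in a triage script. The sketch below is an added example, not part of the original article or of any GetCyberRight tool; the `KNOWN_SENDERS` list, the `example.com` addresses and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: addresses the real IT desk sends from (constructed sample values).
KNOWN_SENDERS = {"support@example.com", "helpdesk@example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike:<address it imitates>' or 'unknown'."""
    _display, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_SENDERS:
        return "known"
    if "@" not in addr:
        return "unknown"
    local, domain = addr.rsplit("@", 1)
    for good in sorted(KNOWN_SENDERS):
        g_local, g_domain = good.rsplit("@", 1)
        # Score mailbox name and domain separately so a small change
        # in either half ("suppport", "examp1e.com") is caught.
        d = edit_distance(local, g_local) + edit_distance(domain, g_domain)
        if 0 < d <= max_distance:
            return f"lookalike:{good}"
    return "unknown"

# Constructed sample From headers, not taken from the campaign.
SAMPLES = [
    "IT Support <support@example.com>",
    "IT Support <suppport@example.com>",
    "IT Support <support@examp1e.com>",
    "Newsletter <news@vendor.test>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_sender(header):32} {header}")
```

    A "lookalike" result is a reason to quarantine and verify by phone, since the display name alone ("IT Support") is identical in the genuine and the imitated message.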

    The Bigger Picture

    This attack represents a growing trend: criminals abusing legitimate business tools to bypass security systems. Traditional security measures struggle against attacks that use authorized software. The human element becomes the last line of defense. Staying informed about current tactics isn't just good practice anymore. It's essential protection for your workplace and the sensitive data you handle daily.

    How GetCyberRight Can Help

    Our GCR Scam Guard tool helps you identify suspicious emails before you click or install anything. It analyzes message patterns, sender information, and common phishing tactics that campaigns like VENOMOUS#HELPER rely on. Think of it as a second pair of expert eyes reviewing your inbox, catching the subtle warning signs that slip past busy workers during a hectic workday.
