    Phone Scammers Are Getting Smarter: How to Protect Your Work and Personal Accounts

    Criminals are using sophisticated phone calls and fake login pages to steal passwords and extort victims. Here is how to recognize and stop these attacks.

    Source

    DataBreaches.net

    Original headline: Welcome to BlackFile: Inside a Vishing Extortion Operation

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Saturday, May 16, 2026. Updated Saturday, May 16, 2026. 2 min read.

    Google's Threat Intelligence Group has uncovered an extensive scam operation called BlackFile, run by a group tracked as UNC

    These criminals are using voice phishing, also known as vishing, to target organizations. They call victims pretending to be from IT support or other trusted sources, then trick them into entering their login credentials on fake websites. Once they steal these passwords, they use them to break into accounts and extort victims. The scammers use adversary-in-the-middle techniques that can even bypass some security protections.

    This threat affects anyone who uses single sign-on accounts for work. Single sign-on is when you use one login (often your work email and password) to access multiple work applications. If you work for a company, nonprofit, school, or any organization that uses cloud-based tools, you could be a target. The scammers often call pretending to be from your IT department or a service like Microsoft or Google. They create a sense of urgency to pressure you into acting quickly without thinking.

    Here is what you should do right now:

    1. Never give your password to anyone who calls you, even if they claim to be from IT support. Legitimate IT staff will never ask for your password over the phone.
    2. If someone calls claiming to be from your company's IT department or a tech service, hang up and call back using a number you find independently (from your company directory or the official website), not a number the caller provides.
    3. Look carefully at any login page before entering your password. Check the web address in the browser bar. Fake sites often have slight misspellings or unusual domain names.
    4. Enable two-factor authentication (also called multi-factor authentication or 2FA) on all your work and personal accounts. Even if scammers steal your password, they cannot get in without the second verification step.
    5. Report suspicious calls immediately to your workplace IT or security team.

    To stay safe long-term, treat unexpected phone calls with skepticism, especially ones creating urgency about account security or asking you to verify information. Train yourself and your family members to pause and verify before taking action. Scammers rely on pressure and fear. Taking a moment to think and verify independently can stop most of these attacks before they succeed.
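For IT and security teams, the address check described above (slight misspellings or unusual domain names on a login page) can be automated in a mail or web filter. This is an added example, not code from the original article or its source; the trusted host list, the two-typo threshold and the sample URLs in the comments are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sign-in hosts your organization really uses. Replace with your own.
TRUSTED_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character typos separating a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # character dropped
                           cur[j - 1] + 1,             # character added
                           prev[j - 1] + (ca != cb)))  # character swapped
        prev = cur
    return prev[-1]


def check_login_url(url, trusted=TRUSTED_HOSTS, max_typos=2):
    """Return a verdict string for a URL that claims to be a sign-in page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https":
        return "suspicious: not https"
    if host in trusted:
        return "trusted"
    # Punycode ("xn--") or raw non-ASCII labels can hide look-alike letters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "suspicious: internationalized hostname"
    for good in trusted:
        # e.g. login.microsoftonline.com.sso-check.example (constructed sample)
        if good in host:
            return f"suspicious: {good} embedded in another domain"
        # e.g. login.micros0ftonline.com (constructed sample)
        if edit_distance(host, good) <= max_typos:
            return f"suspicious: lookalike of {good}"
    return "unknown: not an approved sign-in host"
```

Only an exact match on the approved list returns "trusted"; every other result should be treated as a reason to stop and verify before anyone enters a password.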
