It’s a mistake many business leaders make: assuming that because their team is digitally literate, they’re immune to cyber threats. The reality is that some of the world’s most sophisticated organisations, with entire departments dedicated to technology and security, have still fallen victim to attacks that bypass even the most alert staff.
Recently, a major tech giant confirmed that hackers had successfully tricked some employees into granting access to a sensitive customer database. The tactic wasn’t cutting-edge malware or a complex exploit. It was voice phishing, a targeted phone-based scam that convinced individuals to share credentials.
They were staff at Google, who were talked into authorising access to a Salesforce environment after a wave of voice-phishing calls. Google’s own threat team then published a technical analysis of phone-based social engineering leading to data theft and extortion, the same pattern later acknowledged to have hit one of its Salesforce instances. The lesson isn’t that anyone was careless; it’s that well-run and tech-aware teams are still human, and today’s adversaries adapt fast to sidestep detection.
This campaign didn’t rely on malware. Rather, it was designed to trade on confidence, cadence and context: operators posed as support staff to build rapport over multiple calls and push targets toward authorising a connected app or similar access that looked routine. Their objective was the CRM data, including contact information, notes and other commercially sensitive details that could later be leveraged for extortion. Google’s analysts estimate around 20 organisations were impacted.
And reporting links the same playbook to other brands across sectors, from global tech and airlines to retailers and luxury goods (Qantas, adidas, Chanel, Google, plus more), reminding us that cloud systems and their users are vulnerable targets, no matter how much we wish it weren’t the case. Separate coverage notes similar breaches of Salesforce data at other firms, and consumer-facing brands have disclosed third-party CRM compromises in recent days. It highlights a truth that’s uncomfortable but essential to acknowledge: cybercriminals don’t just attack systems, they exploit human trust.
The Modern Cyber Threat Playbook
Today’s attackers combine social engineering with technical precision. They:
- Research their targets in detail before making contact.
- Impersonate trusted colleagues, partners, or service providers.
- Use multiple channels (email, phone, SMS, and even in-person calls) to build credibility.
- Create a sense of urgency to push victims into quick, unverified actions.
This means even the best-trained team can be caught off guard, especially if the scam appears to come from a legitimate, internal, or well-known source.
Why Complacency is Risky
Cyber complacency doesn’t happen overnight. It’s the product of routine, where security protocols become habits, and habits become shortcuts.
Employees may think, “I’d never click a suspicious link”, but the attacker’s goal is to make sure the link doesn’t look suspicious at all. And AI makes this possible, with agility and speed.
Global examples prove the point:
- A multinational’s customer database exposed after a cleverly staged phishing campaign.
- Healthcare networks compromised through staff logins obtained via SMS scams.
- Professional services firms targeted with fake client emails requesting document access.
In each case, the victims were well-resourced organisations with technology-aware teams, but human nature was the entry point.
What Leaders Should Do Now
Protecting your business means going beyond software and firewalls. It requires:
- Ongoing, scenario-based training so staff can recognise evolving attack techniques.
- Multi-layered security controls that make a single point of failure less damaging.
- A culture of verification where employees feel comfortable slowing down and confirming requests, no matter the source.
- Regular security reviews to test both the technology and the people behind it.
Where Partners and Advisors Come In
If you’re working with IT service providers, Managed Service Providers (MSPs), or cybersecurity partners, now is the time to lean on them. They can:
- Audit your email security and ensure protection against advanced phishing tactics.
- Simulate real-world attack scenarios to test your team’s readiness.
- Provide early-warning intelligence on new attack trends targeting your industry.
Cyber resilience is no longer just about technology; it’s about readiness, trust, and the ability to respond effectively when something slips through.
Read More About The Google Attack
- Google Threat Intelligence on voice phishing and data extortion targeting Salesforce: https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- Industry coverage of Salesforce-focused vishing incidents: https://securityaffairs.com/181017/data-breach/google-confirms-salesforce-crm-breach-faces-extortion-threat.html
- Analysis of the Google-Salesforce breach and broader implications: https://www.cxtoday.com/crm/the-google-salesforce-customer-data-breach-what-really-happened/
One Email Is All That It Takes
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist, 'zero zero-day' email security. Special Ops for when speed matters! Our real-time 'zero zero-day' email threat detection amplifies our clients’ intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.