Google warns of social engineering campaign targeting Salesforce users: Here's what happened

A hacking group posing as IT support personnel has infiltrated the Salesforce systems of at least 20 companies across the United States and Europe, according to a new report by Google’s threat intelligence team.

The cybercriminals, believed to be linked to a loosely connected collective known as “the Com,” exploited human error rather than software vulnerabilities, relying on social engineering techniques to gain access to sensitive corporate data. The group, which reportedly has ties to hackers based in the US, UK, and Western Europe, used phone calls to impersonate IT staff, duping employees into handing over login credentials or connecting rogue applications to their companies’ Salesforce platforms.

Once inside, the attackers exfiltrated data, sometimes waiting months before contacting the victims with extortion demands. According to Google’s findings, the campaign did not exploit any technical flaws within Salesforce itself.

“There’s no indication the issue described stems from any vulnerability inherent to our services,” a Salesforce spokesperson confirmed via email. “Attacks like voice phishing are targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

Salesforce previously issued a warning in March, highlighting the growing use of social engineering tactics aimed at compromising customer accounts. It also offered guidance to help organisations strengthen their defences.

While many of the recent intrusions have affected the retail sector, the group’s activities appear to extend across a wider range of industries. Notably, several major retailers — including Marks & Spencer, Co-op, Adidas, Victoria’s Secret, Cartier, and North Face — have suffered cyberattacks in recent weeks. However, Google stated that there is not enough evidence to directly link the Com group to these specific incidents.

Austin Larsen, Principal Threat Analyst at Google’s Threat Analysis Group, said: “While we’ve seen this group target retail, they have also targeted other industries and we do not have enough information to definitively link this group to the recent hacks in the US and UK more broadly.”

Google’s investigation also revealed that the perpetrators used infrastructure and tactics previously associated with members of the Com, including individuals believed to be part of the infamous Scattered Spider hacking collective. That group has been connected to numerous high-profile breaches in recent years and is known for impersonating IT personnel as part of its modus operandi. Some members are also believed to be involved in SIM-swapping schemes to steal cryptocurrency, often coordinating via social media platforms.

In light of the findings, Google has urged businesses to reinforce employee training and remain alert to the threat of social engineering, which continues to be a significant vector for cyberattacks despite advances in technical security.

(With inputs from Bloomberg)