BleepingComputer reported on June 7, 2026 that Silent Ransom Group is actively targeting U.S. law firms and professional services organizations with fake IT-support calls that can lead to fast data theft. The same campaign was detailed by Mandiant, which tracks the group as UNC3753, Luna Moth, Chatty Spider, and Silent Ransom Group.
The important business lesson is not that one criminal group has a new script. It is that an employee can be pressured into granting access to a workstation, remote session, document system, or office desk because the request sounds like ordinary IT support.
Why this matters to professional services firms
Mandiant said the campaign targeted dozens of U.S. organizations across legal, financial, and professional services from January through May 2026. Those sectors matter because they hold client agreements, tax records, Social Security numbers, financial files, merger documents, healthcare or insurance records, and other information that can create legal and reputational pressure if stolen.
For New Jersey law offices, accounting firms, medical practices, nonprofit offices, insurance agencies, and other small and midsize organizations, the risk often sits between technology and operations. The attacker may not need to exploit a firewall if a staff member believes the caller is from the help desk. The attacker may not need custom malware if the employee is convinced to install or open a legitimate remote support tool.
The business decision is verification
Owners should treat this as an access-control decision, not only a cybersecurity alert. If someone calls, emails, starts a Teams or Zoom session, asks to use Quick Assist, AnyDesk, Bomgar, Zoho Assist, or another support tool, or arrives onsite claiming to be a technician, employees need a clear rule for what happens next.
The rule should not depend on whether the employee feels confident. It should be documented, simple, and backed by management. A business should decide in advance who can approve remote access, who can approve an onsite technician, which support tools are allowed, whether USB storage is blocked, and how employees verify a support request using a known phone number or approved ticketing channel.
Questions to ask your IT provider
- Which remote support tools are approved for our business, and which tools should employees refuse?
- How should an employee verify a caller who claims to be from internal IT, our MSP, a software vendor, or a security team?
- Do we require a ticket, work order, callback number, or named approver before remote control is allowed?
- Are employees allowed to use Quick Assist, Teams screen control, Zoom screen sharing, or third-party remote monitoring tools without manager approval?
- Can staff plug in USB drives, external hard drives, or technician-provided storage devices?
- Are document systems, shared drives, SharePoint, OneDrive, Google Drive, and case-management systems monitored for bulk downloads or unusual searches?
- If a suspicious support session happened, who reviews endpoint logs, remote access activity, cloud storage activity, and outbound file transfers?
What owners should request now
Ask for a one-page support verification policy. It should tell employees how legitimate IT support will contact them, what information the support person must already know, what channel the employee should use to verify the request, and what to do if the caller pressures them to act quickly.
Also ask for a review of remote access controls. That includes approved remote-management software, local administrator rights, screen-sharing permissions, conditional access for virtual desktops and VPNs, USB storage policy, and alerts for unusual file movement from document repositories.
The goal is not to make support impossible. The goal is to make support predictable. If employees know the approved process, a fake technician has less room to improvise, pressure, or confuse them.
A practical next step
Before the next emergency support request, business owners should ask their IT provider for three things: the approved support process, the list of approved remote access tools, and the escalation path for suspicious calls or onsite visitors. If those answers are unclear, the business does not yet have a support process it can safely trust.