The FBI warns a group known as the Silent Ransom Group is using charm and obvious tech cover to steal sensitive files from U.S. businesses, often starting with a phone call and, when rebuffed, sending an impostor through the front door; this article breaks down how the scam works and gives clear steps companies can take to stop it. Read on for the tactics these attackers use, why law firms are prime targets, and practical defenses that don’t require a tech overhaul. If someone shows up claiming to be IT, the situation deserves verification, not blind trust.
Picture a stranger arriving with a badge, a laptop bag and a calm voice saying they need to fix a problem. That setup is exactly the opening the attackers count on, because most employees would rather be helpful than suspicious. When someone seems official, the instinct to cooperate can hand a criminal full access to a workstation.
The FBI says this group targets U.S. businesses, with a focus on law firms, and often begins over the phone. An initial call tries to convince staff to install remote access software so the caller can “fix” an issue. If that fails, the next move is to send a person in person to the office.
Those in-person visits are brazen. The impostor may bring USB drives, external hard drives or other gear, sit at a computer and copy files or install malware. They can quietly escalate access and walk away before anyone notices, only to surface later with an extortion demand.
The operation goes by several names in intelligence circles and uses multiple tactics including phishing, phone persuasion and face-to-face deception. The remote desktop pitch is common because it hands attackers the controls they need without a physical break-in. The fallback is the human element at the front desk.
Once inside, the attacker can pull client files, contracts, financial records and other sensitive data with alarming speed. After stealing data they threaten to sell or publish it, or to call clients and create panic, turning stolen files into leverage. That kind of public pressure is an efficient way to force payment without encrypting systems.
Law firms are especially exposed because they hold privileged information, but the risk extends to medical offices, finance shops, insurers and any business that keeps private records. A fake IT worker does not need advanced hacking tools if an employee hands over a keyboard or plugs in a stranger’s drive. The method is low tech and highly effective when trust is abused.
The trick works because it looks normal: a person with a plausible story, apparently on official business and briefly occupying a desk. Receptionists and managers can assume the visit is authorized, and the ruse blends into a busy workday. That normalcy is the attack’s greatest camouflage.
There are clear red flags to watch for: unscheduled visits, a refusal to provide a ticket number or a manager contact, someone who insists on using an unsupervised workstation, or anyone who brings their own removable media. Another common ploy is manufactured urgency that pushes staff to skip verification steps. Slow the encounter down and ask for confirmation.
Make verification mandatory. Call your known IT number instead of using a number the visitor provides, confirm identity and ticket details, and require manager or IT approval through established channels. Keep an approved vendor list at reception and enforce a rule that no outside technician gets workstation access without explicit sign-off.
Limit removable media and monitor for unauthorized devices. If employees rarely need external drives, block USB ports; if they do need them, allow only approved devices. Attackers prize removable storage because it moves data quickly and quietly, and controlling that capability cuts a simple but effective attack route.
Training should cover in-person scams as well as email phishing and social engineering. Employees should feel comfortable saying, “I need to verify this first.” IT teams must watch for unexpected remote access tools appearing on endpoints and investigate any unknown installs immediately.
Adopt least-privilege access so users can reach only the files they need, and log device connections, file transfers and privilege changes to spot unusual behavior. A receptionist checklist with photo ID, company name, ticket number and an approved contact forces friction into the process that attackers rely on to move fast. If a suspicious person shows up, report it to your manager and IT right away, and notify law enforcement when appropriate.
Install reputable, up-to-date security software to detect malware and ransomware if something goes wrong, but remember tools are an aid, not a replacement for procedures and human checks. Combine technical controls with clear visitor policies and training to dramatically reduce the chance a confident stranger can walk out with your data. When someone says they’re from IT, pause before handing over your keyboard.
