Inside the Voice Phishing Playbook: The Rise of UNC6040 Vishing Group

A New Player in the Cybercrime Arena

A cybercrime group labeled UNC6040 has emerged as a prominent force in the world of social engineering. Identified by Google's Threat Intelligence team, this financially driven operation has focused its attacks on enterprises using Salesforce, the popular cloud-based customer relationship management (CRM) platform. What sets UNC6040 apart is its specialized use of voice phishing—commonly called "vishing"—a tactic that exploits human interaction over the phone to trick employees into giving up sensitive information.

While cyber threats often rely on software vulnerabilities, UNC6040 flips the script by targeting the people behind the systems. By impersonating internal IT support, the group persuades employees to unwittingly compromise their own organizations. This hands-on, voice-based approach adds a layer of believability, especially in an era of remote work where employees may be more accustomed to speaking with unfamiliar support personnel.

Social Engineering Meets Salesforce

At the core of UNC6040's campaigns lies an elaborate ruse involving a Salesforce utility called Data Loader. This tool is typically used for importing and exporting large volumes of data. The attackers modify it, disguising the application under names like "My Ticket Portal," and guide victims into authorizing it through the official Salesforce interface.

Once approved, the malicious app acts as a backdoor into the organization's CRM environment, giving UNC6040 direct access to valuable customer data. The deception doesn't end there. The attackers often use this foothold to expand laterally, moving on to other internal systems like Okta, Microsoft 365, and Workplace. It's a domino effect—starting with a phone call and ending in widespread data exposure.

More Than Just Data Theft

The consequences of UNC6040's activity extend far beyond stolen data. In select cases, the group or its affiliates have returned months later with extortion demands, using the stolen information as leverage. To amplify the pressure, they claim connections to ShinyHunters, a well-known hacking collective, even though a direct affiliation hasn't been confirmed.

This delayed extortion strategy suggests a calculated approach, possibly in coordination with other cybercrime actors. It also highlights the long-term risk posed by such breaches. Organizations may not feel the full impact until long after the initial compromise, giving attackers time to explore the stolen data's value and potential uses.

Not an Isolated Threat

UNC6040 isn't operating in a vacuum. Its tactics overlap with other cybercrime groups, such as Scattered Spider, part of a loosely organized network known as The Com. These connections suggest that vishing has become a go-to method among financially motivated cybercriminals.

What's particularly notable is how these groups adapt traditional phishing techniques to modern workplace dynamics. With many companies relying on remote IT support and outsourced help desks, the presence of an unfamiliar voice on the phone no longer raises red flags. This normalization of remote interactions gives attackers more room to maneuver.

Why This Matters Now

Salesforce, aware of the growing threat, issued a warning in March 2025, alerting customers to these tactics. According to the company, there's no evidence of a vulnerability in its platform. Instead, the attacks hinge on exploiting individual users' lack of cybersecurity awareness. In all reported cases, attackers used social engineering—not technical exploits—to breach defenses.

This development underscores the shifting cybersecurity landscape. As technology platforms harden their systems, attackers are shifting focus to the softer targets: the people. Voice phishing blends old-school deception with modern tools, proving that even high-tech environments are vulnerable to low-tech manipulation.

How Organizations Can Respond

The rise of UNC6040 is a wake-up call for businesses of all sizes. While firewalls and antivirus tools remain essential, they cannot defend against a convincing phone call. Employee education is now a critical layer of defense. Organizations must train staff to recognize red flags, such as unexpected IT requests, unusual app authorizations, or pressure to act quickly.

Furthermore, technical safeguards—like app approval workflows, multi-factor authentication, and restricted access controls—can help contain the fallout if social engineering succeeds. Monitoring for unusual app activity and tightening integration permissions in platforms like Salesforce are now must-haves, not nice-to-haves.
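As an added example (not from the original article or from Salesforce), the monitoring described above can be sketched as a check over connected-app events: flag any authorization of an app that is not on the approved list, and escalate when that app exports a large number of records soon afterwards. The event fields, app identifiers and thresholds are assumptions constructed for illustration, and matching is done on the app identifier rather than the display name because a disguised tool can carry any name.

```python
from datetime import datetime, timedelta

# Constructed allowlist of approved connected-app identifiers (hypothetical values).
APPROVED_APP_IDS = {"app-001-dataloader", "app-002-sso"}

# Constructed sample events. Field names are hypothetical, not a Salesforce log schema.
SAMPLE_EVENTS = [
    {"time": "2025-06-02T09:14:00", "user": "alice", "type": "app_authorized",
     "app_id": "app-001-dataloader", "app_name": "Data Loader", "rows": 0},
    {"time": "2025-06-02T10:02:00", "user": "bob", "type": "app_authorized",
     "app_id": "app-999-unknown", "app_name": "My Ticket Portal", "rows": 0},
    {"time": "2025-06-02T10:09:00", "user": "bob", "type": "data_export",
     "app_id": "app-999-unknown", "app_name": "My Ticket Portal", "rows": 48000},
    {"time": "2025-06-02T11:30:00", "user": "alice", "type": "data_export",
     "app_id": "app-001-dataloader", "app_name": "Data Loader", "rows": 52000},
]

def review_events(events, approved_ids=APPROVED_APP_IDS,
                  window=timedelta(hours=24), row_limit=10000):
    """Return (finding, user, app_name, time) tuples for events that need triage."""
    findings = []
    recent_auth = {}  # (user, app_id) -> when the unapproved app was authorized
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["app_id"] in approved_ids:
            continue  # approved integrations are out of scope for this check
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"], ev["app_id"])
        detail = (ev["user"], ev["app_name"], ev["time"])
        if ev["type"] == "app_authorized":
            recent_auth[key] = when
            findings.append(("unapproved_app_authorized",) + detail)
        elif ev["type"] == "data_export" and ev["rows"] >= row_limit:
            authorized_at = recent_auth.get(key)
            if authorized_at is not None and when - authorized_at <= window:
                # Large export shortly after the user approved an unknown app.
                findings.append(("bulk_export_after_unapproved_auth",) + detail)
            else:
                findings.append(("bulk_export_by_unapproved_app",) + detail)
    return findings

if __name__ == "__main__":
    for finding in review_events(SAMPLE_EVENTS):
        print(finding)
```
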

Bottom Line

UNC6040 represents a growing class of cyber threats that prey on trust and human behavior rather than software flaws. Its campaigns remind us that cybersecurity is not just a technical challenge—it's a human one. As voice phishing tactics become more sophisticated, organizations must invest equally in awareness and technology to defend against them. The call might sound like help, but as UNC6040 has shown, it could be the start of something far more harmful.

June 5, 2025