Google Alert: These Incoming Calls Could Compromise Your Phone—Ignore Them to Stay Safe
By: Javid Amin | June 10, 2025
Google and the FBI have issued urgent warnings about a sophisticated phone scam targeting both Android and iPhone users. This emerging threat, orchestrated by a cybercriminal group known as UNC6040, is part of a rising trend in vishing attacks—where hackers use fake voice calls to manipulate victims into compromising their devices.
What’s Happening?
According to Google’s Threat Intelligence Group, UNC6040 doesn’t break into your phone using malware or brute force. Instead, they pretend to be trusted IT personnel, convincing users—often employees of large organizations—to download fake apps and grant access voluntarily.
“This is a form of social engineering at its most dangerous,” Google warns. “Once you install the malicious app, your entire system could be compromised.”
One of the common disguises? A fake version of Salesforce’s “Data Loader” tool, used by UNC6040 to infiltrate company systems and cloud services.
Who Is at Risk?
Everyone with a smartphone is vulnerable, whether you use an Android or an iPhone. The attackers aren’t discriminating—they’re targeting organizations in sectors such as:
- Hospitality
- Retail
- Education
With operations reported across the U.S. and Europe, the impact is widespread and ongoing.
What Is Vishing?
Vishing, or voice phishing, is when attackers call a victim and impersonate someone credible, such as company IT support. Their goal is to manipulate you into:
- Sharing credentials (like your Okta login)
- Downloading fake software
- Allowing remote access to your device or systems
These calls may sound convincing and professional. But falling for them could mean handing over access to sensitive data, leading to further breaches, identity theft, or financial loss.
The Bigger Picture: UNC6040 and ‘The Com’
Google’s analysis suggests UNC6040 may be loosely connected to another cybercrime group known as The Com—a Telegram and Discord-based collective known for:
- Trading hacking methods
- Sharing stolen credentials
- Targeting English-speaking employees at global firms
Although it’s unclear whether the groups are formally allied, their methods are strikingly similar, involving a mix of vishing, smishing (SMS phishing), and spear phishing.
FBI Issues Separate Warning
The Federal Bureau of Investigation (FBI) has also flagged a related scam active since April 2025. In this version, hackers use AI-generated voice messages and texts claiming to be from senior U.S. officials. These messages direct victims to malware-laden websites or phishing platforms.
FBI field offices including Cleveland and Nashville, along with the New York State Police, have all shared alerts on X (formerly Twitter) and other platforms to warn the public.
Google’s Top Security Tips
To avoid falling victim to these sophisticated scams, Google recommends a proactive security strategy—especially for businesses:
Key Tips:
- Use Least Privilege Access
  Only give employees access to the systems and tools they absolutely need.
- Control App Access Strictly
  Audit connected applications frequently.
- Use IP-Based Access Restrictions
  Limit system access based on trusted networks only.
- Deploy Salesforce Shield (if applicable)
  Monitor for unusual behavior across Salesforce environments.
- Enable Multi-Factor Authentication (MFA)
  Mandatory for all systems and logins—personal and professional.
- Don’t Trust Unsolicited Calls
  If someone claims to be from your IT department or tech support, hang up and call your verified company number directly.
Frequently Asked Questions (FAQs)
Q1. What is vishing in phone scams?
Vishing is a type of phishing that involves voice calls. Scammers impersonate trusted sources to manipulate victims into revealing sensitive information or installing malicious software.
Q2. Can iPhones also be compromised through vishing?
Yes. Both iOS and Android devices can be targeted, as these attacks rely on human manipulation, not technical vulnerabilities.
Final Advice: Don’t Let Your Voice Be Your Vulnerability
These scams are not going away any time soon. As attackers continue to evolve and exploit trust, it’s crucial to stay alert, educate employees, and implement strict cybersecurity policies.
If you get a call that feels urgent, suspicious, or unexpected—don’t engage. Hang up. Verify. Report.