Beware the UNC6040 smartphone threat.
Update, June 8, 2025: This story, originally published on June 6, has been updated with further warnings from the FBI regarding dangerous phone calls, as well as additional information from the Google Threat Intelligence Group report potentially linking the UNC6040 threat campaign to an infamous cybercrime collective known as The Com.
Google’s Threat Intelligence Group has issued a new warning about a dangerous cyberattack group known only as UNC6040, which is succeeding in stealing data, including your credentials, by getting victims to answer a call on their smartphone. There are no vulnerabilities to exploit, unless you include yourself: these attackers “abuse end-user trust,” a Google spokesperson said, adding that the UNC6040 campaign “began months ago and remains active.” Here’s what you need to know and do. TL;DR: Don’t answer that call, and if you do, don’t act upon it.
Google’s Threat Intelligence Group Issues UNC6040 Smartphone Attack Warning
If you still need me to warn you about the growing threat from AI-powered cyberattacks, particularly those involving calls to your smartphone — regardless of whether it’s an Android or iPhone — then you really haven’t been paying attention. It’s this lack of attention, on the broadest global cross-industry scale, that has left attackers emboldened and allowed the “vishing” threat to evolve and become ever-increasingly more dangerous.
If you won’t listen to me, perhaps you’ll take notice of the cybersecurity and hacking experts who form the Google Threat Intelligence Group. A June 4 posting by GTIG, which has a motto of providing visibility and context on the threats that matter most, has detailed how it’s been tracking a threat group known only as UNC6040. This group is financially motivated and very dangerous indeed. “UNC6040’s operators impersonate IT support via phone,” the GTIG report stated, “tricking employees into installing modified (not authorized by Salesforce) Salesforce connected apps, often Data Loader variants.” The payload? Access to sensitive data and onward lateral movement to other cloud services beyond the original intrusion for the UNC67040 hackers.
Google’s threat intelligence analysts have designated UNC6040 as opportunistic attackers, and the broad spectrum of that opportunity has been seen across hospitality, retail and education in the U.S. and Europe. One thought is that the original attackers are working in conjunction with a second group that acts to monetize the infiltrated networks and stolen data, as the extortion itself often doesn’t start for some months following the initial intrusion itself.
Google Links UNC640 To The Com
The Google Threat Intelligence Group report has linked the activity of the UNC640 attack group, specifically through shared infrastructure characteristics, with a cybercrime collective known as The Com.
The highly respected investigative cybersecurity journalist, Brian Krebs, has described The Com as being a “distributed cybercriminal social network that facilitates instant collaboration.” This social network exists within Telegram and Discord servers that are home to any number of financially motivated cybercrime actors. Although it is generally agreed that The Com is something of a boasting platform, where criminal hackers go to boost their exploit kudos while also devaluing the cybercrime activities of others, its own value as a resource for threat actors looking to find collaborative opportunities with like-minded individuals should not be underestimated.
“We’ve also observed overlapping tactics, techniques, and procedures,” Google’s TIG researchers said with regard to The Com and UNC6040, “including social engineering via IT support, the targeting of Okta credentials, and an initial focus on English-speaking users at multinational companies.” However, the GTIG report admits that it is also quite possible these overlaps are simply a matter of associated threat actors who all boast within the same online criminal communities, rather than being evidence of “a direct operational relationship” between them.
The FBI Issues Smartphone Calls Alert In Addition To Google Warning
The Federal Bureau of Investigation has now also joined the chorus of security experts and agencies warning the public about the dangers of answering smartphone calls and messages from specific threat groups and campaigns.
Public cybersecurity advisory I-051525-PSA has warned that the FBI has observed a threat campaign, ongoing since April 2025, that uses malicious text and voice messages impersonating senior U.S. officials, including those in federal and state government roles, to gain access to personal information and ultimately valuable online accounts.
As with the latest Google Threat Intelligence Group warning, these attacks are based around the fishing tactic of using AI-generated voice messages along with carefully crafted text messages, known as smishing, as a method of engendering trust and, as the FBI described it, establishing rapport with the victim. “Traditionally, malicious actors have leveraged smishing, vishing, and spear phishing to transition to a secondary messaging platform,” the FBI warned, “where the actor may present malware or introduce hyperlinks that direct intended targets to an actor-controlled site that steals log-in information, like usernames and passwords.”
The latest warnings regarding this scam call campaign have appeared on social media platforms such as X, formerly known as Twitter, from the likes of the FBI Cleveland and FBI Nashville, as well as on law enforcement websites, including the New York State Police. The message remains the same: the FBI won’t call you demanding money or access to online accounts, and the New York State Police won’t call you demanding sensitive information or threatening you with arrest over the phone.
“Malicious actors are more frequently exploiting AI-generated audio to impersonate well-known, public figures or personal relations to increase the believability of their schemes,” the FBI advisory warned.
The FBI has recommended that all smartphone users, whether they iPhone or Android devices, must seek to verify the true identity of the caller or sender of a text message before responding in any way. “Research the originating number, organization, and/or person purporting to contact you,” the FBI said, “then independently identify a phone number for the person and call to verify their authenticity.”
Google’s UNC6040 Attack Mitigation Recommendations
To mitigate the UNC6040 attack risk, GITG said that organisations should consider the following steps:
- Adhere to the Principle of Least Privilege.
- Manage access to connected applications rigorously.
- Enforce IP-based access restrictions.
- Leverage advanced security monitoring and policy enforcement with Salesforce Shield.
- Enforce multi-factor authentication everywhere.
And, of course, as Google has advised in previous scam warnings, don’t answer those phone calls from unknown sources. If you do, and it’s someone claiming to be an IT support person, follow the FBI advice to hang up and use the established methods within your organization to contact them for verification.
Source: https://www.forbes.com/sites/daveywinder/2025/06/08/never-answer-these-calls-on-your-smartphone-google-warns/
