Salesforce data breaches are rising because of voice phishing (vishing), putting business data at risk. In this post, we’ll outline cybersecurity policies for SMB and show how small businesses can stay safe using Google Workspace SSO, MFA, the Advanced Protection Program, and a solid cybersecurity framework. We’ll also explain what vishing is and what happened at Qantas, Google, Adidas and other large companies.
What Happened: Salesforce Vishing Data Breaches
Voice Phishing Targets Major Companies
In a widespread campaign, employees at Google, Adidas, and other companies received phone calls from attackers posing as IT support. They were talked into authorizing a malicious version of the Salesforce Data Loader OAuth app, often renamed to something innocuous like “My Ticket Portal”, by entering an 8‑digit code on Salesforce’s connected-app setup page. Once the app was authorized, the attackers could export CRM data in bulk and even move into Microsoft 365 and other systems.
Google later confirmed its internal Salesforce instance used to store contact info and notes for SMB customers was breached by ShinyHunters (tracked as UNC6040) using vishing. The attackers accessed data for a brief window before being shut out.
A Broader Attack Wave
This vishing campaign also targeted Qantas, Allianz Life, LVMH (including Louis Vuitton, Dior, Tiffany), Pandora, Cisco, and more.
Vishing vs. Phishing: What’s the Difference?
Phishing typically uses deceptive emails or messages to lure users into handing over credentials or clicking links.
Vishing, on the other hand, is voice-based: attackers call, impersonate a trusted role (such as IT support), and talk staff into reading out codes or installing apps.
This is the same strategy used in the recent Qantas breach, where attackers obtained about 6 million customer records through a Manila-based call centre using vishing. Personal data such as names, email addresses, birthdates and frequent flyer numbers was accessed, but no financial data.
How to Stay Safe from Salesforce Vishing Scams
1. Enforce Google Workspace SSO with MFA
- Use Google Workspace single sign-on (SSO) to consolidate login control.
- Enforce Multi-Factor Authentication (MFA) for every access point.
- Consider enrolling accounts in Google’s Advanced Protection Program (APP). To date, no enrolled accounts have been compromised. APP requires a physical security key to sign in and blocks third-party apps from accessing your Google account data unless they are on Google’s verified list. Keep in mind that APP protects the Google account itself; the malicious Data Loader app in these attacks was authorized inside Salesforce, so the Salesforce-side controls in the next section are just as important.
2. Minimize Attack Surface
- Audit and restrict Salesforce access: only employees who need it should have it.
- Disable self‑authorized connected apps in Salesforce so that only an admin can approve a new OAuth app, especially in CRM environments.
- Monitor new OAuth app authorizations and CRM logs (logins, API calls and bulk exports) for suspicious activity.
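The following Python script is an added example, not code from this post or from Salesforce, showing what the monitoring in this section can look like in practice. It replays a constructed, simplified log (the field names, event types and thresholds are assumptions for the example, not Salesforce’s real log schema) and raises an alert when a user self-authorizes a connected app that is not on the admin’s allowlist, or when a bulk export follows a new app authorization within an hour. That second rule is the pattern from the campaign described above: a fake Data Loader is authorized, then CRM data is pulled out in bulk.

```python
"""Added example: flag the vishing pattern described above, a newly authorized
OAuth connected app followed by a bulk CRM export from the same user.
The log format, field names and thresholds are assumptions for this example,
not Salesforce's real log schema."""
import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=60)              # an export this soon after a new app is suspicious
ROW_THRESHOLD = 50_000                      # a single export this large is worth a look regardless
APPROVED_APPS = {"Salesforce Data Loader"}  # assumed admin allowlist; app names are attacker-chosen

# Constructed sample events (not real data): alice authorizes a renamed Data Loader
# and exports Contacts minutes later; dave authorizes an app with the legitimate
# name but still exports a large set right away; bob and carol are benign.
SAMPLE_LOG = """\
2025-08-05T09:12:03Z user=alice@example.com event=OAUTH_APP_AUTHORIZED app="My Ticket Portal" client_ip=203.0.113.7
2025-08-05T09:14:41Z user=alice@example.com event=BULK_QUERY object=Contact rows=182000 client_ip=203.0.113.7
2025-08-05T10:02:10Z user=bob@example.com event=OAUTH_APP_AUTHORIZED app="Salesforce Data Loader" client_ip=198.51.100.20
2025-08-05T11:00:00Z user=carol@example.com event=LOGIN client_ip=192.0.2.5
2025-08-05T13:05:00Z user=dave@example.com event=OAUTH_APP_AUTHORIZED app="Salesforce Data Loader" client_ip=203.0.113.9
2025-08-05T13:16:30Z user=dave@example.com event=BULK_QUERY object=Lead rows=96000 client_ip=203.0.113.9
2025-08-06T15:30:00Z user=bob@example.com event=BULK_QUERY object=Account rows=4200 client_ip=198.51.100.20
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    fields: dict = field(default_factory=dict)


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse 'timestamp key=value ...'; shlex keeps quoted app names intact."""
    ts_str, *pairs = shlex.split(line)
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, fields.pop("user"), fields.pop("event"), fields)


def parse_log(text: str) -> list[Event]:
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e.ts)  # exported logs are not always in order


def detect(events: list[Event]) -> list[Alert]:
    alerts: list[Alert] = []
    last_auth: dict[str, tuple[datetime, str]] = {}  # user -> (when, app name)
    for e in events:
        if e.kind == "OAUTH_APP_AUTHORIZED":
            app = e.fields.get("app", "<unknown>")
            last_auth[e.user] = (e.ts, app)
            if app not in APPROVED_APPS:
                alerts.append(Alert("unapproved_connected_app", e.user,
                                    f"{app!r} self-authorized from {e.fields.get('client_ip')}"))
        elif e.kind == "BULK_QUERY":
            rows = int(e.fields.get("rows", "0"))
            auth = last_auth.get(e.user)
            if auth and e.ts - auth[0] <= WINDOW:
                mins = int((e.ts - auth[0]).total_seconds() // 60)
                alerts.append(Alert("export_after_new_app", e.user,
                                    f"{rows} {e.fields.get('object')} rows {mins} min after authorizing {auth[1]!r}"))
            elif rows >= ROW_THRESHOLD:
                alerts.append(Alert("large_export", e.user,
                                    f"{rows} {e.fields.get('object')} rows"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Two things worth noticing in the output. The allowlist rule on its own misses dave, because the attackers in this campaign used the real Data Loader name (or a harmless-sounding one), so an app name is never a trustworthy signal. The behavioural rule, a bulk export shortly after a fresh authorization, catches both alice and dave. In a real deployment you would feed the script from your Salesforce login, setup-audit and API logs rather than a constructed sample, and have admin approval of connected apps (the previous bullet) switched on so that the first rule rarely fires at all.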
3. Train Staff Regularly
- Conduct frequent cyber awareness training. Teach teams to recognize and verify unusual calls.
- Run phishing simulations, including vishing scenarios.
- Emphasize policies: employees should verify identity before granting access.
4. Adopt a Cybersecurity Framework
Small businesses should follow a structured cybersecurity framework such as SMB1001, which lays out clear, practical steps for securing operations. Learn more here: SMB1001 certification
Create and enforce clear, written cybersecurity policies for your SMB.
Recommended Cyber Security Posture Overview
| Best Practice | Why It Matters |
| --- | --- |
| SSO + MFA + Advanced Protection | Hardens sign-in; blocks app-based attacks |
| Least-privilege access | Limits potential entry points |
| App installation monitoring | Enables early detection of rogue apps |
| Regular training + simulations | Builds a security-aware workforce |
| Cybersecurity framework | Ensures consistent policy and compliance |
Conclusion
Protecting your business from vishing-led Salesforce breaches starts with strong internal policies and layered defenses. By enforcing Google Workspace SSO with MFA, enrolling in the Advanced Protection Program, following the cybersecurity policies for SMB above, and investing in awareness training and frameworks like SMB1001, you can dramatically reduce your risk.
Take action now:
- Review your Salesforce access controls.
- Ensure all users sign in through SSO with MFA, and consider APP.
- Train staff to spot vishing.
- Build cybersecurity policies and get started on the SMB1001 framework.
We invite you to reach out to us for a complimentary discussion about your current environment. We’ll review your setup, identify risks, and provide tailored recommendations on the steps you may wish to take to strengthen your cybersecurity posture.
Stay vigilant. Stay protected.
Frequently Asked Questions (FAQ)
Q: What is vishing in cybersecurity?
A: Vishing (voice phishing) uses phone calls to trick users into revealing information or installing malicious apps. It’s like phishing, but via the phone.
Q: Why use Google Workspace SSO and MFA?
A: They secure user access and reduce risk of unauthorized entry, especially in coordinated vishing attacks.
Q: What makes Google’s Advanced Protection Program special?
A: It uses physical security keys, blocks third-party apps by default, and is the strongest protection Google offers; so far, no enrolled accounts have been compromised.
Q: What is the SMB1001 framework?
A: SMB1001 is a practical cybersecurity certification and framework tailored for small to medium businesses to help build and maintain strong policies.