4 March
In March 2026, Huntress (a cybersecurity research firm) disclosed a new attack pattern found in at least 5 organizations: hackers flood the target's inbox with thousands of spam emails, then follow up with a phone call posing as "IT Support" to "help fix the problem". In reality, they trick the victim into installing a Remote Access Tool that leads to data theft or Ransomware deployment.
What Is a Fake IT Support Attack?
A Fake IT Support Attack is a form of Social Engineering where hackers "create the problem first, then offer to solve it" — a psychological technique that builds trust and persuades victims to grant access to their computers, without ever suspecting they are under attack.
The 5 Stages of the Attack
| Stage | What the Hacker Does | Objective |
|---|---|---|
| Stage 1 | Spam Bomb — sends thousands of spam emails to the target | Create stress so the victim welcomes any help |
| Stage 2 | Phone call introducing themselves as the organization's IT Support | Build credibility using technical jargon to appear professional |
| Stage 3 | Request Remote Access via Teams, AnyDesk, or TeamViewer | Gain access to the victim's computer |
| Stage 4 | Install a C2 Framework (Havoc, Cobalt Strike) | Plant a backdoor for long-term control |
| Stage 5 | Steal data or deploy Ransomware for extortion | Access critical data or encrypt the entire system |
Why Is This Attack So Effective?
Why Fake IT Support attacks have a high success rate:
- Employees are stressed from the spam flood and willingly accept help from anyone
- Hackers sound exactly like real IT technicians — they use technical jargon and know the organization's system names
- They use legitimate channels (Microsoft Teams, phone calls) that are not blocked by firewalls
- No malware in the email — bypasses all antivirus since the emails are just spam with no malicious attachments
Traditional Phishing vs Fake IT Support
| Comparison | Traditional Phishing | Fake IT Support |
|---|---|---|
| Channel | Email with links/attachments | Phone + Teams + Email |
| Antivirus detection? | Partially detectable | Undetectable |
| Requires clicking a link? | Yes | No — victims install remote access themselves |
| Complexity level | Low to Medium | Very High |
| Outcome | Steal passwords/data | Full machine control + lateral movement across the network |
Impact on ERP Systems
If a hacker gains Remote Access to a machine running an ERP system, they can immediately access all critical data:
- Financial data — balance sheets, income/expenses, bank account numbers
- HR data — employee salaries, national ID numbers
- Customer data — risk of PDPA violations with fines up to 5 million baht
How to Protect Your Organization from Fake IT Support
- ☐ Establish official IT Support channels: use a ticket system only; do not provide support via unsolicited phone calls
- ☐ Never grant Remote Access to unsolicited callers: always verify identity through a separate channel
- ☐ Conduct Security Awareness training for employees: educate staff about new Social Engineering techniques
- ☐ Implement Multi-Factor Authentication (MFA): even if passwords are compromised, attackers cannot log in without the OTP
- ☐ Restrict software installation privileges: regular employees should not have admin rights on their machines
- ☐ Set up Email Filtering to block spam bombs: use rate limiting to detect high volumes of email in short periods
- ☐ Block unauthorized Remote Access Tools: only allow tools approved by the organization
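The last two checklist items can be combined into one detection: a per-recipient sliding-window count that flags a spam bomb, correlated with an unapproved remote access tool starting for the same user shortly afterwards. This is an added example, not code from the original article or from Huntress. The thresholds, the event tuple layout, the use of the mailbox address as the endpoint user name, and the allowlist contents are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# All thresholds below are assumptions to tune per environment.
WINDOW = timedelta(minutes=10)       # sliding window for the burst
THRESHOLD = 200                      # inbound messages per recipient per window
MIN_DOMAINS = 50                     # distinct sender domains (spam bombs are diverse)
FOLLOW_UP = timedelta(hours=4)       # how long to watch the user after a burst
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}
APPROVED_TOOLS = {"teamviewer.exe"}  # assumed organization allowlist

def find_spam_bombs(mail_events):
    """mail_events: (time, recipient, sender_domain). Returns {recipient: alert time}."""
    windows, alerts = defaultdict(deque), {}
    for ts, rcpt, domain in sorted(mail_events):
        q = windows[rcpt]
        q.append((ts, domain))
        while ts - q[0][0] > WINDOW:          # drop messages older than the window
            q.popleft()
        if (rcpt not in alerts and len(q) >= THRESHOLD
                and len({d for _, d in q}) >= MIN_DOMAINS):
            alerts[rcpt] = ts
    return alerts

def correlate(alerts, process_events):
    """process_events: (time, user, process). Flags unapproved remote access tools
    started by a bombed user within FOLLOW_UP of the alert."""
    unapproved = REMOTE_TOOLS - APPROVED_TOOLS
    hits = []
    for ts, user, proc in sorted(process_events):
        start = alerts.get(user)
        if start and proc.lower() in unapproved and timedelta(0) <= ts - start <= FOLLOW_UP:
            hits.append((user, proc, ts - start))
    return hits

def sample():
    """Constructed data: alice is bombed and then starts AnyDesk; bob is normal."""
    t0 = datetime(2026, 3, 4, 9, 0)
    mail = [(t0 + timedelta(seconds=2 * i), "alice@example.com", f"list{i % 80}.example")
            for i in range(300)]
    mail += [(t0 + timedelta(minutes=3 * i), "bob@example.com", "partner.example")
             for i in range(20)]
    procs = [(t0 + timedelta(minutes=45), "alice@example.com", "AnyDesk.exe"),
             (t0 + timedelta(minutes=50), "bob@example.com", "AnyDesk.exe")]
    return mail, procs

if __name__ == "__main__":
    mail, procs = sample()
    for user, proc, delay in correlate(find_spam_bombs(mail), procs):
        print(f"ALERT {user}: {proc} started {delay} after spam burst")
```

Requiring many distinct sender domains keeps a single noisy mailing list from triggering the alert, and the allowlist check means an approved tool launched during the follow-up window is not flagged.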
Social Engineering doesn't attack systems — it attacks people. The best defense is training and clear processes.
- Saeree ERP Development Team
References
- Huntress — Threat Research Blog
- SharkStriker — Top Ransomware Attacks 2026
- World Economic Forum — Cyber Threats 2026
If your organization wants to strengthen ERP security, you can schedule a Demo or contact our consulting team for a free consultation.


