Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Fake “support” texts stealing messaging logins: what to warn staff about today

What small and medium-sized businesses should look out for today.

High Sunday 28 June 2026, 11:08 UK time
Today’s look-out: Impersonated support messages and MFA-code harvesting targeting messaging accounts

What to look out for today

Be alert for fake “support” messages sent by SMS or in-app chat that claim there’s an issue with your messaging account (e.g., security alert, locked account, urgent verification) and ask you to log in, scan a QR code, or share a one-time code.

Why this matters to smaller businesses

Messaging accounts are often used for day-to-day operations (supplier conversations, staff coordination, customer queries). If an attacker gets into an individual’s account, they can impersonate them to:

  • request urgent payments or bank detail changes,
  • extract invoices, personal data, or client details from chat history,
  • pivot into other systems by persuading colleagues to share links/codes,
  • cause disruption by locking the real user out.

Warning signs

  • Messages claiming to be from “support”, “security”, or “admin” with urgency (“within 30 minutes”, “final warning”).
  • Requests to share an MFA/verification code, or approve a login you didn’t start.
  • Links that don’t look like your usual sign-in domain, shortened links, or unusual QR codes.
  • Colleagues receiving unexpected “new number / new device” messages from someone they know.
  • Sudden loss of access to a messaging account, new devices/sessions you don’t recognise, or messages marked as read/sent that you didn’t send.

How attackers may exploit the situation

  • Impersonation: pretending to be the victim to authorise payments, obtain gift cards, or change supplier bank details.
  • Trust chaining: using one compromised account to target others in the same organisation (“Can you confirm this code quickly?”).
  • Data harvesting: searching chat history for invoices, credentials, customer details, or internal processes.
  • Account takeover: using stolen credentials and captured codes to add a new device/session and retain access.

What to do today

  • Send a short staff warning: “Support will never ask for your verification code. Don’t click login links from texts/chats. If in doubt, phone the office/IT using a known number.”
  • Check account recovery settings on key messaging accounts (finance, shared mailboxes, operations leads): ensure recovery email/phone is correct and controlled.
  • Enable/confirm MFA and review any active sessions/devices; remove anything unfamiliar.
  • Agree a payment-change process: bank detail changes and urgent payments must be verified out-of-band (call a known contact, not a number in the message).
  • Make it easy to report: a single internal email/Teams/IT ticket route for “possible account takeover/phish”.

Ask your IT provider

  • Do we have a documented process for messaging account takeover response (session revoke, recovery, user comms, evidence capture)?
  • Can we audit sign-ins/sessions for our core accounts and alert on new device logins?
  • For finance and leadership users, can we apply stronger sign-in controls (conditional access, device requirements, phishing-resistant MFA where available)?
  • Do we have a clear, enforced out-of-band verification workflow for payment requests and supplier bank changes?

Patch watch - only one short paragraph, and only if relevant

No patch-driven action is the priority today. This is primarily a social engineering and account security issue: focus on staff awareness, MFA hygiene, and reviewing active sessions/devices for messaging and email accounts.

One action today

Send a same-day staff note: “Never share verification codes or approve login prompts you didn’t start; report any ‘support’ texts immediately.”

Related Actions On Cyber resource

Actions On Cyber checklist CTA: “Payment change & invoice fraud verification checklist (call-back procedure)”

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.