What to look out for today
Be alert for fake “support” messages sent by SMS or in-app chat that claim there’s an issue with your messaging account (e.g., security alert, locked account, urgent verification) and ask you to log in, scan a QR code, or share a one-time code.
Why this matters to smaller businesses
Messaging accounts are often used for day-to-day operations (supplier conversations, staff coordination, customer queries). If an attacker gets into an individual’s account, they can impersonate them to:
- request urgent payments or bank detail changes,
- extract invoices, personal data, or client details from chat history,
- pivot into other systems by persuading colleagues to share links/codes,
- cause disruption by locking the real user out.
Warning signs
- Messages claiming to be from “support”, “security”, or “admin” with urgency (“within 30 minutes”, “final warning”).
- Requests to share an MFA/verification code, or approve a login you didn’t start.
- Links that don’t look like your usual sign-in domain, shortened links, or unusual QR codes.
- Colleagues receiving unexpected “new number / new device” messages from someone they know.
- Sudden loss of access to a messaging account, new devices/sessions you don’t recognise, or messages marked as read/sent that you didn’t send.
How attackers may exploit the situation
- Impersonation: pretending to be the victim to authorise payments, obtain gift cards, or change supplier bank details.
- Trust chaining: using one compromised account to target others in the same organisation (“Can you confirm this code quickly?”).
- Data harvesting: searching chat history for invoices, credentials, customer details, or internal processes.
- Account takeover: using stolen credentials and captured codes to add a new device/session and retain access.
What to do today
- Send a short staff warning: “Support will never ask for your verification code. Don’t click login links from texts/chats. If in doubt, phone the office/IT using a known number.”
- Check account recovery settings on key messaging accounts (finance, shared mailboxes, operations leads): ensure recovery email/phone is correct and controlled.
- Enable/confirm MFA and review any active sessions/devices; remove anything unfamiliar.
- Agree a payment-change process: bank detail changes and urgent payments must be verified out-of-band (call a known contact, not a number in the message).
- Make it easy to report: a single internal email/Teams/IT ticket route for “possible account takeover/phish”.
Ask your IT provider
- Do we have a documented process for messaging account takeover response (session revoke, recovery, user comms, evidence capture)?
- Can we audit sign-ins/sessions for our core accounts and alert on new device logins?
- For finance and leadership users, can we apply stronger sign-in controls (conditional access, device requirements, phishing-resistant MFA where available)?
- Do we have a clear, enforced out-of-band verification workflow for payment requests and supplier bank changes?
Patch watch - only one short paragraph, and only if relevant
No patch-driven action is the priority today. This is primarily a social engineering and account security issue: focus on staff awareness, MFA hygiene, and reviewing active sessions/devices for messaging and email accounts.
One action today
Send a same-day staff note: “Never share verification codes or approve login prompts you didn’t start; report any ‘support’ texts immediately.”
Related Actions On Cyber resource
Actions On Cyber checklist CTA: “Payment change & invoice fraud verification checklist (call-back procedure)”
Sources
- Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.