Southwest Networks - Managed IT Services & Cybersecurity

When "IT Support" Shows Up — And It's Actually a Criminal

By Matt Disher

The FBI issued a formal advisory on May 26, 2026, warning that the Silent Ransom Group is actively targeting U.S. businesses — including law firms — using fake IT support calls and even in-person office visits to steal confidential data and extort victims for up to $20 million. If someone contacts your front desk claiming to be IT support and needing access right now, that call may be the moment everything goes wrong.

The Moment That Changes Everything

Picture the scene: it’s a Tuesday morning, your receptionist picks up the phone, and someone says they’re from IT support — there’s a problem with the server and they need remote access immediately. What happens next?

Matt Disher, president of Southwest Networks and a CISSP- and HCISPP-certified cybersecurity expert, said the real issue is psychological, not technical.

“The receptionist is thinking something is broke — I better get it fixed right away,” Matt explained. “But hopefully she slows down and thinks about it for a second and asks more questions before just blindly acting on the request.”

That moment of hesitation — or the lack of it — is the entire ballgame. The Silent Ransom Group is counting on urgency overriding judgment. They’re counting on your staff wanting to be helpful. They’re counting on the assumption that nobody would actually impersonate IT support in real life.

They’re wrong on every count.

This Isn’t Just a Law Firm Problem

The FBI advisory specifically called out law firms, and the headlines followed. But Matt’s read on this is that professional services firms of all kinds face the same level of risk.

“Same risk level,” Matt told our team. “They know those industries are rich with personal information that can be used to impersonate and steal — as well as billing data which could lead to money lost.”

CPA firms hold tax returns, Social Security numbers, business financial records, and payroll data. Medical practices hold health records protected under HIPAA. Both represent exactly the kind of confidential, high-value data that makes a ransom demand credible — and makes victims more likely to pay. The HHS breach portal is full of incidents that started far more mundanely than a $20 million extortion scheme, yet ended with practices facing regulatory scrutiny and reputation damage.

Law firms got the headline. But if you’re running a five-person CPA practice or a small medical office, don’t read that FBI advisory and think it doesn’t apply to you.

The Physical Threat Nobody’s Prepared For

Here’s the detail that most small business owners completely missed in the news coverage: the Silent Ransom Group isn’t just calling. They’re showing up.

According to the FBI advisory, SRG has been sending operators into corporate offices — physically — while posing as IT technicians. The goal is to plug in a storage device and manually pull data off systems while standing in your server room or at an unattended workstation.

Most business owners think their cybersecurity risk lives in their inbox. Phishing emails, suspicious links, ransomware attachments. And yes, those are real. But in Matt’s view, this tactic exposes a much bigger blind spot.

“It says the risk is always changing — which is something we have been telling our clients for years. Every time we find a way to slow down or stop an attack, they adapt and change things up.” — Matt Disher, CISSP, HCISPP

This is not a theoretical concern. The Verizon Data Breach Investigations Report consistently shows that social engineering — manipulating people, not hacking systems — is one of the leading causes of breaches. You can have great email filtering and still have someone walk through your front door.

The asymmetry here is worth sitting with. According to Matt, the detail buried in this story that actually keeps him up at night is this: “Hackers only have to be right once, and we as business owners have to be perfect 100% of the time.”

The mentality of “it’s never happened to me before” or “I’m too small for a hacker to attack me” is — in Matt’s words — completely false and dangerous.


FAQ

Could this really happen to my small business, not just big law firms?

Yes. The Silent Ransom Group targets businesses based on the value of the data they hold, not the size of the company. CPA firms, medical practices, financial advisors, and any professional services firm with sensitive client records are attractive targets. The FBI advisory focused on law firms, but the attack pattern applies broadly.

How would I know if someone calling my front desk isn’t actually from IT support?

Your legitimate IT support provider will never call out of the blue demanding immediate remote access. Microsoft, Google, and major vendors will NEVER cold-call your business asking for access to your systems — that’s a scam, full stop. If a call feels urgent and pressured, that urgency is a red flag, not a reason to comply faster.

What if someone actually shows up at our office claiming to be a technician?

Stop them before they touch anything. Ask for identification, then independently verify their identity by calling the company they claim to represent — using a phone number from your own records, not one they provide. Do not accept contact information from the person standing in front of you.

Is there a low-cost way to protect my business from this kind of attack?

Yes. Establish a verification protocol with your IT provider — a support PIN or code phrase that only your staff and your IT company know. Anyone who can’t provide it doesn’t get access, full stop. It costs nothing to set up and creates a hard stop against impersonation.

What should I do if I think my staff already responded to one of these calls?

Call your IT provider immediately. According to Matt, the first step is to find out whether anything was shared — credentials, access to a website, a link that was clicked — so you can assess the exposure. Don’t wait to see if something bad happens. The faster you move, the more options you have.


What To Do This Week

This doesn’t have to be complicated. Here’s what I’d tell any client to put in place right now:

First, establish a verification policy. If someone calls claiming to be IT support — from any company, including ours — your staff should slow down. Ask for a name. Ask for a callback number. Then call your IT provider using the number already in your records, not the one the caller gave you.

Second, set up a support PIN. Work with your IT provider to establish a shared code word or PIN that gets exchanged on any support call. If the caller doesn’t know it, the call ends.

Third, train your front desk on physical access. Anyone who shows up claiming to be a technician needs to show ID and be verified before they touch a single device. “They said they’re from IT” is not verification.

Fourth, brief your whole team — not just the receptionist. The most dangerous assumption in cybersecurity is that an attack will look like what you expect. These attackers are polished, professional, and convincing. Your entire staff should know: if something feels off, stop and verify before you act.

If you’re not sure whether your business has the right policies in place to stop this kind of social engineering attack, let’s talk through it. Book a free discovery call at swnet.com/discoverycall — no pressure, just a straight conversation about where your gaps are and what it would actually take to close them.
