The FBI issued a rare FLASH-level alert this week warning that a cybercrime gang called the Silent Ransom Group is calling businesses while posing as their own IT department, talking employees into handing over remote access to their Windows PCs, and walking off with sensitive files. When the phone trick fails, the group is now sending people to show up at offices in person, claim to be IT, and plug a USB drive into a workstation. There is no virus, no ransom screen, and no encryption — which is exactly what makes this so dangerous for small businesses and home users in York County.
What the FBI said
On May 26, 2026, the FBI issued FLASH-20260526-01, the second formal warning about SRG in twelve months and the first at FLASH severity, a classification reserved for active and ongoing threats requiring immediate attention.
The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using social engineering techniques. Through phone calls and phishing emails, SRG actors pose as IT support to establish access to victim computers and exfiltrate data, usually through legitimate remote access tools or by sending an individual in person to the victim company's location to gain physical access to computers.
SRG actors—active since at least 2022—conduct data theft and extortion operations without relying on traditional ransomware encryption. Unlike conventional ransomware actors, SRG actors typically seek rapid access to victim systems, immediate data exfiltration, and extortion through threats of public disclosure or sale of stolen data. The group has also hit companies in insurance, finance, and healthcare, though law firms remain its primary target.
How the scam actually works
The attack starts with a phone call or a phishing email. "As of Spring 2026, SRG actors use a social engineering scheme to pose as an employee from the victim's IT department. SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support," the FBI warned in a Tuesday flash alert. "While on the phone, the SRG actor directs the employee to grant access to a remote desktop session. If that attempt fails, SRG sends a threat actor to the victim's location to gain access to insert a storage device into the victim's computer."
The pretext is almost always the same — they tell the employee they need to "image the device or create a backup file" because of a phishing alert. Once the threat actor obtains access to the victim's device, they minimally escalate privileges and quickly pivot to data exfiltration without encryption. SRG actors use WinSCP (Windows Secure Copy) or a hidden or renamed version of "Rclone" to exfiltrate data. SRG actors also exfiltrate data to internal filesharing platforms such as Google Drive or Microsoft OneDrive.
These are legitimate, widely used file-transfer and remote-support tools rather than malware, which is why antivirus rarely catches the intrusion. If your machine is acting strange after a suspicious call, an honest malware and intrusion cleanup can confirm whether anything was left behind even when no traditional infection is present.
Why this is different — and harder to spot
What makes SRG's approach particularly difficult to defend against is what it does not do. The group deploys no ransomware, no encryption, no malware payloads. Desktops do not lock. There are no splash screens demanding payment. IT systems continue to function normally. The attack can be entirely invisible until a ransom email arrives threatening to post stolen data on SRG's publicly accessible clearnet leak site unless a payment is made.
The operative walks in, claims to be IT support, gains access to a workstation, and connects a USB drive or external hard drive. Data exfiltration follows immediately, using WinSCP or a disguised version of Rclone — both legitimate file-transfer utilities that most antivirus tools will not flag as malicious. The FBI notes that SRG typically escalates privileges minimally; the goal is speed, not depth: get in, get data, get out.
The damage has been real. The gang has already had data from more than 38 firms published on its public leak site, and researchers say the total attack count exceeds 100 — with activity surging sharply in early 2026.
What the FBI tells businesses to do
The FBI's recommendations in the FLASH alert are straightforward:
- Verify the credentials of all individuals accessing company spaces, including obtaining copies of each visitor's ID cards.
- Limit access to sensitive data from less secure networks, such as home or public internet.
- Conduct staff training on identifying, resisting, and reporting phishing attempts.
- Maintain regular backups of company data.
- Require phishing-resistant multi-factor authentication (MFA) for as many services as possible.
- Develop and communicate policies regarding when and how IT support will communicate and authenticate themselves to employees.
Watch for warning signs on your network too: unexpected installs of Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera; unauthorized external hard drives or USB drives connected to company computers; data leaving for Microsoft OneDrive, Google Drive, or external servers; and WinSCP or Rclone connections to an external IP address.
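As an added example (not part of the FBI alert or this article's sources), the read-only PowerShell triage below checks a single Windows workstation for the warning signs just listed: installed remote-support tools, running WinSCP/Rclone processes (including a renamed Rclone whose file version metadata was left intact), established connections from those processes to non-private addresses, and the USB storage history Windows keeps in the registry. The tool-name pattern is an assumption drawn from the names in the alert; run it in an elevated PowerShell session.

```powershell
# Added triage script: read-only checks for the SRG indicators named in the alert.
# Assumption: matching is by tool name only; a fully stripped or rebuilt binary will not match.
$RemoteTools = 'Quick Assist|AnyDesk|RustDesk|Syncro|Splashtop|Atera|WinSCP|rclone'

function Test-PrivateIP {
    # $true for loopback, link-local and RFC 1918 ranges; anything else counts as external.
    param([string]$Ip)
    return $Ip -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|::1$|fe80:)'
}

function Get-SuspectInstalls {
    # Installed programs (64-bit, 32-bit and per-user registry views) plus the Quick Assist Store app.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $RemoteTools } |
        Select-Object DisplayName, InstallDate, InstallLocation
    Get-AppxPackage -Name '*QuickAssist*' -ErrorAction SilentlyContinue |
        Select-Object @{n='DisplayName';e={$_.Name}}, @{n='InstallLocation';e={$_.InstallLocation}}
}

function Get-SuspectProcesses {
    # Running processes whose image name OR version resource names a listed tool.
    Get-Process | Where-Object { $_.Path } | Where-Object {
        $vi = (Get-Item $_.Path -ErrorAction SilentlyContinue).VersionInfo
        ($_.Name + $vi.OriginalFilename + $vi.ProductName) -match $RemoteTools
    } | Select-Object Id, Name, Path
}

function Get-ExternalConnections {
    # Established TCP connections owned by a suspect process and going to a non-private address.
    $ids = @(Get-SuspectProcesses | ForEach-Object { $_.Id })
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $ids -contains $_.OwningProcess -and -not (Test-PrivateIP $_.RemoteAddress) } |
        Select-Object OwningProcess, RemoteAddress, RemotePort
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device this machine has enumerated, from the USBSTOR registry key.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.FriendlyName } | Select-Object FriendlyName, PSChildName
}

'== Suspect installs ==';     Get-SuspectInstalls     | Format-Table -AutoSize
'== Suspect processes ==';    Get-SuspectProcesses    | Format-Table -AutoSize
'== External connections =='; Get-ExternalConnections | Format-Table -AutoSize
'== USB storage history ==';  Get-UsbStorageHistory   | Format-Table -AutoSize
```

An empty result is not proof of a clean machine; a device enumerated in USBSTOR or a connection that has already closed may only show up in event logs or a full forensic review.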
If a workstation in your office has been touched by a stranger claiming to be IT, the safest move is to disconnect it from the network and have it checked. Our shop can audit a suspect PC, review what tools were installed, and help determine whether files were copied off — and restore the machine to a clean state.
What this means for York, PA
York County small businesses — especially law offices, medical practices, accountants, and insurance agencies — are exactly the kind of targets SRG looks for. If anyone calls your staff claiming to be "IT support" and asks them to install remote access software, hang up and call York Computer Repair at 717-739-9675 before touching the keyboard.
Sources
- FBI FLASH-20260526-01: Silent Ransom Group Impersonating IT Personnel through Social Engineering
- FBI warns of in-person data theft attacks from extortion gang (BleepingComputer)
- Hackers are knocking on office doors pretending to be IT staff (Help Net Security)
- Silent Ransom Group Sends Operatives Into Law Firm Offices (TechTimes)
- Silent Ransom Group Uses In-Person IT Impersonation to Breach Systems (Infosecurity Magazine)