
THE NEW CYBER THREAT — FAKE INFORMATION TECHNOLOGY STAFF AND REAL CONSEQUENCES

When the hacker shows up at the front door

David Scott

Recent guidance from the FBI highlights a growing and highly targeted threat to U.S. law firms from the so-called “Silent Ransom Group” (SRG), which relies heavily on social engineering rather than traditional ransomware techniques. These actors impersonate IT personnel through phone calls, phishing emails, and, in some cases, in-person visits to gain access to firm systems and sensitive data.

Unlike conventional ransomware actors, SRG typically avoids system encryption and instead focuses on rapid data exfiltration followed by extortion, threatening public release of sensitive information or direct outreach to clients.

From an EY (Ernst & Young) perspective, this type of threat reflects a broader shift in the risk landscape in which attackers are increasingly blending cyber intrusion with human manipulation and physical access. As a result, traditional security models that focus primarily on technical controls may not fully address the ways in which adversaries are gaining entry.

The FBI advisory highlights a few areas where law firms may want to take a closer look at their current practices:

  • Verifying identity isn’t optional: In many of these cases, employees are approached directly and asked to trust someone claiming to be from IT. Firms should make it easy (and expected) for staff to pause and verify who they are dealing with, even if the request seems urgent or routine.
  • Physical access can quickly become a cyber issue: Some of the reported tactics involve in-person interactions, including attempts to access workstations or introduce external devices. This reinforces that physical security and cybersecurity are tightly linked and should be managed together.
  • “Normal” tools can still pose real risk: Attackers are often using legitimate, widely accepted tools for remote access or file transfer. Because of that, detection is less about spotting obviously malicious software and more about identifying unusual behavior and patterns.
  • The window to respond is small: These incidents tend to move from first contact to data exfiltration in a short period of time. Once access is granted, there may be very little opportunity to intervene, which makes prevention and early recognition critical.

Given these developments, many firms are starting to rethink how they evaluate their defenses and whether those controls hold up in realistic situations. Increasingly, the focus is shifting toward practical testing rather than relying solely on policies or theoretical coverage, for example by:

  • Running tabletop exercises that walk through realistic social engineering scenarios, such as someone impersonating IT or a trusted vendor.
  • Taking a closer look at how physical access is managed day-to-day, including visitor handling, badge use, and device policies.
  • Testing how cyber and physical controls work together in practice, especially in situations where multiple factors — people, technology, and access — come into play.
  • Tailoring awareness efforts to situations employees are likely to face, rather than relying on broad, generic training content.

Taken together, these efforts give organizations a clearer picture of how their controls perform in the real world, not just whether they exist on paper. The activity described in the FBI advisory is a reminder that effective security depends on more than technology alone. It requires attention to how people work, how access is granted and how decisions are made in the moment. As attackers continue to take advantage of trust and urgency, firms that regularly test their assumptions and reinforce good practices will be in a stronger position to reduce risk and respond when something doesn’t look right.

David Scott is managing director, forensics, at Ernst & Young LLP. The views reflected in this column are the views of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.

Legal Disclaimer:

EIN Presswire provides this news content "as is" without warranty of any kind. We do not accept any responsibility or liability for the accuracy, content, images, videos, licenses, completeness, legality, or reliability of the information contained in this article. If you have any complaints or copyright issues related to this article, kindly contact the author above.
