Salesforce Security Best Practices - Vishing Warning
Posted: August 14, 2025 Filed under: Uncategorized | Tags: admin, Appexchange, In-App Guidance, Salesforce, Security, technology

If your IT department calls you asking you to do something, you would probably do it without giving it a second thought. That's why the new wave of cyber criminals is now calling you directly and impersonating your company's IT support staff.
Unlike past phishing emails, which often get blocked by IT's email security rules, criminals are now using voice calls (aka vishing) and are extremely convincing. They will act like they are calling from your IT support team. They might send you to websites built to steal your credentials and MFA tokens, or ask you to install an app that seems legitimate.
Recently, cyber criminals have been gaining access to Salesforce orgs around the world by convincing admins to install a "new" version of the Data Loader app. The app of course is not legit, and once it is installed the criminals have access to your Salesforce data.

Don’t Get Conned
Be suspicious if you get an unexpected call from your IT support (or anyone else for that matter, whether your child or the President) asking you to do something. With even just a small bit of audio, criminals can imitate a voice, so that call could truly sound exactly like your boss.
If you are a Salesforce Admin you can help spread the word to your users about these types of cons. You can easily do this using the out-of-the-box, no-code In-App Guidance. Just create a prompt that warns users about vishing and reminds them to only log in at the designated URL. Include an acknowledgment button that the user has to click to close the prompt. Then add your prompt to "Any Page, Any App" and schedule it to show up every day until they acknowledge the message.
Sidenote: If you are new to In-App Guidance, it is an absolutely cool tool for educating users in the context of Salesforce; watch a video here https://salesforce.vidyard.com/watch/EeyJabzZtNm67Fz6NzTFYM and take this Trailhead https://trailhead.salesforce.com/content/learn/modules/user-engagement/promote-feature-adoption-and-discovery to learn more.
Proactive Ways to Protect Your Salesforce Org
While you cannot prevent your teammates and users from falling victim to this or other cons, Admins can take steps now to minimize the damage should a bad actor try to get into your Salesforce org. Here are some things you can do:
- Ensure everyone is using MFA. No exceptions. Salesforce requires this but you will need to enforce it for your users and third parties.
- Limit login IP ranges to your trusted enterprise and VPN network addresses. Define them at the profile level for added control.
- Follow the Principle of Least Privilege. This is an issue I see ALL THE TIME. Entire objects are made public and shared with everyone instead of only giving users what they need to do their job. Connected apps have too many permissions and access to more data than they need. Far too many users have admin-level permissions. Bottom line: only give people and systems access to the data and capabilities that they need to do their job. Nothing more.
- Run the Health Check. Use the out of the box Salesforce Health Check found under Setup to see if there are any recommended security settings that need improvement.
- Use Tools to Monitor for Threats. I know Salesforce Shield and other threat detection tools are not cheap, but ask yourself if you can afford NOT to have them. The cost of an undetected breach could be several million dollars and cause severe reputation damage.
- Use the AppExchange. Only install apps directly from the AppExchange, as they have all been vetted by Salesforce security. You might have legitimate third parties that ask you to install their non-AppExchange package, but do so with extreme caution and verify the authenticity of the app first.
- Use Data Masking. The above best practices all apply to your sandboxes as well, but with sandboxes you have an additional tool in your toolbelt: Data Mask. Salesforce has an add-on product that you can buy that will automatically obfuscate personally identifiable information (PII) and sales revenue, replacing it with random or similar-looking values. If your IT budget does not allow for this, you could also DIY it through an ETL process that removes sensitive information before loading data into sandboxes.
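As an added illustration of the DIY masking step above (my own example, not Salesforce Data Mask and not code from this post), here is a small Python ETL pass over a constructed CSV export. It assumes column names like FirstName, Email, Phone and Amount; PII is replaced with keyed pseudonyms so the same contact stays consistent across records, and revenue is scaled by a keyed factor so deal sizes are hidden but reports still look plausible.

```python
import csv
import hashlib
import hmac
import io

# Assumed column names of a Contact/Opportunity-style export; adjust to your org.
PII_FIELDS = {"FirstName", "LastName", "Email", "Phone"}
REVENUE_FIELDS = {"Amount"}

def mask_value(field, value, key):
    """Replace PII with a pseudonym from a keyed hash (HMAC-SHA256). The same
    real value always maps to the same fake value, so lookups and dedupe rules
    still work in the sandbox, but the original cannot be recovered without the key."""
    if value == "":
        return value
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    if field == "Email":
        return f"user{digest[:10]}@example.invalid"
    if field == "Phone":
        digits = str(int(digest[:8], 16)).zfill(10)  # keep a phone-like shape
        return f"555-{digits[:3]}-{digits[3:7]}"
    return f"{field}_{digest[:8]}"

def mask_amount(value, key):
    """Scale revenue by a keyed, deterministic factor in [0.5, 1.5) so individual
    deal sizes are hidden while totals stay in a believable range."""
    if value == "":
        return value
    digest = hmac.new(key, f"Amount:{value}".encode(), hashlib.sha256).digest()
    return f"{float(value) * (0.5 + digest[0] / 256):.2f}"

def mask_export(csv_text, key):
    """Mask every sensitive column of a CSV export; returns the masked rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in row:
            if field in PII_FIELDS:
                row[field] = mask_value(field, row[field], key)
            elif field in REVENUE_FIELDS:
                row[field] = mask_amount(row[field], key)
        rows.append(row)
    return rows

# Constructed sample export, not real data. Rows 1 and 2 share a contact on
# purpose to show that the masking is consistent across records.
SAMPLE_EXPORT = """Id,FirstName,LastName,Email,Phone,Amount
CONSTRUCTED-001,Ada,Lovelace,ada@corp.example,415-555-0100,125000.00
CONSTRUCTED-002,Ada,Lovelace,ada@corp.example,415-555-0100,98000.50
CONSTRUCTED-003,Alan,Turing,,,
"""
MASK_KEY = b"demo-key-only: keep the real key in a secrets manager"

if __name__ == "__main__":
    for masked in mask_export(SAMPLE_EXPORT, MASK_KEY):
        print(masked)
```

Run it against a real export only after confirming the column list covers every PII and revenue field in your org, and store the key outside the script so the pseudonyms cannot be reversed by anyone with sandbox access.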
I often joke ‘This is why we can’t have nice things.’, but the good news is that with Salesforce we can STILL have a powerful app that adds efficiency while also securing and protecting access to data.
Stay vigilant everyone.