The FBI has issued a FLASH alert (FLASH-20260526-01) warning that the Silent Ransom Group is now sending operatives to the offices of US law firms after their callback phishing attempts fail. They turn up posing as IT support, then physically plug a USB drive into a workstation to exfiltrate data. Thirty-eight firms have already had their data leaked. The FLASH classification is the FBI’s “act now” tier — reserved for active and ongoing threats requiring immediate attention.
Why this matters for Australian wealth management, legal and accounting firms: you sit on exactly the same kind of data — client identities, financial records, M&A documents, estate matters — and most professional services offices in Sydney, Melbourne and the regions still operate with open reception areas and helpful front-of-house staff. The tactics travel. If a US gang has proven a model that works, copycats follow within weeks, and as The Register reported this week, the technique is dirt cheap to scale.
What to do this week:
- Brief reception and admin staff that “IT support” never just walks in. If someone shows up unannounced claiming to be from your MSP, the answer is “please wait while I call them on a number I already have.”
- Deny removable storage on every endpoint that doesn’t have a documented business need: the “All Removable Storage classes: Deny all access” policy under Removable Storage Access in Group Policy, or the equivalent Removable Storage Access / device control settings in Intune. This removes the USB-drive copy step the FLASH describes, but it is not the whole physical-access story: the policy only governs storage classes, so a USB network adapter or keystroke-injection device still enumerates, and an unlocked session still lets a visitor move data over the network. Pair it with short screen-lock timeouts and an escort rule for anyone touching a workstation.
- Confirm your endpoint detection tool alerts on new mass-storage device events, that the Windows audit source behind them is actually switched on (Security event 6416, “A new external device was recognized by the system”, is only written when the Audit PnP Activity subcategory is enabled), and that a named person reads the alert when it fires.
- Re-test your callback phishing awareness with staff. The fake phone call is still how every one of these incidents starts.
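The USB-blocking and USB-detection items above, worked through on a single Windows endpoint. This is an added example, not code from the FBI FLASH or from the original post. The registry paths, the `Deny_All` value (what the “Deny all access” policy writes), the `USBSTOR` service start value, Security event 6416 and its field names, and the `DEVPKEY_Device_LastArrivalDate` property are documented Windows locations; the function names and the 72-hour look-back are my own choices, and the script assumes Windows 10/11 run from an elevated session. Deploy the real policy through GPO or Intune; the local write here is for testing one machine or verifying that a deployed policy landed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the FBI FLASH or the original post). Assumes Windows 10/11,
# run elevated. Function names are illustrative; paths and event IDs are Windows' own.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbstorSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Set-RemovableStorageDeny {
    # Local equivalent of: Computer Configuration > Administrative Templates > System >
    # Removable Storage Access > "All Removable Storage classes: Deny all access".
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
    # Second layer: stop the USB mass-storage driver loading at all (Start 4 = Disabled).
    Set-ItemProperty -Path $UsbstorSvc -Name 'Start' -Value 4
}

function Test-RemovableStorageDeny {
    # Compliance check: both layers must be in place for Compliant to be $true.
    $deny  = (Get-ItemProperty -Path $PolicyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $start = (Get-ItemProperty -Path $UsbstorSvc -Name 'Start'    -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        PolicyDenyAll   = ($deny  -eq 1)
        UsbstorDisabled = ($start -eq 4)
        Compliant       = ($deny -eq 1 -and $start -eq 4)
    }
}

function Enable-PnpAuditing {
    # Security 6416 ("A new external device was recognized by the system") is only
    # written when this subcategory is enabled; it is off on a default install.
    auditpol /set /subcategory:"Plug and Play Events" /success:enable | Out-Null
}

function Get-UsbStorageHistory {
    # Every USB mass-storage device Windows has ever enumerated, plugged in or not,
    # with its last arrival time. Answers "was anything attached at that desk while
    # the 'IT support' visitor was here?" even after the drive has left the building.
    Get-PnpDevice -Class DiskDrive |
        Where-Object InstanceId -like 'USBSTOR\*' |
        ForEach-Object {
            $arrival = Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_LastArrivalDate' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId   # trailing segment is the device serial
                Present      = $_.Present
                LastArrival  = $arrival.Data
            }
        } | Sort-Object LastArrival -Descending
}

function Get-RecentUsbStorageEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData fields by name from the XML rather than trusting Properties[] order.
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.DeviceId -like 'USBSTOR\*') {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Device   = $d.DeviceDescription
                DeviceId = $d.DeviceId
            }
        }
    }
}

# Usage: harden, verify the hardening, turn on the audit source, then look back
# over the last three days for anything that got in before the block was applied.
Set-RemovableStorageDeny
Test-RemovableStorageDeny
Enable-PnpAuditing
Get-UsbStorageHistory          | Format-Table -AutoSize
Get-RecentUsbStorageEvents -Hours 72 | Format-Table -AutoSize
```

Two things worth knowing before you run it across a fleet: `Get-UsbStorageHistory` works retrospectively because Windows keeps the enumeration record under `Enum\USBSTOR` whether or not a policy is in place, so it is a useful first question for any desk a walk-in visitor reached, while `Get-RecentUsbStorageEvents` only returns results from the point Plug and Play auditing was enabled onward. Your EDR may surface the same 6416 data in its own telemetry; the point of the check in the bullet above is to prove that someone is on the receiving end of it.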
If you’d like a hand reviewing your USB policy, helpdesk impersonation procedures or cybersecurity posture more broadly, that’s exactly what we do. Worth a 15-minute call before this technique lands here.
