The FBI Says This Hacking Group Is Targeting Law Firms. Here's How the Attack Works.

The Silent Ransom Group is targeting U.S. law firms with callback phishing attacks that bypass email filters entirely. The FBI issued a warning. Here's what small firms need to know.

In May 2025, the FBI issued a private industry notification warning that a hacking group called the Silent Ransom Group had been targeting U.S. law firms for over two years. Security researchers also track them as Luna Moth and Chatty Spider. They don’t use traditional ransomware. They don’t encrypt your files. They steal them, then threaten to publish everything online unless you pay.

What makes them different from most threat groups is how they get in. There’s no malicious attachment. No sketchy link in an email. The whole attack starts with a phone call.

How callback phishing works

The attack begins with an email that looks like an internal IT notice. Maybe a password expiration, a system update, or a helpdesk ticket. The email doesn’t contain a link or a file. It contains a phone number.

When the employee calls the number, they reach someone who sounds like IT support. The person on the other end walks them through installing a remote access tool like AnyDesk, Splashtop, Zoho Assist, or Syncro. These are legitimate, commercially available tools. Because they’re digitally signed and widely used, antivirus and endpoint detection treat them as trusted software by default, and your firewall won’t flag their traffic either.

Once the tool is running, the attacker has hands-on access to the employee’s machine. They tell the employee that “work needs to be done overnight” and to leave their computer on. Then they move through the network, looking for sensitive files on local drives and shared folders. They exfiltrate the data using tools like WinSCP or Rclone, and they’re gone before morning.

A few days later, a ransom demand arrives. Pay up, or your client files go public.

According to security firm EclecticIQ, which published research on Luna Moth’s campaigns in May 2025, ransom demands range from $1 million to $8 million depending on the size of the firm.

Why this bypasses your spam filter

Most phishing defenses are built to catch malicious links and attachments. Callback phishing has neither. The email itself is clean. Just text and a phone number. There’s nothing for your email security to flag.

This is the same pattern behind what security researchers call TOAD attacks (telephone-oriented attack delivery). The social engineering happens over the phone, not in the inbox. If your firm relies on email filtering as the primary defense against phishing, this attack walks right past it.

The FBI’s notification specifically noted that the Silent Ransom Group registered typosquatted domains through GoDaddy to impersonate IT helpdesk portals for law firms. EclecticIQ identified at least 37 of these domains, using patterns like [firmname]-helpdesk.com and [firmname]helpdesk.com. If an employee navigates to one of these sites, it looks like a real support portal with instructions to download and install the remote access tool.

Why law firms specifically

Law firms make good extortion targets because of what’s sitting on their servers: merger agreements, litigation strategy memos, client financials, privileged communications. That data is worth more as leverage than an encrypted hard drive.

The Silent Ransom Group knows this. We wrote about this dynamic in our post on how most cyberattacks start with a login, which specifically mentions Luna Moth as one of the groups using social engineering rather than software exploits to get into law firm networks.

Small firms are especially vulnerable for a specific reason: there’s no internal IT helpdesk number to verify against. When someone calls claiming to be from “IT support,” there’s no one else to check with. The caller is IT support as far as the employee knows.

What this looks like in practice

Here’s a realistic scenario for a 25-person Iowa law firm:

A paralegal gets an email that says their VPN certificate is expiring and they need to call the helpdesk to renew it. The email has the firm’s name in the sender line and looks professional. The paralegal calls the number, talks to someone who seems knowledgeable, and installs a remote support tool as instructed. It takes five minutes.

That night, the attacker copies every file on the paralegal’s mapped network drives. Client documents, case files, financial records. By morning, the attacker has disconnected. Two days later, the managing partner gets a ransom email with a sample of stolen files attached as proof.

The firm’s antivirus never fired. The firewall logged nothing unusual. The email filter didn’t catch anything because there was nothing to catch.

What your firm should do about this

Train staff on callback phishing specifically. Most phishing training focuses on links and attachments. Your team also needs to know that a phone number in an email can be the attack. If someone calls asking you to install software, hang up and verify through a known channel.

Establish a verification process. If your firm uses an MSP (like us), every employee should know the MSP’s real phone number and real helpdesk URL. Any request to install software should be verified through that known contact. We tell our clients: if someone calls you claiming to be from Artech, call us back at the number you already have.

Restrict remote monitoring and management (RMM) tool installation. If your firm doesn’t use AnyDesk, there’s no reason it should be allowed to run. Application control policies can block unauthorized remote access tools from executing. This is one of the controls cyber insurance carriers are starting to ask about.

Monitor for unusual file transfers. Large outbound data transfers, especially via SFTP or cloud sync tools at odd hours, should trigger alerts. If your firm has endpoint detection and response (EDR) in place, make sure it’s configured to watch for this.

Know the fake domains. If you see helpdesk-related domains that look like your firm’s name but aren’t yours, report them. The FBI asks victims and potential targets to file reports through IC3.
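The domain patterns quoted from the FBI notice earlier ([firmname]-helpdesk.com and [firmname]helpdesk.com) and the advice here to watch for lookalike helpdesk domains are easy to turn into a small screening script. The following is an added example, not code from this post or from Artech Solutions: it takes a list of domains (which you might pull from DNS logs, certificate transparency, or staff reports) and a firm name, flags the two patterns the notice describes, and goes slightly beyond the article by also catching one-character typos in the firm name, other support-themed words, and the firm’s name on a TLD it doesn’t own. The firm name, its real domains, and the observed list are constructed.

```python
"""Screen a list of domains for lookalikes of a law firm's IT helpdesk portal.
Added example; the firm name, its real domains and the observed list are constructed."""
import re
from typing import Optional

# Words the FBI notice associates with the fake portals ("helpdesk"), plus a few
# variants on the same theme (assumption: the theme gets reused with other words).
SUPPORT_WORDS = ("helpdesk", "help-desk", "itsupport", "it-support", "support", "it")

# Public suffixes that carry a second label, e.g. example.co.uk. Tiny list;
# use a real public-suffix library in production.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so a one-character typo in the firm name still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """The label an attacker registers: 'smithjones-helpdesk' in smithjones-helpdesk.com."""
    parts = domain.split(".")
    if len(parts) >= 3 and parts[-2] in SECOND_LEVEL and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, firm: str, own_domains: set) -> Optional[dict]:
    """Return a finding for a lookalike, None for the firm's own domains or unrelated names."""
    d = domain.lower().rstrip(".")
    if d in own_domains or any(d.endswith("." + own) for own in own_domains):
        return None  # the real portal lives under a domain the firm controls
    label = registrable_label(d)
    for word in SUPPORT_WORDS:
        w = re.escape(word)
        # firm-helpdesk / firmhelpdesk, and helpdesk-firm, with or without the hyphen
        for pattern in (rf"^(.*?)-?{w}$", rf"^{w}-?(.*?)$"):
            m = re.match(pattern, label)
            if m and m.group(1):
                dist = edit_distance(m.group(1), firm)
                if dist <= 1:
                    return {"domain": domain,
                            "reason": f"'{word}' attached to firm name (edit distance {dist})"}
    dist = edit_distance(label, firm)  # plain typosquat, or the firm name on another TLD
    if dist <= 1:
        return {"domain": domain,
                "reason": f"firm name on a domain the firm doesn't own (edit distance {dist})"}
    return None


def find_lookalikes(observed: list, firm: str, own_domains: set) -> list:
    return [f for f in (classify(d, firm, own_domains) for d in observed) if f]


# Constructed inputs for a hypothetical firm "Smith Jones" (not real domains).
FIRM = "smithjones"
OWN_DOMAINS = {"smithjones.com"}
OBSERVED = [
    "smithjones.com",            # the firm's own domain
    "helpdesk.smithjones.com",   # the real support portal, a subdomain the firm controls
    "smithjones-helpdesk.com",   # first pattern from the FBI notice
    "smithjoneshelpdesk.com",    # second pattern from the FBI notice
    "smithjnes-helpdesk.net",    # one typo in the firm name
    "smithjones-itsupport.com",  # same theme, different word
    "smithjones.net",            # firm name on a TLD the firm doesn't own
    "smithjone.com",             # plain typosquat
    "microsoft-helpdesk.com",    # lookalike of someone else, not this firm
    "jonessmith-legal.com",      # unrelated
]

if __name__ == "__main__":
    for f in find_lookalikes(OBSERVED, FIRM, OWN_DOMAINS):
        print(f"{f['domain']:28} {f['reason']}")
```

Anything this flags is a candidate for the IC3 report the FBI asks for, and for a block on the firm’s DNS filter so that an employee who follows a callback email never reaches the fake portal. The edit-distance threshold of 1 is deliberately tight; raising it catches more creative misspellings at the cost of noise on short firm names.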

The bigger picture

Callback phishing isn’t a one-off technique. It’s becoming the go-to entry method for data extortion groups because it works. We’ve covered device code phishing (which targets Microsoft 365 logins) and other cybersecurity threats facing Iowa firms. Callback phishing fits the same pattern: attackers are getting past technical controls by going after people instead of systems.

The FBI warning is still active. The Silent Ransom Group is still operating. If your firm hasn’t trained staff on this specific type of attack, now is a good time to start.


Artech Solutions is a managed IT provider in West Des Moines, Iowa, working with law firms and professional services companies across the Des Moines metro. If you’re not sure whether your firm is protected against callback phishing and social engineering attacks, get in touch.