Hackers are posing as Interpol to target small business – here's what you need to know

Small businesses are warned to think twice before clicking on links

Phishing concept image showing an email symbol with a fishing hook pierced through, with glowing padlock symbols in background.
(Image credit: Getty Images)

Criminals are posing as Interpol cyber crime investigators to target small businesses across Europe, Asia, the Middle East, and North America.

According to new research from Bitdefender, the phishing messages claim to contain evidence that the recipients are carrying out suspicious activity, pressuring them into opening a password-protected archive.

"Based on information that has come to our attention, there may be activities involving accounts, systems or services associated with your organization that warrant further examination. We have obtained information and video material that may assist in your assessment of the matter," the emails read.

"We recommend conducting an internal review to determine whether any unauthorized, suspicious or potentially fraudulent activities have occurred. Prompt attention to such matters may help mitigate potential financial operational, reputational or regulatory risks."

Latest Videos From

Upon opening the link, recipients are directed to a Proton Drive-hosted file that delivers a ransomware payload hidden within multiple archive layers. Once executed, researchers said the malware seeks to encrypt files across available drives and presents victims with a ransom message.

The campaign is targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.

The ransomware is relatively simple, according to Bitdefender researchers. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.

Interestingly, victims are instructed to contact the attackers through a Tox chat channel to negotiate a ransom, rather than through the more usual dedicated negotiation portal or victim site.

This, researchers noted, is another indication that this is likely a custom-built operation, perhaps assembled using publicly available code and tools rather than the work of an established ransomware group.

What small businesses need to know

Javvad Malik, Lead CISO advisor at KnowBe4, said that impersonating Interpol – or law enforcement in general – is specifically designed to trigger a “rapid emotional response” and dupe victims into ignoring red flags.

"What is interesting about this campaign is that it targets small business,” he said. “These are often understaffed and have no security or even IT expertise on hand, so it's not difficult to see why people would easily fall victim to these kinds of attacks."

Bitdefender has warned small businesses to be on the alert, urging them to verify all unsolicited correspondence by reaching out through official channels to confirm whether the communication is legitimate.

"One of the biggest red flags in this campaign is the delivery method itself," researchers said. "While the attackers impersonate Interpol, legitimate law enforcement agencies don't send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing."

They should treat password-protected archives with caution, especially when the password is included in the email. Showing file extensions on Windows devices will make it easier to spot executables masquerading as videos or documents, and multi-factor authentication (MFA) should be used wherever possible.

Elsewhere, the company urged small businesses to ensure staff are trained to help spot tell-tale signs that communications are fraudulent.

"Small businesses are often viewed as easier targets than large enterprises," the researchers warned.

"Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training."

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.