Hackers are posing as Interpol to target small business – here's what you need to know
Small businesses are warned to think twice before clicking on links
Criminals are posing as Interpol cyber crime investigators to target small businesses across Europe, Asia, the Middle East, and North America.
According to new research from Bitdefender, the phishing messages claim to contain evidence that the recipients are carrying out suspicious activity, pressuring them into opening a password-protected archive.
"Based on information that has come to our attention, there may be activities involving accounts, systems or services associated with your organization that warrant further examination. We have obtained information and video material that may assist in your assessment of the matter," the emails read.
"We recommend conducting an internal review to determine whether any unauthorized, suspicious or potentially fraudulent activities have occurred. Prompt attention to such matters may help mitigate potential financial operational, reputational or regulatory risks."
Upon opening the link, recipients are directed to a Proton Drive-hosted file that delivers a ransomware payload hidden within multiple archive layers. Once executed, researchers said the malware seeks to encrypt files across available drives and presents victims with a ransom message.
The campaign is targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.
The ransomware is relatively simple, according to Bitdefender researchers. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
Interestingly, victims are instructed to contact the attackers through a Tox chat channel to negotiate a ransom, rather than through the more usual dedicated negotiation portal or victim site.
This, researchers noted, is another indication that this is likely a custom-built operation, perhaps assembled using publicly available code and tools rather than the work of an established ransomware group.
What small businesses need to know
Javvad Malik, Lead CISO advisor at KnowBe4, said that impersonating Interpol – or law enforcement in general – is specifically designed to trigger a “rapid emotional response” and dupe victims into ignoring red flags.
"What is interesting about this campaign is that it targets small business,” he said. “These are often understaffed and have no security or even IT expertise on hand, so it's not difficult to see why people would easily fall victim to these kinds of attacks."
Bitdefender has warned small businesses to be on the alert, urging them to verify all unsolicited correspondence by reaching out through official channels to confirm whether the communication is legitimate.
"One of the biggest red flags in this campaign is the delivery method itself," researchers said. "While the attackers impersonate Interpol, legitimate law enforcement agencies don't send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing."
They should treat password-protected archives with caution, especially when the password is included in the email. Showing file extensions on Windows devices will make it easier to spot executables masquerading as videos or documents, and multi-factor authentication (MFA) should be used wherever possible.
Elsewhere, the company urged small businesses to ensure staff are trained to help spot tell-tale signs that communications are fraudulent.
"Small businesses are often viewed as easier targets than large enterprises," the researchers warned.
"Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training."
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
-
Forward deployed engineers are big tech’s latest gambit to drive AI adoptionNews With Microsoft and AWS placing their faith in forward deployed engineers, enterprises will gain a helping hand with tricky AI adoption projects
-
Logitech Signature Comfort Plus Combo MK880Reviews With a laser focus on ergonomics and comfort, this plug-and-play keyboard and mouse set means there's no need to choose between work or pleasure
-
Opera browser thinks it has the solution to stopping ClickFix malware attacksNews The browser company is targeting a growing source of malicious links with its new Paste Protect feature
-
‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolenNews An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
-
‘Hacking groups have the transport network firmly in their sights’: Network Rail is battling a torrent of cyber threatsNews FoI requests have revealed that the rail operator is under increasing attack, as cyber criminals set their sights on the transport sector
-
‘This operation marked a shift in strategy’: Three notorious malware networks have been taken down using RICO legislationNews The action involved the use of US racketeering laws to treat two malware families as part of a single conspiracy
-
‘They risk damaging confidence’: A Canadian health board outraged staff with phishing tests offering paid leave – experts say it shows why you need to be careful with cyber awareness campaignsNews Phishing tests require a delicate touch, emulating realism while not “exploiting goodwill”
-
Hackers are capitalizing on AI hype to ramp up social engineering attacks – and they're using big brands like Anthropic, OpenAI, and DeepSeek as ‘bait’ to lure victimsNews Microsoft says cyber criminals are impersonating popular AI platforms to deliver malware
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Ransomware cartels are fragmenting into volatile splinter groups, warns Met Police cyber chiefNews Commoditized "cyber crime bazaars" and AI data mining are forcing law enforcement to rewrite its playbook