Cybersecurity is a shared responsibility between a provider and their customers. While Salesforce builds enterprise-grade security into every part of our platform, customers play a vital role in protecting their data — especially amid a recent rise in sophisticated social engineering and phishing attacks targeting Salesforce customers.
Threat actors have been observed employing various social engineering tactics, including voice phishing (i.e., “vishing”), to impersonate members of an IT Support team over the phone. They have been reported luring our customers’ employees and third-party support workers to phishing pages designed to steal credentials and MFA tokens. In some cases, once they gain access to a customer’s Salesforce account, the threat actors have used the Data Loader app to exfiltrate data.
To help our customers strengthen their cybersecurity posture and defend against these types of sophisticated threats, we’re highlighting key platform features and best practices below. While not exhaustive, this list includes links to additional resources so customers can make informed security decisions that best protect their Salesforce instances. If you require assistance, we encourage you to reach out to Support via the Help portal.
1. Set login ranges and trusted IPs
Restricting access through IP addresses helps protect data from unauthorized access and successful phishing attacks. By restricting login IP ranges to your enterprise and VPN network, you can define a range of permitted IP addresses — ensuring unidentified or non-trusted IPs are denied or challenged to verify their identity. You can also restrict login IP addresses in profiles to control login access at the profile level, which allows you to set a range of allowed IP addresses on a user’s profile. When you define IP address restrictions for a profile, a login from any other IP address is denied.
2. Apply the principle of least privilege
Grant users only the permissions they need to do their jobs — no more, no less. This limits unnecessary access to sensitive information and significantly reduces security risk. Customize permissions across connected apps and adjust Session Settings (for example, session timeouts) to your organization's needs so that no unauthorized access occurs when users step away from their devices. Layer user permissions with Permission Sets and Permission Set Groups, and avoid granting blanket permissions at the profile level. Configure Data Loader to limit the number of users who can mass import, update, or delete records in the organization by following the instructions in this Help article.
Take advantage of Salesforce settings that allow you to manage who can use your connected apps and where they can access them from by managing access to your connected apps. You can also manage session security to limit exposure to your network when a user leaves the computer unattended while still logged in.
3. Enable Multi-Factor Authentication (MFA)
MFA is an essential, effective tool to enhance protection against unauthorized account access. As sophisticated cyberattacks become more frequent, passwords alone are no longer sufficient to safeguard against unauthorized access. MFA adds an extra layer of defense, particularly against phishing attacks, helping to secure your business and protect your customers.
That’s why Salesforce requires MFA to access our services. To make it easier for your users, including third parties that work within your instances, to comply with this requirement, MFA is automatically enabled for direct logins to Salesforce; for more information on MFA in Salesforce instances, see here.
4. Use Salesforce Shield for enhanced alerting and visibility
For enhanced alerting and visibility into activity within your Salesforce org, consider using Salesforce Shield, a suite of security tools designed to protect your enterprise against cyberattacks, meet changing data privacy regulations, and secure your Agentforce and Customer 360 environments.
For example, Event Monitoring, a key feature of Salesforce Shield, alerts you to unusual user behavior and proactively blocks suspicious or unwanted actions. It provides visibility into key activities, such as who viewed data and when, where it was accessed, when records were changed, and where logins are coming from. You can also ingest Event Monitoring logs into your internal security tools and review processes for further analysis.
Additionally, Salesforce Shield offers:
- Threat Detection events, which alert you to incidents such as user session hijackings, credential stuffing attacks, and anomalies in report usage or API calls.
- Transaction Security Policies, which allow you to monitor activities like large downloads and automatically trigger alerts or blocks when these actions occur.
- The ability to find and classify sensitive data, retain historical data, and manage data encryption, all critical components in securing your organization and maintaining compliance.
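An added example (not Salesforce's code or part of this post) that ties section 1 to the Event Monitoring ingestion point above: it reads a constructed login-event CSV, checks each successful login against the trusted enterprise and VPN ranges, and reports logins that should have been denied by login IP ranges, noting when the client was Data Loader. The column names (EVENT_TYPE, TIMESTAMP_DERIVED, USER_NAME, SOURCE_IP, LOGIN_STATUS, CLIENT_NAME) and the status value are assumptions to verify against your org's EventLogFile schema before wiring this into a SIEM.

```python
import csv
import io
import ipaddress

# Constructed sample shaped like an Event Monitoring Login event log file
# (CSV, one row per login attempt). Column names and the LOGIN_STATUS value
# are assumptions; confirm them against your org's EventLogFile fields.
SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS,CLIENT_NAME
Login,2025-06-01T09:02:11Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR,Browser
Login,2025-06-01T09:40:37Z,bob@example.com,198.51.100.77,LOGIN_NO_ERROR,Data Loader
Login,2025-06-01T09:41:02Z,bob@example.com,198.51.100.77,LOGIN_ERROR_INVALID_PASSWORD,Browser
Login,2025-06-01T10:15:55Z,carol@example.com,10.20.0.5,LOGIN_NO_ERROR,Data Loader
"""

# Enterprise and VPN egress ranges; the org's login IP ranges should mirror these.
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "10.20.0.0/16")]

# Client names that indicate a bulk data tool rather than an interactive session.
BULK_CLIENTS = {"Data Loader"}


def is_trusted(ip_text, ranges=TRUSTED_RANGES):
    """True if the source address falls inside one of the trusted CIDRs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: treat as untrusted
    return any(ip in net for net in ranges)


def review_logins(csv_text, ranges=TRUSTED_RANGES):
    """Return (user, ip, reason) findings for successful logins that bypassed
    the IP policy, flagging bulk tooling from outside the trusted network."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "Login":
            continue
        succeeded = row["LOGIN_STATUS"] == "LOGIN_NO_ERROR"
        if succeeded and not is_trusted(row["SOURCE_IP"], ranges):
            # A successful login from outside the ranges means the profile or
            # org-wide login IP restriction is missing for this user.
            reason = "successful login outside trusted IP ranges"
            if row["CLIENT_NAME"] in BULK_CLIENTS:
                reason += "; bulk data tool (possible exfiltration)"
            findings.append((row["USER_NAME"], row["SOURCE_IP"], reason))
    return findings


if __name__ == "__main__":
    for finding in review_logins(SAMPLE_LOGIN_LOG):
        print(finding)
```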
5. Add a Security Contact
To ensure that we can reach your organization in the case of a security event, we encourage all Signature and Premier customers to add a Security Contact by following the steps outlined in the Help article, Manage Security Contacts for your Salesforce Organization. We encourage Standard Users to update and maintain a current System Admin.
At Salesforce, Trust is our #1 value, and protecting your data is our top priority. We’re dedicated to ensuring the highest levels of security and empowering you with the tools necessary to safeguard your organization. For more tips and insights on securing your Salesforce environment, please visit security.salesforce.com and review the Salesforce Security Guide.