Global Real Estate Firm Hit by Voice Phishing Attack
Cushman & Wakefield, one of the world's largest commercial real estate firms, has confirmed a data security incident tied to a voice phishing, or vishing, attack. Two separate cybercrime groups have stepped forward to claim responsibility: ShinyHunters alleges it stole 500,000 Salesforce records containing personally identifiable information (PII), while the Qilin ransomware group has independently claimed its own attack on the company. Whether these represent a single coordinated campaign or two distinct intrusions remains unclear, but the incident highlights a troubling reality: even organizations with significant IT resources can be undone by a convincing phone call.
Cushman & Wakefield described the incident as "limited" in scope, but 500,000 records tied to a major cloud CRM platform is not a trivial exposure. Salesforce environments often hold contact details, deal histories, and sensitive business communications. For a firm operating across commercial real estate transactions worldwide, the data at risk could affect clients, partners, and counterparties far beyond the company's own employees.
Why Vishing Is So Effective Against Technical Defenses
Vishing attacks are particularly dangerous because they sidestep the technical controls that most organizations invest heavily in. Firewalls, endpoint detection, and network monitoring are largely irrelevant when an attacker simply calls an employee and convincingly impersonates IT support, a vendor, or an executive. The attacker's goal is to manipulate a person, not a machine, and people are considerably harder to patch.
In a typical vishing scenario, the caller creates urgency, establishes false credibility, and guides the target into handing over credentials, authorizing account changes, or clicking a link that installs malware. Once an attacker has valid credentials for a platform like Salesforce, they can move through an environment quietly, exfiltrating records without triggering obvious alerts. The attack on Cushman & Wakefield follows a pattern seen across multiple industries: social engineering as the entry point, cloud data as the prize.
This is precisely why technical security measures alone are insufficient. Employee awareness training, strict verification procedures for sensitive requests, and clear protocols around credential changes are as important as any software control. Organizations that treat security as a purely technical problem are leaving a human-sized gap in their defenses.
The Case for Layered Communications Security
The Cushman & Wakefield incident raises a broader question about how enterprises handle sensitive communications. When access to systems holding hundreds of thousands of records can be granted over a phone call, it suggests the communication channel itself is part of the attack surface. Encrypted, verified communication channels add a layer of friction that attackers have to overcome, while also creating audit trails that unencrypted phone calls do not.
Secure communication practices matter at every level of an organization. This includes using encrypted messaging for internal coordination, ensuring that remote workers access sensitive systems through secure, authenticated connections, and establishing out-of-band verification steps before acting on any request that involves credentials or system access. These practices are not exclusive to large enterprises: businesses of any size that handle client PII in cloud platforms face the same fundamental exposure.
The ShinyHunters group, which has previously been linked to high-profile breaches across multiple sectors, has been increasingly active in targeting cloud-hosted databases. Their alleged use of a Telegram channel to announce the Cushman & Wakefield claim underscores how public and brazen these operations have become. Meanwhile, Qilin's separate claim suggests that either the company was targeted by multiple actors exploiting the same initial access, or that the ransomware group is opportunistically claiming involvement to pressure the firm into paying.
What This Means For You
For individuals, the most immediate concern is whether your information might be among the 500,000 allegedly compromised Salesforce records. If you have had dealings with Cushman & Wakefield as a client, tenant, or business partner, it is worth monitoring your accounts for unusual activity and being alert to follow-on phishing attempts that may use your personal details to appear legitimate.
For organizations, this incident is a prompt to examine how access to cloud CRM platforms is granted and revoked. Key questions to ask include: Can an employee authorize a credential change or data export based solely on a phone request? Are verification steps for sensitive actions documented and consistently followed? Does your incident response plan account for social engineering as an entry vector?
The Cushman & Wakefield breach is a reminder that security culture matters as much as security tools. No technology investment fully compensates for employees who have not been trained to recognize and report suspicious calls.
Actionable takeaways:
- Train employees specifically on vishing tactics, not just email phishing. Voice-based attacks require different recognition skills.
- Implement multi-step verification for any request involving credentials, account changes, or bulk data access, regardless of how legitimate the caller sounds.
- Audit who has access to cloud platforms like Salesforce and apply the principle of least privilege: users should only access what they genuinely need.
- Establish a clear, trusted internal channel for employees to verify suspicious requests before acting on them.
- Monitor for unusual data export activity in CRM and cloud storage environments, since large-scale record access is often detectable before exfiltration completes.
The human element remains the most exploited vulnerability in enterprise security. Closing that gap requires investment in people, processes, and verified communication practices, not just better software.
