Advisory
Credential phishing targeting facilities staff
We've seen a rise in phishing aimed at facilities and property managers: messages asking them to approve access or reset credentials on behalf of a 'new vendor'. The pattern is recognisable and stoppable.
Affects
Three clients in the last six months received phishing attempts targeting facilities staff: emails from a spoofed vendor asking the facilities lead to approve a contractor's credential reset, or to grant elevated access to a 'new technician.'
The targeting is deliberate: facilities staff often hold admin rights on access platforms, and their role requires them to process vendor requests on short deadlines.
The primary mitigation is process rather than technology. Adopt a 'phone-confirm on any credential change' rule: any email, text, or portal request that would reset a credential or elevate someone's access requires a phone-call confirmation to a number already on file before it is actioned. A number supplied in the request itself does not count, because the attacker controls it.
Mitigation
What to do this week.
- 01 Define a written phone-confirmation policy for any credential reset or access escalation, and name who may action such requests.
- 02 Train facilities staff on the pattern; the social engineering is stereotyped (a new vendor or technician, a short deadline, a request to reset or elevate access).
- 03 Configure access platforms to require MFA on admin actions (credential resets, access grants, role changes), not just at login.
- 04 Maintain a current vendor contact list with verified phone numbers. Phone confirmation is only useful if you call a number you already trust, never one taken from the suspicious request.
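Item 03 is the one control here that lives in software rather than in a policy document. The sketch below is an added example, not code from this advisory or from any particular access platform, showing the shape of a step-up check an authorization layer can apply: a session that passed MFA at login is still challenged again before a privileged action, and that challenge is only reusable for a short window. The action names, the Session fields and the five-minute window are assumptions chosen for illustration.

```python
"""Step-up MFA gate for privileged access-platform actions.

Added example; not code from the advisory or from any named product.
The action names, the five-minute window and the Session shape are
assumptions chosen to illustrate the control.
"""
from dataclasses import dataclass
from typing import Optional, Set
import time

# Assumption: a completed step-up MFA may be reused for chained admin
# actions for five minutes, after which a fresh challenge is required.
STEP_UP_WINDOW_SECONDS = 300

# Assumption: the actions a phished facilities lead would be asked to perform.
PRIVILEGED_ACTIONS: Set[str] = {"reset_credential", "grant_access", "elevate_role"}


@dataclass
class Session:
    user: str
    is_admin: bool
    login_mfa_at: Optional[float]            # when MFA was passed at login, if at all
    last_step_up_at: Optional[float] = None  # when MFA was last passed for an admin action


def step_up_is_fresh(session: Session, now: float) -> bool:
    """True only if a step-up MFA for an admin action happened within the window.

    Login-time MFA is deliberately ignored: a session that passed MFA hours
    ago is exactly what a phished admin is sitting in when the 'vendor'
    asks for a reset.
    """
    if session.last_step_up_at is None:
        return False
    return 0 <= now - session.last_step_up_at <= STEP_UP_WINDOW_SECONDS


def authorize(session: Session, action: str, now: Optional[float] = None) -> str:
    """Decide a request: 'allow', 'deny', or 'challenge' (prompt for MFA now)."""
    now = time.time() if now is None else now
    if action not in PRIVILEGED_ACTIONS:
        return "allow"
    if not session.is_admin:
        return "deny"
    if not step_up_is_fresh(session, now):
        return "challenge"
    return "allow"


def record_step_up(session: Session, now: Optional[float] = None) -> None:
    """Call after the user passes the MFA challenge for an admin action."""
    session.last_step_up_at = time.time() if now is None else now


if __name__ == "__main__":
    # Constructed walkthrough: an admin who passed MFA at login an hour ago.
    t0 = 1_700_000_000.0
    lead = Session(user="facilities-lead", is_admin=True, login_mfa_at=t0 - 3600)
    print(authorize(lead, "view_schedule", now=t0))           # allow
    print(authorize(lead, "reset_credential", now=t0))        # challenge
    record_step_up(lead, now=t0)                              # user passes MFA
    print(authorize(lead, "reset_credential", now=t0 + 60))   # allow
    print(authorize(lead, "reset_credential", now=t0 + 600))  # challenge
```

The point of the separate `last_step_up_at` field is that a login-time MFA never satisfies the admin-action check; the attacker's whole play is to get an already-authenticated admin to click approve, and a per-action challenge interrupts that at the moment the phone-confirmation policy should also kick in.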
Want us to apply this to your system?
A 30-minute remote review against this advisory, no obligation. We'll tell you on the call whether you're exposed and what the fix looks like.
Book a review