Practical Guide to Salesforce Phishing Attacks: Risks, Examples and Prevention
May 31, '26 by Joerg Schneider-Simon
Phishing isn’t just reserved for your email inbox.
Attackers can target core areas like Salesforce through fake login pages, voice phishing calls, malicious connected apps, OAuth abuse, unsafe links, fake support requests and trusted Salesforce workflows. That’s a lot of entry points to look out for.
That is what makes Salesforce phishing different from ordinary email phishing.
Salesforce is a trusted business platform. Users rely on it for everyday tasks and activities. If a suspicious link appears inside a Salesforce record, users may be less likely to question it.
This creates a massive risk: one misplaced click, one fake support call or one approved malicious app can lead to credential theft, data exposure, extortion, follow-on phishing and operational disruption.
This guide explains how Salesforce phishing works, why it matters, which real-world incidents show the risk, and how organisations can reduce exposure with bowbridge Anti-Virus for Salesforce.
What is Salesforce phishing?
Salesforce phishing is any phishing or social engineering activity that targets Salesforce users, Salesforce credentials, Salesforce data, Salesforce-related apps or Salesforce workflows.
It may involve:
- Fake Salesforce login pages
- Voice phishing calls impersonating IT support
- Malicious OAuth or connected app approval requests
- Fake Salesforce Data Loader or support tools
- Unsafe links in Chatter, tasks, emails, cases or portals
- Phishing emails pretending to come from Salesforce or a trusted internal team
- Follow-on phishing using data stolen from Salesforce records
The important point is that Salesforce phishing does not always exploit a vulnerability in Salesforce itself.
In recent campaigns, attackers have often targeted the way organisations use Salesforce: users, integrations, third-party apps, connected workflows and the trust employees place in the platform. This means that securing the Salesforce platform itself is not enough. You also need to control how content enters Salesforce.
This is part of a wider cybersecurity problem. Attackers often target trusted systems, known workflows and human behaviour rather than relying only on technical exploits. bowbridge has explored this in more detail in its guide to why companies are at risk of cyberattacks, which explains how everyday business processes can become attractive entry points for attackers.
Salesforce has also warned customers about social engineering and phishing threats, encouraging them to strengthen their security posture and review guidance for protecting Salesforce environments.
For a broader look at practical controls, see our upcoming guide to Salesforce security best practices.
Why Salesforce is a phishing attack target
Salesforce is valuable because it is trusted, central and data-rich.
For many organisations, Salesforce contains customer records, contact details, sales opportunities and much more. It may also connect with marketing platforms, support tools, AI agents, customer portals and third-party applications.
That creates three advantages for attackers.
- Salesforce users often trust what they see inside the platform. A link in a case, task or Chatter post may feel safer than a link in an external email.
- Salesforce data can make future phishing more convincing. Names, account details, support history and contact information can be used to create targeted scams.
- Salesforce integrations can hold broad access. If an attacker tricks a user into approving a malicious connected app or steals OAuth tokens from a trusted integration, they may bypass normal login flows and access data at scale.
That is why Salesforce phishing prevention needs to go beyond email filtering.
It also needs to sit alongside wider cyber resilience measures. Phishing, ransomware, credential theft and social engineering often overlap, especially when attackers use one compromised system to move into another. For more practical advice on reducing exposure, read bowbridge’s guide to 10 ways to protect your business against ransomware attacks.

Real-world Salesforce phishing example: follow-on phishing
McAfee reported that cybercriminals tricked employees at major global companies into handing over Salesforce access and used that access to steal customer records. Its summary named several high-profile brands reportedly affected by social-engineering attacks exploiting human, rather than platform, vulnerabilities.
Follow-on phishing is one of the most important after-effects of Salesforce data theft.
Even when a breach does not expose passwords or payment details, customer names, email addresses, phone numbers, job titles, account context and support history can still be valuable to attackers. That information can be used to create highly believable phishing messages.
A customer who receives a fake support email containing accurate account details may be more likely to trust it. A staff member who receives a message referencing a real case or customer may be more likely to click. This is how one Salesforce-related incident can become the starting point for another.
For more context on incidents involving Salesforce data exposure, see our upcoming guide to Salesforce security breaches.
The main types of Salesforce phishing attacks
Salesforce phishing can take several forms. Some start outside Salesforce and aim to compromise access. Others happen inside Salesforce workflows, where unsafe links and content are harder for users to question.
1. Fake Salesforce login pages
A fake Salesforce login page is one of the most direct attacks. The user receives a link that appears to lead to Salesforce, a Salesforce-connected app or an internal portal. The page captures their username, password and sometimes MFA token.
Attackers may register lookalike domains, use realistic branding or make the page appear to come from IT, support, a customer team or a trusted partner.
Prevention requires MFA, phishing-resistant authentication where possible, domain awareness, user training and monitoring for suspicious login patterns.
2. Salesforce vishing
Vishing is voice phishing. Instead of relying on a written message, attackers call the target and impersonate IT support, helpdesk staff, a vendor or a Salesforce administrator.
In the UNC6040 campaign, this approach was reportedly used to convince employees to approve malicious connected apps or share access information. Google said UNC6040 repeatedly succeeded by impersonating IT support personnel in convincing phone-based engagements.
Vishing is dangerous because it creates urgency and social pressure. Users may feel they are helping an internal team resolve a problem.
Prevention requires clear support procedures, callback verification, user training, app approval governance and restrictions on who can approve connected apps.
Vishing is also part of a wider set of social engineering threats that go beyond traditional email phishing. bowbridge explains these related risks in its guide to smishing, vishing and other cybersecurity threats beyond phishing.
3. OAuth phishing and malicious connected apps
OAuth phishing happens when an attacker tricks a user into authorising an app that requests access to Salesforce data.
The user may believe they are approving a legitimate tool. Once authorised, the app can potentially access Salesforce data through APIs, depending on the permissions granted.
Salesforce has advised customers to review users with powerful permissions, restrict API access with connected apps and allowlist known safe apps.
Prevention requires connected app governance, admin-approved apps, regular OAuth usage reviews, permission reviews and token monitoring.
4. Malicious links in Salesforce records
A phishing link does not need to arrive by email. It can appear inside Salesforce itself.
Examples include:
- A Chatter post sharing a “customer document”
- A task note containing a fake login link
- A case comment with a suspicious URL
- A Salesforce email containing a compromised link
- A portal submission including a malicious URL
- A field on a record containing a shortened or disguised link
This matters because users often trust content inside Salesforce. The platform becomes a trust layer around content that has not necessarily been inspected.
That is why organisations need a control such as bowbridge Anti-Virus for Salesforce that can assess links and content where users actually encounter them, not just at the email gateway.
5. Salesforce support case phishing
Support and service workflows are particularly exposed.
A customer, partner or external user may submit a case that includes a link. A support agent may click it because it appears relevant to an active issue. The link could lead to a fake file share, credential-harvesting page or malware site.
Service teams are under pressure to respond quickly, which can make verification harder.
Prevention requires training, safe handling procedures for links and attachments, and automated URL inspection for case, task and email content.
6. Chatter phishing links
Chatter is useful because it helps teams collaborate. But that collaboration also means links can move quickly.
A compromised user could post a link in a Chatter group. An employee could unknowingly share a malicious URL. A shortened link could hide its final destination. Once inside Chatter, the link may feel more legitimate because it appears in an internal collaboration space.
Prevention requires URL scanning at the point of posting and a clear explanation to users when links are blocked or flagged.
7. Phishing through Experience Cloud and portals
Experience Cloud can connect customers, partners and external users to Salesforce workflows. That can make it a valuable entry point for phishing links, malicious files and social engineering.
External users may upload content or submit links from unmanaged devices. Partner users may be trusted, but their devices and security posture may vary.
Prevention requires strong access governance, guest user reviews, portal configuration reviews and content inspection for uploads and links entering through external workflows.
Why native Salesforce security is not enough on its own
Salesforce provides a highly secure cloud platform, but Salesforce security is a shared responsibility.
Salesforce secures the infrastructure, platform availability and core SaaS layer. Customers are responsible for how their org is configured, who can access it, which apps are connected, how users are trained, how data is governed and what content is trusted inside workflows.
That distinction is important for phishing.
Salesforce can provide security tools, guidance and platform controls, but organisations still need to secure:
- User behaviour
- Connected apps
- OAuth approvals
- API access
- External portals
- Sensitive data flows
- Links inside workflows
- Files and content users open inside Salesforce
This is where many organisations have a blind spot. They secure logins and permissions, but do not inspect the links moving through Chatter, emails, tasks, cases and configured fields.
bowbridge has explored similar risks in other business-critical environments, where trusted workflows and internal systems can become attack paths. Its guide to cyberattacks on critical infrastructure shows why organisations need to think beyond perimeter security and protect the systems that support essential operations.

The business impact of Salesforce phishing
Salesforce phishing can create several types of impact.
Credential theft can give attackers access to customer records, cases, account details and connected workflows. OAuth abuse can expose data through trusted apps. Malicious links can compromise users. Stolen Salesforce data can support extortion or follow-on phishing.
The wider breach landscape shows why this matters. Verizon’s 2025 Data Breach Investigations Report analysed more than 22,000 security incidents and more than 12,000 confirmed data breaches. It found that credential abuse and vulnerability exploitation remained leading initial access vectors, while third-party involvement in breaches doubled to 30%.
Those trends map directly to Salesforce phishing risk. Credentials, third-party access, user trust and connected workflows are all part of the Salesforce attack surface.
This is also why Salesforce phishing should be viewed alongside wider security risks such as malware, ransomware and data leakage. A phishing link inside Salesforce may lead to credential theft, but it can also become the first step in a broader attack chain. bowbridge’s guide to content-based attacks explains how malicious files, links and content can exploit trusted application workflows.
Salesforce phishing prevention checklist
Use this checklist to reduce Salesforce phishing risk.
1. Enforce MFA and strengthen authentication
MFA should be mandatory for Salesforce access. Where possible, consider phishing-resistant authentication methods that reduce the risk of stolen passwords and real-time token capture.
2. Train users on Salesforce-specific phishing
Generic phishing training is not enough. Users should understand what Salesforce phishing looks like: fake login pages, vishing, malicious connected apps, suspicious Chatter links, risky case URLs and fake support workflows.
This training should also include related social engineering methods. Smishing, vishing, fake support calls and malicious links often work together, as covered in bowbridge’s guide to cybersecurity threats beyond phishing.
3. Create clear IT support verification rules
Users should never approve apps, share codes, install tools or change settings because of an unexpected phone call. Create callback procedures and make it easy to verify support requests.
4. Restrict connected app approvals
Limit who can approve connected apps. Use admin-approved app policies and review which users have permissions such as “Customize Application,” “Modify All Data” or “Manage Connected Apps.” Salesforce specifically recommends reviewing powerful permissions and managing connected app access.
5. Review OAuth usage regularly
Monitor connected apps, OAuth scopes, token usage and inactive integrations. Revoke access for apps that are unused, unknown or no longer needed.
6. Monitor API activity and unusual exports
Salesforce phishing can lead to API-based data theft. Monitor unusual query volume, mass exports, new app activity, suspicious login locations and changes in access behaviour.
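To make items 5 and 6 (and the token monitoring mentioned under OAuth phishing above) concrete, here is an added example detector. It is not bowbridge or Salesforce code. It runs over a constructed, simplified CSV of API activity and a constructed inventory of OAuth grants; the column names, app names, addresses, thresholds and approved-app list are assumptions made for the demo, and real Salesforce Event Monitoring and OAuth token exports use different field names. It flags connected apps outside an approved list, a user calling the API from an address outside their baseline, per-user-and-app row totals above a mass-export threshold, and grants unused for more than 90 days.

```python
"""Detection logic for OAuth and API abuse patterns in Salesforce-style API activity.

Added example, not bowbridge or Salesforce code: a simple detector for the
controls in checklist items 5 and 6 (review OAuth usage, monitor API activity).
The CSV schema, every log row, the token inventory, the approved-app list, the
IP baseline and the thresholds are constructed for the demo; real Event
Monitoring and OAuth token exports use other column names.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed API activity rows with a simplified schema (not real log output).
SAMPLE_API_LOG = """\
timestamp,user,connected_app,client_ip,entity,rows_processed
2026-05-20T08:01:00Z,alice@corp.example,Marketing Sync,198.51.100.10,Lead,200
2026-05-20T08:05:00Z,alice@corp.example,Marketing Sync,198.51.100.10,Lead,180
2026-05-20T09:12:00Z,bob@corp.example,Data Loader,203.0.113.55,Contact,50000
2026-05-20T09:13:00Z,bob@corp.example,Data Loader,203.0.113.55,Account,20000
2026-05-20T09:15:00Z,bob@corp.example,Data Loader,203.0.113.55,Case,45000
2026-05-20T10:00:00Z,carol@corp.example,My Ticket Portal,198.51.100.22,Case,30
"""

# Constructed OAuth grant inventory: one row per (connected app, user) grant.
SAMPLE_TOKENS = [
    {"app": "Marketing Sync", "user": "alice@corp.example", "last_used": "2026-05-30"},
    {"app": "Legacy BI Connector", "user": "alice@corp.example", "last_used": "2025-11-02"},
    {"app": "Data Loader", "user": "bob@corp.example", "last_used": "2026-05-20"},
]

# Policy assumptions for the demo.
APPROVED_APPS = {"Marketing Sync", "Support Desk Integration"}
MASS_EXPORT_ROWS = 100_000   # rows per (user, app) in the window that raise an alert
STALE_TOKEN_DAYS = 90        # grants unused this long are revocation candidates
KNOWN_IPS = {                # per-user baseline of previously seen source addresses
    "alice@corp.example": {"198.51.100.10"},
    "bob@corp.example": {"198.51.100.10"},
    "carol@corp.example": {"198.51.100.22"},
}


def parse_rows(csv_text: str) -> list:
    """Parse the CSV text into one dict per API event row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def detect_api_abuse(rows: list) -> list:
    """Flag unapproved connected apps, new source IPs and mass exports."""
    alerts, totals, reported = [], defaultdict(int), set()
    for r in rows:
        user, app, ip = r["user"], r["connected_app"], r["client_ip"]
        totals[(user, app)] += int(r["rows_processed"])
        # One alert per (user, app) or (user, ip) pair, however many rows repeat it.
        if app not in APPROVED_APPS and ("app", user, app) not in reported:
            reported.add(("app", user, app))
            alerts.append({"type": "unapproved_app", "user": user, "app": app})
        if ip not in KNOWN_IPS.get(user, set()) and ("ip", user, ip) not in reported:
            reported.add(("ip", user, ip))
            alerts.append({"type": "new_source_ip", "user": user, "ip": ip, "app": app})
    for (user, app), n in totals.items():
        if n >= MASS_EXPORT_ROWS:
            alerts.append({"type": "mass_export", "user": user, "app": app, "rows": n})
    return alerts


def stale_tokens(tokens: list, today: date) -> list:
    """Return grants whose last use is older than STALE_TOKEN_DAYS."""
    return [t for t in tokens
            if (today - date.fromisoformat(t["last_used"])).days > STALE_TOKEN_DAYS]


def run_review(today: date = date(2026, 5, 31)) -> dict:
    """Combine both checks into one review report for the sample data."""
    return {"api_alerts": detect_api_abuse(parse_rows(SAMPLE_API_LOG)),
            "stale_tokens": stale_tokens(SAMPLE_TOKENS, today)}


if __name__ == "__main__":
    report = run_review()
    for a in report["api_alerts"]:
        print("ALERT", a)
    for t in report["stale_tokens"]:
        print("REVOKE?", t["app"], "granted to", t["user"], "last used", t["last_used"])
```

On the sample data the review raises one unapproved-app alert each for the "Data Loader" and "My Ticket Portal" grants, a new-source-address alert for the Data Loader session, a mass-export alert for 115,000 rows pulled by one user through one app, and lists the unused "Legacy BI Connector" grant for revocation. In a real deployment the thresholds and baselines would be tuned per org, and the alerts would go to the SIEM rather than stdout.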
7. Secure Experience Cloud and external access
Review guest users, partner access, portal uploads, public pages and external sharing. External workflows are valuable, but they can also introduce content from unmanaged environments.
8. Inspect links inside Salesforce workflows
Do not rely only on email security. Links can enter through Chatter, Salesforce emails, tasks, cases, portals and configured fields. URL filtering should happen where users actually encounter the links, which is one of the core use cases for Salesforce Anti-Virus.
9. Block, warn or neutralise risky URLs
Not every suspicious link should be treated the same way. Your controls should support policy-based actions: block known malicious URLs, warn on suspicious links, neutralise risky links and log every action.
10. Keep logs and evidence for investigation
Security and compliance teams need to know what was clicked, blocked, posted, removed or allowed. Logs, dashboards, alerts and reports help teams investigate incidents and prove controls are working.
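Items 8 to 10, together with the record-level link examples under "Malicious links in Salesforce records" above, describe one pipeline: find URLs where users meet them, apply a policy action, neutralise what is blocked, and log every decision. The following is an added example of that pipeline in Python. It is not bowbridge code and does not describe how the product works internally; the deny list, allow list, shortener list, record ids and the sample Chatter, case and task texts are constructed, and the heuristics (deny/allow lists, userinfo in the URL, brand lookalike hosts, punycode, raw IP hosts, link shorteners) are ordinary defender checks chosen for illustration.

```python
"""Policy-based URL inspection for text entering Salesforce workflows.

Added example, not bowbridge code: a minimal stand-in for the kind of URL
filtering described above (inspect links where users meet them, apply
block / warn / allow, neutralise blocked links, log every decision).
The deny list, allow list, shortener list, sample records and record ids
are all constructed for the demo.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed policy data; a real deployment feeds these from threat intelligence.
DENY_HOSTS = {"login-salesforce-verify.example", "sfdc-support-portal.example"}
ALLOW_HOSTS = {"salesforce.com", "force.com", "trailhead.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


@dataclass
class Finding:
    url: str
    action: str   # "block", "warn" or "allow"
    reason: str


def extract_urls(text: str) -> list:
    """Find http(s) URLs and drop trailing sentence punctuation."""
    return [u.rstrip(".,;:!?") for u in URL_RE.findall(text)]


def _host_matches(host: str, domains: set) -> bool:
    """True when host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url: str) -> Finding:
    """Map one URL to a policy action: known-bad -> block, suspicious -> warn."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return Finding(url, "block", "no parseable host")
    if _host_matches(host, DENY_HOSTS):
        return Finding(url, "block", "host on deny list")
    if _host_matches(host, ALLOW_HOSTS):
        return Finding(url, "allow", "host on allow list")
    if "@" in parts.netloc:
        # "https://salesforce.com@evil.example/" displays one name but connects to another.
        return Finding(url, "warn", "userinfo in URL hides real host")
    if "salesforce" in host or "sfdc" in host:
        return Finding(url, "warn", "brand lookalike host not on allow list")
    if "xn--" in host:
        return Finding(url, "warn", "punycode host")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        return Finding(url, "warn", "raw IP address host")
    if _host_matches(host, SHORTENER_HOSTS):
        return Finding(url, "warn", "shortened link hides destination")
    return Finding(url, "allow", "no indicator matched")


def neutralise(text: str, url: str) -> str:
    """Replace a blocked URL with a non-clickable, defanged copy."""
    defanged = url.replace("http", "hxxp", 1).replace(".", "[.]")
    return text.replace(url, f"[link removed: {defanged}]")


def inspect_text(record_id: str, user: str, context: str, text: str):
    """Inspect one piece of user-submitted text.

    Returns the (possibly rewritten) text and one audit entry per URL with
    url, user, context and action, which is what an investigator later needs.
    """
    audit, new_text = [], text
    for url in extract_urls(text):
        finding = classify_url(url)
        if finding.action == "block":
            new_text = neutralise(new_text, url)
        audit.append({"record": record_id, "user": user, "context": context,
                      "url": url, "action": finding.action, "reason": finding.reason})
    return new_text, audit


# Constructed records standing in for a Chatter post, a case comment and a task note.
SAMPLE_RECORDS = [
    ("REC-CHATTER-1", "alice@corp.example", "ChatterPost",
     "Q2 deck: https://docs.salesforce.com/deck and notes https://bit.ly/q2notes"),
    ("REC-CASE-2", "guest@partner.example", "CaseComment",
     "Session expired, re-authenticate at https://login-salesforce-verify.example/sso"),
    ("REC-TASK-3", "bob@corp.example", "Task",
     "Portal moved to http://203.0.113.7/login, see https://salesforce.com@evil.example/"),
]


def run_demo() -> list:
    """Run every sample record through inspection; returns (text, audit) pairs."""
    return [inspect_text(*rec) for rec in SAMPLE_RECORDS]


if __name__ == "__main__":
    for text, audit in run_demo():
        for e in audit:
            print(f"{e['action']:5} {e['context']:12} {e['url']}  ({e['reason']})")
        print("  ->", text)
```

The ordering of the checks is the policy: the deny list wins over everything, the allow list short-circuits the heuristics, and only a deny-list hit rewrites the text, while every other URL is merely annotated in the audit trail. That keeps the "block, warn or neutralise" decision and the evidence for item 10 in one place.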
For broader security planning, bowbridge’s guide to protecting your business against ransomware attacks includes practical steps that can support wider resilience across users, systems and workflows.

How bowbridge helps reduce Salesforce phishing risk
bowbridge Anti-Virus for Salesforce is designed to help organisations close one important gap in Salesforce phishing prevention: unsafe links moving through trusted workflows.
bowbridge can monitor user-submitted text in Chatter posts, Salesforce emails and task descriptions or notes for URLs, then perform real-time threat analysis using threat intelligence sources such as malicious URL databases, URL reputation services and heuristic indicators. If a URL is malicious or high risk, bowbridge can block or neutralise the link and notify the user.
bowbridge URL filtering is designed to cover Chatter posts, comments and messages, Salesforce email content, task fields and other configured objects or text fields. It also logs URL events for audit purposes, including the URL, user, context and action taken.
This means bowbridge helps teams:
- Check links before users click
- Block or neutralise known phishing URLs
- Protect agentic applications from malicious data
- Alert admins when malicious URLs are found
- Keep logs for investigation and audit evidence
bowbridge is also broader than URL filtering alone. The product supports file scanning for malware and ransomware, DLP for sensitive data patterns, policy actions such as block, quarantine, warn, allow or alert, and dashboards and reporting for visibility.
That matters because phishing rarely exists in isolation. Unsafe links, malicious files and sensitive data exposure often appear together inside real workflows.
bowbridge Anti-Virus for Salesforce helps organisations bring these controls closer to the point of risk, inside the Salesforce workflows where users already collaborate, respond to customers and manage sensitive information.
Salesforce phishing is a workflow risk
Salesforce phishing is not just a login problem.
It is a workflow risk.
Attackers can use fake login pages, vishing calls, malicious connected apps, OAuth token abuse and unsafe links inside Salesforce workflows. They can exploit the trust users place in Chatter, cases, tasks, emails, portals and connected apps.
The answer is not to distrust Salesforce. The answer is to secure the way content and links move through it.
That means strong authentication, connected app governance, user training, API monitoring, portal security and Salesforce-specific URL filtering.
Phishing does not stop at the inbox. Your protection should not stop there either.
Learn how bowbridge Anti-Virus for Salesforce helps customers block unsafe Salesforce links, reduce phishing exposure and protect trusted workflows before users click.
