Blog Details

The fake “evidence” they send looks technical on purpose

In this case, the attackers included a document styled like a Sage data verification log. It contains scary-looking claims like:

• “Database Engine Reported an Error” and “Error Code 6069.. dB code 103..”
• “Data Files Corrupted” percentages (e.g., 41%, 34%, etc.)
• A timestamp to make it feel “real”

They also used a “rep identity” / internal-extension style sheet:

• Name: Kevin
• “EXT ID: 1432”
• Multiple phone numbers listed as “Technical Dep”
• A made-up sounding “subscription” line (“1 Year Data Protection Service Plan”)

None of that proves anything about your Sage data. It’s theater—meant to push you into letting them “fix” something. 

Red flags your team can spot in under 30 seconds

• A billing email that tells you to call a number (instead of using your known vendor portal/account contact).
• Urgency + fear: “account inactive,” “data corruption,” “immediate action required.”
• “Proof” that’s just a text log with generic wording and dramatic percentages.
• A “support agent” with an extension and multiple phone numbers that aren’t traceable to official vendor resources.
• They want remote access or want you to install anything “to repair the data.”

What to do if you receive one of these emails

Do this:

1. Don’t call the number in the email.
2. Don’t click “update card” links unless you’re already signed into your known vendor portal (typed manually / bookmarked).
3. Forward the email to your IT provider (or internal IT) and ask them to validate it.
4. Verify billing using a trusted method:
   • Use your known Sage/Intuit portal login/bookmark
   • Or call a number from a prior invoice/contract you already trust

Do not do this:

• Don’t “just call to confirm.” That’s the trap.
• Don’t let anyone “repair” your Sage/QuickBooks data over the phone.

If someone already called them (damage control)

If a staff member already called and interacted with the “rep,” treat it like a security incident:

• Disconnect the PC from the network (Wi-Fi off / unplug Ethernet) if remote access was granted.
• Tell IT exactly what happened: what was installed, what was clicked, what access was given.
• Change passwords (email first, then accounting software, then anything reused).
• Check for remote access tools and persistence (services, startup items, scheduled tasks).
• Run a real cleanup & verification process – see Virus Malware & Spyware Removal
• Confirm backs are safe & recoverable (this matters if anything escalates – see Off-Site Data Backup .
• Review financial/banking activity if any “billing update” was attempted.

How we help clients prevent this (without relying on luck)

At TSG Computer Services, we focus on keeping these scams from turning into downtime:

• Ongoing monitoring & support so issues get caught early – Managed IT Services.
• User-safe processes: a simple internal rule—no one calls vendor numbers from emails.
• Email security + endpoint protection to reduce phishing delivery and catch tools used in scams – En-Compass Cyber-Protection.
• Zero-Trust minded access controls so one bad click doesn’t become a full compromise – Network Setup, Configuration, Security & Support.
• Cleaner, safer workflows (so accounting data isn’t scattered everywhere – Cloud Data Solutions & Integration.
• Stable, secured infrastructure is where accounting data often lives – Server Performance & Security.
• Fast validation: when you’re unsure, you forward it—our job is to verify, not yours.
• Practical Improvements that reduce friction and keep staff productive – Productivity Solutions.

Want a simple internal policy that stop this fast?

Rule #1: NOBODY calls vendor phone numbers found in emails. If you are unsure, forward it to use for verifications before anyone clicks or calls. To explore options, browse TSGCS Services, or Contact Us to validate a suspicious email and put protections in place.