Phishing Risks in Salesforce Environments — What Organisations Should Know

As one of the world’s leading CRM platforms, Salesforce often serves as the central system for managing customer data, sales operations, and integrations with other business systems. This central role makes Salesforce environments particularly valuable targets for attackers seeking access to sensitive information such as customer records, pricing data, and commercial forecasts.

Importantly, most attacks do not involve breaking into Salesforce itself. Instead, they rely on phishing, stolen credentials, or users unknowingly granting access to malicious applications.

Salesforce has recently introduced stronger controls around connected apps and OAuth access, helping organisations better manage how third-party tools connect to their environments. While these improvements strengthen the platform, security still depends on how well organisations manage user access, integrations, and overall governance.

In this newsletter, we highlight common phishing risks targeting Salesforce and outline practical steps to reduce exposure.

How Phishing Attacks Target Salesforce

Many Salesforce-related security incidents begin with relatively simple tactics that exploit user trust rather than technical vulnerabilities.

Fake login pages

Attackers send emails that appear to come from Salesforce or an internal IT team, prompting users to log in via a link. These links lead to phishing sites designed to capture credentials.

Malicious connected apps

Users may be asked to authorise a third-party application that claims to enhance productivity or reporting. Once authorised via OAuth, the app can potentially access Salesforce data without needing the user’s password again.

Credential reuse and API access

If attackers obtain valid credentials, they can access Salesforce through the API and extract large amounts of data very quickly using automated scripts.

Mobile phishing (smishing and vishing)

With many users accessing Salesforce from mobile devices, phishing attempts via SMS or phone calls are becoming increasingly common. On mobile devices, it is easier for users to overlook suspicious URLs or approve unexpected login requests.

Practical Steps to Reduce Risk

Organisations can significantly reduce their exposure to phishing attacks by implementing a few key controls:

Restrict login access where possible

Use IP restrictions and session policies to limit where and how users can log in. Restricting access to trusted network IP ranges can significantly reduce the risk of unauthorised access if user credentials are compromised.

Review connected applications regularly

Audit authorised connected apps and their OAuth policies, track login attempts from uninstalled apps, and remove integrations that are no longer required.

Apply the principle of least privilege

Avoid granting excessive permissions such as “Modify All Data” unless absolutely necessary.

Run periodic Salesforce security Health Checks

Salesforce provides built-in tools such as Health Check, Login History, and Setup Audit Trail to help organisations monitor their security posture.

Implement Salesforce Authenticator

If you are not using SSO, Salesforce Authenticator provides an additional layer of security through two-step verification.


What To Do If You Suspect a Compromise

If suspicious activity is detected, organisations should act quickly:

  1. Inform your IT department.
  2. Review login history and audit logs to identify the source of access.
  3. If you are not using SSO, reset the user’s password; otherwise, your IT team can help secure the affected user’s account.
  4. Revoke active sessions and OAuth tokens.
  5. Disable suspicious connected applications.

If suspicious activity is detected, Salesforce Support can assist with deeper investigation using detailed event logs and activity analysis. For more information visit the Salesforce Help Article.
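As an added example (not part of the original newsletter), the following Python script triages a constructed Login History export for the signals steps 2 to 5 above are looking for: successful logins from outside a trusted IP range, logins by connected apps that are not on an allow-list, and repeated failed logins. Column names follow Salesforce's LoginHistory object; the sample rows, the trusted range and the app allow-list are all invented for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample export. Columns mirror the LoginHistory object
# (LoginTime, UserId, SourceIp, LoginType, Status, Application); every
# row, user id and IP below is made up and not a real record.
SAMPLE_LOGIN_HISTORY = """LoginTime,UserId,SourceIp,LoginType,Status,Application
2024-05-01T08:02:11Z,005xx0000001AAA,10.20.30.41,Application,Success,Browser
2024-05-01T08:05:47Z,005xx0000001AAA,10.20.30.41,Remote Access 2.0,Success,Salesforce for iOS
2024-05-01T23:14:02Z,005xx0000001AAA,203.0.113.77,Other Apex API,Success,Data Loader
2024-05-01T23:14:05Z,005xx0000001AAA,203.0.113.77,Remote Access 2.0,Success,Quick Report Helper
2024-05-02T02:31:19Z,005xx0000002BBB,198.51.100.9,Application,Invalid Password,Browser
2024-05-02T02:31:40Z,005xx0000002BBB,198.51.100.9,Application,Invalid Password,Browser
"""

TRUSTED_RANGES = ["10.20.30.0/24"]                                # assumed corporate range
APPROVED_APPS = {"Browser", "Salesforce for iOS", "Data Loader"}  # assumed allow-list


def triage_login_history(csv_text, trusted_ranges=TRUSTED_RANGES,
                         approved_apps=APPROVED_APPS, failure_threshold=2):
    """Return (UserId, SourceIp, reason) tuples that merit a closer look."""
    nets = [ipaddress.ip_network(n) for n in trusted_ranges]
    findings = []
    failed = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["UserId"], row["SourceIp"])
        if row["Status"] != "Success":
            failed[key] += 1  # counted per user/IP; reported once below
            continue
        addr = ipaddress.ip_address(row["SourceIp"])
        if not any(addr in net for net in nets):
            findings.append(key + (
                f"successful login from untrusted IP via {row['LoginType']}",))
        if row["Application"] not in approved_apps:
            findings.append(key + (f"unapproved connected app: {row['Application']}",))
    for key, count in failed.items():
        if count >= failure_threshold:
            findings.append(key + (f"{count} failed logins",))
    return findings


if __name__ == "__main__":
    for user_id, source_ip, reason in triage_login_history(SAMPLE_LOGIN_HISTORY):
        print(f"{user_id} {source_ip}: {reason}")
```

Each finding maps to a response step: untrusted-IP and unapproved-app hits are the sessions and OAuth tokens to revoke (steps 4 and 5), and the failed-login cluster is the account whose password or SSO identity needs securing (step 3).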

Final Thoughts

Salesforce provides powerful security capabilities, but protecting an organisation’s data ultimately depends on how those controls are configured and governed. As phishing techniques continue to evolve, regular security reviews, user awareness, and careful management of integrations remain essential for keeping Salesforce environments secure.

Please reach out to us if you would like help reviewing your Salesforce security posture or have any concerns.

-> enquiries@iqlink.co.uk