Fake Interpol Emails Trick Victims into Downloading Ransomware
Bitdefender’s antispam researchers have sounded the alarm on a dangerous new phishing campaign that uses fear and urgency to target small businesses.
By impersonating Interpol law enforcement, attackers are sending fake investigative emails that claim “suspicious or potentially fraudulent activities” with an included link to the supposed “evidence.”
Once clicked, instead of Interpol evidence, the victim is met with ransomware that locks down their computer and opens negotiations with the cybercriminals.
Here’s how it works and what you need to know to stay safe.
Summary
- Bitdefender has identified a new phishing campaign that impersonates Interpol authorities.
- The emails claim to contain evidence uncovered by Interpol, delivered via a malicious link.
- If clicked, the link installs ransomware on the victim’s computers.
- This Interpol phishing campaign targets small businesses across multiple sectors and regions, taking advantage of lower cybersecurity maturity in SMBs.
- Organizations can reduce risk through cybersecurity awareness training and layered security controls such as MFA and backup systems.
The Attack in Action
It starts with an urgent email. An Interpol investigation team claims it has uncovered some potentially fraudulent or suspicious activity associated with your organization during a compliance and security review.
The email urges the recipient to look into the matter to avoid potential financial, operational, reputational, or regulatory consequences.
The supposed “evidence” is provided through a Proton Drive link (a cloud-based storage service), along with the password needed to access the file. If the urgency wasn’t already a red flag, the combination of a password-protected file hosted on a file-sharing service should set off alarm bells (more on that below).
The email signs off by once again stressing the urgency of reviewing the evidence and requesting acknowledgment of receipt.
At first, it seems mostly official – as long as you ignore the urgency, the external link, and the fact that Interpol would never send an unsolicited email like this. For someone busy with their day-to-day work, it can be difficult to pick out these tells and can be an intimidating message. As Bitdefender’s Alina Bizga puts it, the email is “carefully crafted to create anxiety.”
Once the Porton Drive link is opened and the password is entered, the recipient becomes the victim as ransomware is downloaded onto their device. Files are quickly encrypted across the victim’s system before the following ransom message appears, according to Bitdefender’s researchers Viorel Vrabie and Andrei Mogage:
“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.
Do not delete any files or change their location. Do not scan your computer, as this may complicate the recovery process.
We are available only through Tox.”
Instead of demanding a flat ransom, the attackers use a third-party messaging platform to negotiate the ransom based on the organization’s size, the value of the data, and how much they believe the victim can actually pay. And as Bizga notes, “this approach has become increasingly common among ransomware operators.”
Altogether, this campaign uses classic phishing tactics such as urgency, fear, and the impersonation of authority. By targeting small businesses, attackers are counting on organizations that may not be prepared, with employees lacking cyber awareness training.
Who Is the Attack Targeting?
This Interpol phishing campaign targets small businesses across multiple industries and regions. Bitdefender has specifically observed attacks against the agriculture, technology, media, legal, and pharmaceutical sectors across the US, Europe, Asia, and the Middle East.
Why Small Businesses?
Just because a business is small doesn’t mean it’s not a target – quite the opposite.
Small businesses typically don’t have the resources that larger organizations do regarding cybersecurity. Just look at the average salary for a chief information security officer (CISO), which is between $250,000 and $400,000, according to Sophos and Cybersecurity Ventures’ annual 2026 CISO Report. For many small and midsize businesses (SMBs), that price is simply not realistic.
Then there’s the nature of how SMBs function. Compared to a larger enterprise with stricter permission hierarchies and access controls, SMBs typically have broader user permissions that allow smaller teams more flexibility. That means if one account is compromised, attackers can move through an entire organization much faster.
Add in the fact that many SMBs lack formal cybersecurity training programs, advanced tools, and dedicated IT staff, and the picture becomes clear.
It’s this lack of security maturity that the Interpol phishing campaign targets.
How You Can Stay Safe
Humans are far from infallible, and it’s our mistakes that lead to many security incidents. While no one is perfect, there are several ways you can improve the chances of spotting a phishing attack like this Interpol campaign.
- Provide consistent cyber awareness training: Regular security training has been shown to reduce employee-driven security incidents and breaches by up to 70%.
- Use multi-factor authentication (MFA): Multi-factor authentication is one of the easiest security measures to implement and can prevent up to 99.9% of account-based attacks.
- Keep software up to date: Software updates close security vulnerabilities that leave you open to attack.
- Use backup solutions: A robust backup solution means having reliable copies of your most important data that can be restored during an emergency.
- Know the signs: Urgent language in unsolicited emails from law enforcement (like Interpol) is a classic sign of phishing. Also watch out for anything that redirects you to a different website or prompts you to log in through an unfamiliar portal.
- Work with a managed service provider (MSP): By working with dedicated IT professionals, you can take the pressure and workload off your shoulders. MSPs offer everything covered above and more, typically at a monthly service fee.
What to Do If You Open a Malicious Link
Phishing attacks such as this Interpol campaign are designed to exploit human psychology, and they’re becoming increasingly harder to spot. Even the most cyber-savvy can still fall for one of these attacks.
We have an entire guide covering what to do if the worst happens, but here’s a quick rundown:
- Don’t panic: Mistakes happen, and staying calm will help you resolve the issue faster.
- Run a full security scan: Scanning your device is critical to identifying malware.
- Let IT know immediately: The sooner IT can isolate the affected system, the better the chances of limiting the damage.
- Tell your coworkers: Let your team know what happened so they can avoid the same phishing email and report it if they receive it.
- Change your passwords from another device: If your credentials may have been harvested, use a different device to update your passwords.
- Look out for suspicious activity: Watch for unusual logins, unauthorized account access, unexpected financial transactions, or other activity you don’t recognize.
The 20 MSP Keeps Small Businesses Secure
Staying secure can feel like a full-time job. For us, it is.
The 20 MSP offers our clients 24/7/365 security and support, including cybersecurity training, reliable backup systems, and advanced security software.
For a flat-rate monthly fee (and we truly mean flat-rate), you can keep your business secure without having to worry about staying on top of everything yourself.
If you need help keeping your business secure from cyberthreats, reach out today.
Want more tips like this?
Subscribe using the form on the right and get our latest insights delivered straight to your inbox.
About The 20 MSP
As a leading provider of managed IT services, The 20 MSP serves thousands of businesses nationwide, providing each one with white-glove service, secure and streamlined IT infrastructure, and 24/7/365 dedicated IT support. We believe in building lasting relationships with clients founded on trust, communication, and the delivery of high-value services for a fair and predictable price. Our clients’ success is our success, and we are committed to helping each and every organization we serve leverage technology to secure a competitive advantage and achieve new growth.

