Salesforce.com is warning customers that they may be the targets of malicious software or phishing scams, after one of its employees was tricked into divulging a corporate password.

In a note to customers, Salesforce said that online criminals have been sending customers fake invoices and, starting just a few days ago, viruses and key logging software. The e-mails were sent using information that was illegally obtained from Salesforce.com.

The San Francisco-based firm, which has offices in Europe, Latin America, Japan and Australia, insisted that the embarrassing incident had not originated from an application or database “security flaw” at Salesforce.

It said that confidential details leaked via the scam included “first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com”.

In addition, “a few days ago, a new wave of phishing attempts that included attached malware — software that secretly installs viruses or key loggers — appeared and seemed to be targeted at a broader group of customers,” the company disclosed in the notice.

“That’s why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness.”