I'm the CEO of a 35-person company. Today, a new-ish employee on our team got a text from a random phone number, claiming to be me. She flagged it in Slack as spam, but it made me wonder...<p>Naive question: How did these spammers get my new employee's phone number? To send the text, they must have known that she started at my company, reporting to me, and gotten her phone number. I understand that it's easy to get emails of new employees since we each have a similar email address pattern, but a phone number seems more difficult. If I search her phone number online, it's not listed anywhere publicly. Is there any way to protect our employees from phishing attempts via text?
Not necessarily. It can just be coincidence. It happened to me on a different occasion, where I helped a 60-year-old set up online dating. She was very active without care. So her contact book was accessed by some dating app, and then I got a few unwanted WhatsApp calls from foreign numbers.<p>So maybe she told a few people her new work number. They saved it to their devices, which had a malicious app running.<p>You're not necessarily compromised. Maybe her contact is listed on your webpage? That happened to me too, where the employer decided to put a clear-text href email address publicly on the website. The machinery acted quickly. By finding information like "sales" or "customer service", connections can be made. So phishing is more effective.<p>But still. For me, it would be an alarm sign to trigger an investigation. If there is no public listing of contact information, then it's likely in the inner rings. Because... knowing that you're CEO and writing in your name to a new mobile number, it looks like spearphishing.<p>The only way to protect is to train, train, train. Why did she mark it as spam in Slack? Because she used her suspicion and her feelings. Let her tell the others how she came to the conclusion it's spam. There won't be much she will tell (I think), but it will raise sensitivity with others, because they'll remember the story.
Often it isn't you that is leaking data but one of your suppliers or customers, who also have contact info of your employees. If you have many suppliers and customers, you can be sure that the names, positions and contact information of your employees are available to hostile third parties at some point.<p>It could also be data from a broker, because those do sell such data as well and online services sadly do not care too much for privacy.<p>We often get spam where attackers even faked our mail signatures (the one you put at the end of your mail, not the signature to verify your domain).<p>"That cannot be a real mail from the boss, he would never be that friendly"
If this is her personal phone number, then it's likely available from any number of "legitimate" data brokers; plus it would likely be part of various database dumps you can buy on the dark web. It's pretty easy for someone who knows what they're doing to spend a few minutes of research on social media to find several employees of a small company, look up their personal contact info, and message them claiming to be the company's CEO.<p>To protect your employees, let them know that either a) you'll never call or text their personal phone number; or b) if you call or text, it will always be from a known good phone number (which they can put in their phone's contacts).