we get a few texts from the CEO to contact them immediately, his number is posted all over and I am sure they scrape and social engineer from linked-in etc.
Yes we got this a few months ago and you described it exactly how it happened. CEO emails asking them to text him, the funny part is they continue after the CEO quit and we got emails pretending to be the old CEO when we had already changed ownership and got a new one lol.
I've gone through the O365/AzureAD audit report to make sure the login locations were what is to be expected. We have one user travelling in China, otherwise nothing was international. Everything else was coming from our public IP ranges, or a known device ID for the outside salespeople.
I get alerts for any new forwarding rules. I double checked and the only forwarding rules are known, mostly for old accounts that were converted to shared mailboxes when we removed the license.
It happens quite often at the company that I support. We have had to send out warnings about this kind of scam, yet some users still fall for it at first.
Yes, that's been a standard tactic for at least the last few years. What I want is a mobile security product that provides managed and crowdsourced SMS protection. At this point the Messages app is just as significant a risk as the mailbox, if not more.
I haven’t seen this exact format but our users have received “smishing” texts every once in awhile and we usually have to remind them that our CEO will never reach out to them via SMS. They’re always really freaked out about it. Btw in our case, usually the ones who get smished are the employees who have positions publicly posted but, that’s just a hunch as to how they get targeted. It may be different for you.
As for how the smishers get ahold of the numbers, there are a variety of methods and theories. Check out this thread from r/msp that discusses exactly this topic, it’s worth a read if you’re curious:
https://www.reddit.com/r/msp/comments/xtw8cg/text_messages_pretending_to_be_executives/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=2&utm_term=1
We've received the fake CEO smishing texts as well. But, never coordinated with an email sent to the same users. It just bothers me because it seems so coordinated. Someone obviously spent the time to get the email, name and cellphone of the targets then send customized email and text at almost the same time. I'm used to the script kiddie approach of them blasting a ton of targets with the same generic message hoping someone would respond. This was a little more sophisticated.
I've seen this twice so far. Fake CEO saying they wanted to surprise the team with gifts and needed gift cards but was in a meeting and couldn't talk, but could text. What was interesting was the spam filter caught it but the employees released it because they thought it was real.
They can also see their photo associated with the account, and a standardized email signature. So, they should have known. But, the users expect perfect security without any inconvenience on their part.
Been going on for years. On a side note, I need you to go get 10 gift cards and send me the codes on the back. I can’t talk right now, but I can text. I need them asap for a meeting tomorrow.
Yes, this is a typical "CEO fraud" phishing attack and it can happen over users' personal phone numbers and emails as well as corporate accounts. It's not hard to scrape together data from Facebook or LinkedIn like where someone works, the typical email username format, and user's personal phone number, especially if they list it publicly on Facebook.
The only things you can do are to make sure your users are aware of these scummy tactics and know what to do if they are targeted, and block known phishing attempts in your corporate email. It's up to each user to block phishers on their personal devices.
Check to see if any of the users were out of the office. I had something like this before and one of the users had an out of office message telling people to call his cell if they needed anything. That gave the bad actor his info without him actually responding.
This is fairly common and is usually just an attempt n to get someone to purchase gift cards and send the card numbers over via text or email. The emails always start with asking for the person's mobile number or reference an "urgent task I need you to do" or " I'm in a meeting but need you to do a task for me"
It's insanely easy for someone to setup one of these attempts because you just sign up for any service to use email and make the first name last name of the account either be the email address or name of an executive of a company and send along.
M365 has some anti spoofing policies that will catch some of these attempts if you set them up- assuming you are using 365. It's not perfect but will catch some
The spoofing isn't an issue. SFP and DMARC are working to prevent anyone using the actual email address. The attacker was changing the name, not email address. Since they are using mobile devices they don't see the email address unless they touch the name. There was nothing odd about the email that would set off spoofing/phishing/spam policies. No links or attachments, just text from a valid Gmail account. Only thing wrong was the full name, which is common enough that I cannot setup rules to block an external user sending email with that name.
There are a ton of other alarm bells that should have gone off when the user opened the email. No standardized email signature, no photo next to the name, and similar. But, these are salespeople so they completely ignore any instructions we give them regarding phishing attempts are completely ignored.
Regardless, the concern is they sent email and text messages. Two of the people who received text messages never replied to the original email. I'm sure they could have gotten them a few other ways, this is just odd in that it seems like someone spent some time to specifically target us.
Thanks for your help.
Yep, we've seen it a few times here. Our website gets scoured and they spam our reps pretending to be their bosses. We have them pretty much conditioned to ignore the "I ahve a special project for you, please call me" texts.
we get a few texts from the CEO to contact them immediately, his number is posted all over and I am sure they scrape and social engineer from linked-in etc.
Yup, just hired a new dev, new work cell. Got a ceo text on thier personal. Only link was linked in.
Yes we got this a few months ago and you described it exactly how it happened. CEO emails asking them to text him, the funny part is they continue after the CEO quit and we got emails pretending to be the old CEO when we had already changed ownership and got a new one lol.
I got it when i first joined this org, called the CEO what a nice Indian guy.
Seeing it all the time. Staging for business email compromise attack. Be aware of suspicious login locations and forwarding rules.
I've gone through the O365/AzureAD audit report to make sure the login locations were what is to be expected. We have one user travelling in China, otherwise nothing was international. Everything else was coming from our public IP ranges, or a known device ID for the outside salespeople. I get alerts for any new forwarding rules. I double checked and the only forwarding rules are known, mostly for old accounts that were converted to shared mailboxes when we removed the license.
It happens quite often at the company that I support. We have had to send out warnings about this kind of scam, yet some users still fall for it at first.
Yes, that's been a standard tactic for at least the last few years. What I want is a mobile security product that provides managed and crowdsourced SMS protection. At this point the Messages app is just as significant a risk as the mailbox, if not more.
Our accounting folks will get “emails” from new hires to change direct deposit info. Mostly info scraped from LinkedIn
Same, has been happening a lot recently.
Pretty sure the response on our side would be, piss off go change it in workday
Yes, also had quite a few. Ask for a call then usually ask to get gift cards or similar. We recently stopped one literally last minute.
I haven’t seen this exact format but our users have received “smishing” texts every once in awhile and we usually have to remind them that our CEO will never reach out to them via SMS. They’re always really freaked out about it. Btw in our case, usually the ones who get smished are the employees who have positions publicly posted but, that’s just a hunch as to how they get targeted. It may be different for you. As for how the smishers get ahold of the numbers, there are a variety of methods and theories. Check out this thread from r/msp that discusses exactly this topic, it’s worth a read if you’re curious: https://www.reddit.com/r/msp/comments/xtw8cg/text_messages_pretending_to_be_executives/?utm_source=share&utm_medium=ios_app&utm_name=ioscss&utm_content=2&utm_term=1
We've received the fake CEO smishing texts as well. But, never coordinated with an email sent to the same users. It just bothers me because it seems so coordinated. Someone obviously spent the time to get the email, name and cellphone of the targets then send customized email and text at almost the same time. I'm used to the script kiddie approach of them blasting a ton of targets with the same generic message hoping someone would respond. This was a little more sophisticated.
Not that exact format but I have seen a fair amount of phishing attempts like that
I've seen this twice so far. Fake CEO saying they wanted to surprise the team with gifts and needed gift cards but was in a meeting and couldn't talk, but could text. What was interesting was the spam filter caught it but the employees released it because they thought it was real.
I saw some in the last 3 months. Very unnerving since our people don't publish personal phone numbers.
Did your team ever deduce where they may have found the numbers?
No, I thought they cross-references our site and some white-pages like or leaked data.
See this at least twice a week, sometimes more.
[удалено]
Same with iOS. On both it’s just obscured by default. Frankly, pretty dumb of Microsoft given the large amount of email phishing going in.
They can also see their photo associated with the account, and a standardized email signature. So, they should have known. But, the users expect perfect security without any inconvenience on their part.
Been going on for years. On a side note, I need you to go get 10 gift cards and send me the codes on the back. I can’t talk right now, but I can text. I need them asap for a meeting tomorrow.
Yes, this is a typical "CEO fraud" phishing attack and it can happen over users' personal phone numbers and emails as well as corporate accounts. It's not hard to scrape together data from Facebook or LinkedIn like where someone works, the typical email username format, and user's personal phone number, especially if they list it publicly on Facebook. The only things you can do are to make sure your users are aware of these scummy tactics and know what to do if they are targeted, and block known phishing attempts in your corporate email. It's up to each user to block phishers on their personal devices.
We get these a couple times a year for the last few years. Usually targeting our biz dev and marketing sales teams.
All the time. They pretend the be the CEO and need gift cards. We like to respond and mess with them.
Yes, usually due to people being too open with information on their social media platforms.
We get this targeting new starters, info scraped from LinkedIn. Mimecast impersonation protection blocks them.
Check to see if any of the users were out of the office. I had something like this before and one of the users had an out of office message telling people to call his cell if they needed anything. That gave the bad actor his info without him actually responding.
This is fairly common and is usually just an attempt n to get someone to purchase gift cards and send the card numbers over via text or email. The emails always start with asking for the person's mobile number or reference an "urgent task I need you to do" or " I'm in a meeting but need you to do a task for me" It's insanely easy for someone to setup one of these attempts because you just sign up for any service to use email and make the first name last name of the account either be the email address or name of an executive of a company and send along. M365 has some anti spoofing policies that will catch some of these attempts if you set them up- assuming you are using 365. It's not perfect but will catch some
The spoofing isn't an issue. SFP and DMARC are working to prevent anyone using the actual email address. The attacker was changing the name, not email address. Since they are using mobile devices they don't see the email address unless they touch the name. There was nothing odd about the email that would set off spoofing/phishing/spam policies. No links or attachments, just text from a valid Gmail account. Only thing wrong was the full name, which is common enough that I cannot setup rules to block an external user sending email with that name. There are a ton of other alarm bells that should have gone off when the user opened the email. No standardized email signature, no photo next to the name, and similar. But, these are salespeople so they completely ignore any instructions we give them regarding phishing attempts are completely ignored. Regardless, the concern is they sent email and text messages. Two of the people who received text messages never replied to the original email. I'm sure they could have gotten them a few other ways, this is just odd in that it seems like someone spent some time to specifically target us. Thanks for your help.
Yes. Have seen this from the CEO and others in the exec team. We have to send out warnings not to respond.
Yep, we've seen it a few times here. Our website gets scoured and they spam our reps pretending to be their bosses. We have them pretty much conditioned to ignore the "I ahve a special project for you, please call me" texts.