It’s week two of Cybersecurity Awareness Month and this week’s theme is “Fight the Phish!” 

Being a veteran computer and network security (cybersecurity) guy, this is a personally embarrassing story but it’s one that needs to be told as I server myself a slice of humble pie. I should have been more paranoid (is that an occupational hazard, or a job requirement?).

I was starting a new position and was out and about. I got an email from one of the executives on my phone, which had access to the corporate email server. The subject was… “I need a quick response.”

I normally don’t have a lot of interaction with my companies’ executives, but it happens.

I opened the email.

The message was, “Please send me your cell phone number.” I should have looked deeper into the From: field, but it was on the corporate mail system. The signature block looked correct.

I can think of reasons why an executive could send me an email, but not necessarily have easy access to my non-email contact info. I sent my number.

Then I received a text message. It said they were on a conference call, and that I needed to perform an urgent task.

At this point, I was a bit confused, which should really have sent my paranoia off the scale. But, I had never met this executive before. I asked what they needed.

The response was, “I need to get her a physical card. Can you check any store close to you there and text me from there?”

Okay, now I’m suspicious!

I asked, “What are physical cards, and who is ‘her’?”

The response was, “gift cards, a client.”

At this point, I knew I had made a mistake. I called my boss as I ran back to my desk and checked my email there.

What my laptop’s email client showed me that my phone did not was the sender’s email address. Someone had spoofed the executive’s email with a gmail.com address, not a corporate email address.

I was moments away from falling for a gift card scam. After all this time, it still stings.

How could all this have been avoided?

• You can verify unfamiliar email addresses on your phone (and desktop email clients)!
  • It helps if your phone’s email client shows the sender’s actual address and not just a name. Even if it doesn’t, replying to the message or trying to add the sender to your contacts could give you greater visibility to the underlying email address.
• Your company can have email security monitoring tools that can look for email addresses that don’t match corporate/internal users and email addresses, and block them, or at least alert you that it could be forged.

As my boss told me, this can happen to anyone, even YOU!

What can you do if you think you are being scammed?

Take a deep breath. Don’t panic. Look at the situation and think it through with a good dose of suspicion.

In this case, I gave my phone number to a scammer. It was the unusual task that tipped me off.

Thinking about the situation, executives tend to have assistants to take care of such things.

If your position is not executive assistant, or something similar, running errands is not usually a reasonable request, especially if you’re not in the same building with the executive who ‘needs’ you.

What should you do once you know you are being tricked?

Stop the communication! Block the sender (email / phone number), if you can.

I reported the email to the security team. I reported the scammer’s phone number to my wireless carrier.

Fortunately, I did not need to get a new phone number. That would have been annoying, as I’d had that number for a while!

This happened to me once.

The final step is to forgive myself and be happy that it wasn’t worse.

This is the first post in my series for MFGS Inc.’s Cybersecurity Awareness Month 2021 initiative, dedicated to sharing government-focused thought leadership, events, and resources around current cyber trends, as well as our available solutions, in order to help agencies securely achieve their missions.