If you haven’t noticed, social engineering email is getting more realistic and harder for people to detect.
For the last decade in IT, email has been a very big source of hacker activity and success. People continue to fall prey to social engineering attacks, and it’s hard to fault them these days. For example, one person was emailing someone they thought was legitimate, but it was a hacker. They were about to send money but then realized that something was off. They contacted the person they thought they were communicating with and confirmed it was a hacker.
Executives and VIPs in companies are often targeted, and this has been increasingly difficult for companies. Protection after protection is rolled out, and hackers find a way to bypass those protections. At many companies, email threats are the #1 way that problems happen, and it is entirely preventable.
What I have seen is that when employees don’t have a clear sense of communication and boundaries, things like this happen. No one in a company should expect the CEO to email or text them. If the CEO needs something, they should send for that person so that communication is clear. In addition, companies that do simulations and testing need to let the IT department know when this is done. At one company I received a suspicious email, and I asked in a group meeting if anyone else had received it, and the security guy asked to talk to me privately. If you let your IT staff know, then they won’t try to protect the company like I was doing.
Suspect everyone that you do business with, and only transfer money when you have called the person and it is clear that you are talking to a responsible person. Don’t trust that other people will protect you. When other companies get hacked, you get spam/malware, and that is your responsibility as well. If something seems off, call the person and ask.