The Latest Cyber-Threat—Boss Phishing

Years ago, the most complex email fraud going around was a message claiming to be from a prince in the Democratic Republic of the Congo who had misplaced the family fortune of diamonds … but if you would pay his processing fee of $10,000 he could get it back and share it with you.

Cyber crime has evolved since those days, continuing to develop ever more sophisticated threats to our technological security. The latest is called "Boss Phishing."

This practice is a tactical, well-thought-out and extremely methodical ploy.

Here's how it works. The criminal registers a fake domain resembling that of your organization. It's usually one letter or a word off, but close enough to pass a casual glance. From there a fake email account is created, and that's when it gets devious. The perpetrator of this kind of fraud trolls public records, social media and your website looking for who's the boss (not Tony Danza) and the name of the accountant.

In advanced examples, I have seen specific projects mentioned, which adds even more credence to the attack. For example, "Tom (accountant) send me 25,750 dollars to the account below so I can pick up more concrete for the Johnson project in St Pete from Bob (the boss)." 

Most targets avoid this fraud by consulting an IT professional or by noticing the domain is off. But some organizations, where the corporate culture may dictate that you do what the boss says, no matter what, might fall victim to this attack. For other organizations, it might be standard operating procedure to frequently move cash around. 
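Noticing that the domain is off is a check a mail filter can run before a person ever sees the message. The following Python sketch is an added illustration, not code from this article or from Aegis Business Technologies; it flags a sender whose domain is one letter or one word off from your own. The domain `acmeconcrete.example` and the function names are constructed for the example, and it assumes domains of the simple form name.ending.

```python
from email.utils import parseaddr


def edit_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "no" typed where "on" belongs.
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, our_domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a From: header."""
    address = parseaddr(from_header)[1].lower()
    domain = address.rpartition("@")[2]
    ours = our_domain.lower()
    if domain == ours:
        return "internal"
    # Assumption: both domains look like name.ending (no subdomains).
    label = domain.partition(".")[0]
    our_label = ours.partition(".")[0]
    one_letter_off = edit_distance(label, our_label) == 1
    one_word_off = our_label in label and label != our_label
    return "lookalike" if one_letter_off or one_word_off else "external"


if __name__ == "__main__":
    # Constructed sample headers; none of these are real senders.
    samples = [
        "Bob <bob@acmeconcrete.example>",
        "Bob <bob@acmeconcrette.example>",
        "Bob <bob@acmeconcrete-billing.example>",
        "Sales <sales@supplier.example>",
    ]
    for header in samples:
        print(classify_sender(header, "acmeconcrete.example"), header)
```

A message classified as `lookalike` is a good candidate for quarantine or a warning banner rather than silent delivery.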

We have a pretty thick layer of checks and balances at our firm, so we have had some good laughs over the question of what we would do if the boss asked a member of the executive team to send a large sum of cash. The answer would be, "No." (No ma'am, that is.)

A common misconception is that you have been “hacked” if you get this kind of email. You have not. Simply do not reply to the email. Contact your IT professional and report the incident to our friends at the Florida Department of Law Enforcement – Cyber Crimes unit.

Let me know if you have any questions, and be safe out there! 

Blake H. Dowling is chief business development officer for Aegis Business Technologies. He writes and consults for a variety of local organizations. You can reach him at
