Not Every “Boss” is a Real Boss. You Could’ve Gotten This Email Too.

Some scams come quietly. Without viruses, threatening language or red exclamation marks.

We at ASData have our own experience with this. A situation happened to us that you’d usually expect from cybercriminals targeting big banks. Someone decided to pretend to be our boss and not in a simple way.

“Hello,
Do you have a moment? I’d like to work with you on an important task.
Please reply to my email and include your personal phone number so I can provide you with more information.
Thank you.
Štefan Chochláč”

The email was fairly well-prepared. The name and signature matched, and the tone of the message was neutral and appropriate for a collaboration request. The only inconsistency was the sender’s unofficial email address, which didn’t match our company domain. Instead, the email came from priacovnymail@gmail.com.

The email didn’t contain any viruses or malicious attachments. It was simply a polite offer to collaborate. However, this could have been just the first step in a larger scam. The attacker may try to build trust first and then follow up with more dangerous requests, such as links to harmful software, demands for sensitive information, or fake invoices.

This type of attack is called email impersonation. It means pretending to be someone else in an online environment. Attackers create emails that appear to come from a trusted person, whether it’s a boss, a colleague, a client, or a well-known brand.

It’s not always about hacking into someone’s account. In most cases, the scammer simply creates a similar-looking email address, often by changing the domain or altering a single character, hoping the recipient won’t notice. Unfortunately, they often succeed.

Similar incidents happen to large companies like Tatra Banka, Microsoft, Facebook, and Google. Scam emails are sent in their name, asking people to enter login details, confirm payments, or click on suspicious links.

While it’s not something we’re happy about, we realize that if it happened to us, a relatively small company, it can happen to anyone. That’s exactly why we’ve decided to speak up about it.

Here are a few key practices that can help protect both you and your company:

1. Always double-check the email address
   Don’t rely on just the display name. Click on the sender’s name to see the full email address. If it doesn’t match your company domain, be cautious.
2. Verify unusual requests
   If your colleague, boss, or client asks for something out of the ordinary, contact them through another channel like Slack, Teams, SMS, or a phone call.
3. Never send sensitive data via email
   Do not share passwords, personal information, or payment details over email.
4. Use company email addresses with your own domain
   Email addresses like name@companyname.com look more trustworthy and are harder to spoof.
5. Enable two-factor authentication (2FA)
   Not just for email, but for all accounts where possible. It adds an extra layer of protection and reduces the risk of unauthorized access.

In the (online) world, where an email can easily deceive even an experienced user, it pays to be paranoidly cautious now more than ever.

At ASData, we experienced this firsthand and that’s exactly why we decided to share this story publicly. Not out of fear, but because the only real defense is awareness. Be careful about who’s contacting you, and don’t blindly trust any message even if it seems to come from a legitimate source.

Have you had a similar experience or questions about online security? Write to us or reach out to experts. Your digital space deserves to be protected.