Is That Text from Your Director Really from Your Director?
It's 10am on a Tuesday. One of your staff gets a text that looks like it's from you. You're apparently out visiting clients, someone dropped the ball on gift cards for the team, and you need six $200 gift cards bought urgently. You'll be unreachable for a couple of hours - meetings - but you'll reimburse them by end of day. The message sounds like you. It has your name. It has a plausible reason. And it's marked urgent.
A surprising number of employees act on exactly this kind of message without stopping to check. The scammer isn't guessing wildly either. They've looked up your business, found out who's in charge, and crafted a message that feels plausible. The gift cards get bought, the numbers get texted back, and the money is gone. The employee is out of pocket. And the real you had no idea any of it happened.
This works because it's designed to work. Scammers use urgency and authority together. The message tells the employee that their director needs help right now, and that checking back isn't possible. That combination - pressure plus a blocked verification path - is intentional. It short-circuits the moment of doubt that would otherwise save someone from acting. The emotion of wanting to help, or not wanting to let someone down, does the rest. Security researchers estimate that without regular awareness training, roughly one in three employees will engage with a phishing message in some form. The more convincing the message, the worse that number gets.
The fix isn't complicated, but it does need to be deliberate. Staff need a simple, practised habit: any request involving money, gift cards, account changes, or urgent action gets verified through a separate channel before anything happens. Not a reply to the message. A phone call, a walk down the hall, or a message through a different platform. This one habit stops most of these scams cold. Regular training - run at least annually and updated as scam tactics evolve - keeps that habit fresh. It also helps staff recognise the warning signs before they're under pressure, rather than after.
If your team hasn't had a proper security awareness session recently, treat that as a gap to close. Phishing scams targeting staff through impersonation have become more convincing, not less. A well-run cyber security programme includes staff training as a core layer, not an afterthought. The technical defences matter, but a staff member who pauses and checks is one of the most effective protections a business has.
ITstuffed works with professional services businesses in Canterbury on exactly this kind of preparation. If you'd like a quick conversation about where your team stands, a 15-minute IT Fit Check is a good place to start.