Just when I thought I’d seen it all, a new phishing email landed in the official inbox of our small home office (SOHO) business, where my wife and I are directors. It was shockingly personalized and convincing—a true masterclass in social engineering.

The email appeared to be from my wife, instructing a wire transfer of ₹4.8 lakhs (about USD 5,760). If an accountant or assistant with access to our funds had received this, they might have acted immediately, thinking it was an urgent request from the boss.

The message was carefully crafted to sound urgent and personal: “Sent from my iPhone”, “I was in a rush,” “Urgent reminder from the recipient,” “My meeting has just started.” It ended with a request for confirmation—likely to ensure they have you engaged before sharing the account details. After all, why waste a good “mule account” by sharing it with just anyone?

There were subtle giveaways for the tech-savvy. It was purposely not perfect—the fraudsters don’t want to waste their time on the smart and careful. The sender’s email wasn’t my wife’s but a random Gmail address, and she is not using an iPhone. Microsoft 365 had flagged it as junk. Plus, my wife wouldn’t mention a refund via check to her own business. And let’s be honest, if she needed something done, she wouldn’t be this patient and polite to me!

A few weeks before this, my assistant received a WhatsApp message from an account using my wife’s name and her photograph as the profile picture, asking inconspicuous questions about his tasks for the day. He responded with details and even a photo of a payment he’d made before realizing the number was unfamiliar. Fortunately, he called my wife immediately, and we avoided any damage.

It’s both fascinating and unsettling how sophisticated and personalized these fraud attempts have become. As a technology optimist, I believe the same AI techniques used to create these scams can also help protect us.

What can we do?

  1. Always verify unusual payment requests through a different channel.
  2. Check sender email addresses carefully.
  3. Be wary of urgent financial requests, especially during “meetings.”
  4. Trust your instincts—if something feels off, it probably is.
  5. Stay vigilant, and let’s use our human intelligence to outsmart these fraudsters.
  6. Most importantly, without delay, even if you’re not a victim, report scam details to your local law enforcement portals. Our lawyer advised that doing so not only helps others but also protects you from potential misuse of your identity and prevents you from being implicated in unrelated crimes. In India, you can use the National Cyber Crime Reporting Portal; it took my wife less than a minute to file a report about the WhatsApp phishing attempt impersonating her.
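
For readers who want to automate points 2 and 3, here is a small Python check. It is an example added to this post, not a tool we run in our office. It flags a message whose display name matches a known person but whose address is not theirs, and a message that combines urgency with a payment request. The names, addresses and sample emails are constructed for illustration, and the cue phrases are the ones quoted from the scam email above.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: people who may ask for payments, and their real addresses (constructed).
KNOWN_SENDERS = {"asha rao": {"asha@example-biz.in"}}
# Cue phrases quoted from the scam email described in this post.
URGENCY_CUES = ("urgent", "in a rush", "meeting has just started", "sent from my iphone")
PAYMENT_CUES = ("wire transfer", "payment", "refund")

def review_email(raw):
    """Return the reasons this message needs verification on another channel."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    name_key = " ".join(name.lower().split())
    addr = addr.lower()
    reasons = []
    # Point 2: a familiar display name on an unfamiliar address.
    allowed = KNOWN_SENDERS.get(name_key)
    if allowed is not None and addr not in allowed:
        reasons.append(f"'{name}' is a known name, but {addr} is not their address")
    # Point 3: urgency and a money request in the same message.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    urgent = [cue for cue in URGENCY_CUES if cue in body]
    money = [cue for cue in PAYMENT_CUES if cue in body]
    if urgent and money:
        reasons.append(f"urgent payment request (cues: {', '.join(urgent + money)})")
    return reasons

# Constructed sample messages, not the real email.
SCAM = """From: Asha Rao <a.rao.office77@gmail.com>
To: accounts@example-biz.in
Subject: Urgent reminder

I was in a rush. Please make a wire transfer of INR 4.8 lakhs today.
My meeting has just started, confirm by email.

Sent from my iPhone
"""
GENUINE = """From: Asha Rao <asha@example-biz.in>
To: accounts@example-biz.in
Subject: Lunch

Lunch at 1?
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM), ("genuine", GENUINE)):
        print(label, review_email(raw) or "no flags")
```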

Footnote:

Though not directly a solution to the above phishing scams, it is a good idea to use cyber security tools such as Mozilla Monitor, from the maker of Firefox, and Google Dark Web Report.

