Trusting third parties with our information

We’ve noticed a disturbing trend at our startup over the past 12 months or so. We’ve been growing and adding new team members, and almost without fail our new starters are hit with a scam email within a few days of joining the company. Here is one such example:

As you can see, the email appears to come from me and asks our team member to do a certain task. On closer inspection, though, the address the request came from is not mine, and the email is obviously trying to phish for more information in order to set up some sort of deeper scam.

Luckily, our team members are a really bright bunch, and so far no one has fallen for this scam, but as we grow this will become a bigger problem, so we have added a briefing about it to the onboarding flow for all new hires.

My view is that one of our third-party providers is leaking or selling our email information to some nefarious party, for the following reasons:

  • As a fully remote company, we use a lot of third-party services to manage our support, documentation, project management etc. All new hires have to sign up for about 5 or 6 different services using their newly assigned work email address

  • The main people being targeted are brand new employees with brand new email addresses, and they are usually hit with these requests within 48 hours of starting with us

  • The only employee who wasn’t the subject of these spam emails was a contractor who used her own existing email address and didn’t sign up for our other third-party services at all

So someone, somewhere, is getting hold of new email addresses in our organisation and targeting those team members, knowing that they are fresh starters who are probably not yet familiar with the way we work here and are thus more susceptible to falling for this trick.

We will shortly be setting up a ‘honeypot’ email address and slowly signing up to third-party services one by one over the course of several weeks, to see if we can narrow down just who is leaking or selling our data to the wider internet.
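A variation on the honeypot idea is to give every third-party service its own unique alias (plus-addressing on a single honeypot mailbox), so that whichever alias the scam arrives at names the leaking service directly instead of having to space the signups out over weeks. The script below is an added example and is not the author’s own tooling; the company domain, the honeypot mailbox name, the service names and tags, the staff directory and both sample messages are all constructed for illustration. It attributes an inbound message to a service via the alias it was delivered to, and flags the pattern described above: a From display name that matches a known staff member while the actual address does not.

```python
"""Honeypot-alias leak attribution plus a display-name spoof check for inbound mail."""
import email
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"   # assumed company domain
HONEYPOT_USER = "leaktrap"       # assumed local part of the honeypot mailbox

# Assumed third-party services the honeypot account is enrolled in, each with
# its own tag, so an address like leaktrap+svc-pm@example.com only ever goes
# to one vendor.
SERVICES = {
    "support-desk": "svc-support",
    "docs-wiki": "svc-docs",
    "pm-board": "svc-pm",
}

# Assumed staff directory: display name -> the only legitimate address for it.
KNOWN_STAFF = {"Alice Founder": "alice@example.com"}


def alias_for(service):
    """Return the unique plus-address to register with one service."""
    return f"{HONEYPOT_USER}+{SERVICES[service]}@{COMPANY_DOMAIN}"


def service_from_recipient(addr):
    """Reverse-map a recipient address to the service it was handed to, or None."""
    local, _, domain = addr.strip().lower().partition("@")
    if domain != COMPANY_DOMAIN:
        return None
    user, _, tag = local.partition("+")
    if user != HONEYPOT_USER or not tag:
        return None
    for service, service_tag in SERVICES.items():
        if service_tag == tag:
            return service
    return None


def display_name_spoofed(msg):
    """True when the From display name is a known staff member but the address is not theirs."""
    name, addr = parseaddr(msg.get("From", ""))
    expected = KNOWN_STAFF.get(name.strip())
    return expected is not None and addr.lower() != expected


def triage(raw_message):
    """Parse one raw RFC 822 message and report spoofing plus the leaking service(s)."""
    msg = email.message_from_string(raw_message)
    recipients = []
    for header in ("Delivered-To", "To", "Cc"):
        recipients += [addr for _, addr in getaddresses(msg.get_all(header, []))]
    leaked_via = {s for s in map(service_from_recipient, recipients) if s}
    return {"spoofed_sender": display_name_spoofed(msg), "leaked_via": sorted(leaked_via)}


# Constructed sample: the scam pattern from the post, arriving at the alias
# that was only ever given to the (assumed) project-management service.
SAMPLE_PHISH = """\
Delivered-To: leaktrap+svc-pm@example.com
From: "Alice Founder" <alice.founder.ceo@mail.example.net>
To: leaktrap+svc-pm@example.com
Subject: Quick task

Are you free right now? I need you to handle something for me quickly.
"""

# Constructed sample: a genuine internal message to the untagged mailbox.
SAMPLE_LEGIT = """\
Delivered-To: leaktrap@example.com
From: Alice Founder <alice@example.com>
To: leaktrap@example.com
Subject: Welcome

Welcome aboard, the onboarding briefing is in the wiki.
"""

if __name__ == "__main__":
    for service in SERVICES:
        print(f"register with {service}: {alias_for(service)}")
    print(triage(SAMPLE_PHISH))   # spoofed sender, leaked via pm-board
    print(triage(SAMPLE_LEGIT))   # nothing flagged
```

Two caveats before relying on this. Plus-addressing is visible to whoever buys the list, so a seller can strip the tag; a catch-all subdomain or a separate mailbox per service is harder to launder. And some signup forms reject a `+` in the address, so check each alias actually gets through before counting that service as clean.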