
Fraudulent SMS Impersonation (“Smishing”): How to Recognize and Report

August 26, 2025

What’s happening

Attackers are sending text messages that impersonate your team (e.g., “I’m in a conference, can’t talk—do you get my text?”). The goal is to push you into sending money, buying gift cards, sharing account information, or giving up authentication codes.

Example opener: “Hi [Name], I’m in a conference and can’t talk on the phone. Let me know if you got this text.”

Usually there is no evidence that employee phones or contact lists were hacked. Criminals typically scrape names/titles from public webpages (like “Our Team”), LinkedIn, and press releases, and buy phone numbers from data brokers. SMS does not verify the sender’s identity, so it’s easy to spoof.


Red flags

  • Unknown or changing phone numbers (often local-looking but not ours).
  • Vague/urgent language (“Are you available?”, “Can you help quickly?”).
  • Requests for secrecy or bypassing normal process.
  • Any request for gift cards, wire payments, bank changes, or 2‑factor codes over text.
  • Links to “document” or “payment” pages you weren’t expecting.

What to do if you receive one

  1. Do not respond. Don’t click links or call numbers in the text.
  2. Verify using a known channel: Call your regular [Company] contact using the number you already have on file, or email security@[company].com.
  3. Report the message:
    • Email a screenshot (include the sender’s number and time) to support@castlerocksky.com
    • In the U.S., forward the message to 7726 (SPAM) to alert carriers.
  4. Block the sender:
    • iPhone: Open the message → tap the number → Info → Block this Caller. If shown, tap Report Junk.
    • Android: Open the message → ⋮ menu → Block & report spam (wording varies by device).

If you already interacted

  • Sent money or gift cards? Contact your bank/card issuer immediately. If gift cards were involved, contact the card brand’s support. Consider filing a report at reportfraud.ftc.gov (U.S.).
  • Entered a password anywhere? Change it now and enable 2‑factor authentication (2FA) if not already on.
  • Shared a 2FA code? Treat the account as compromised—change the password and review recent activity.
  • Told them personal/financial details? Notify us at support@castlerocksky.com so we can help assess risk and next steps.

How to verify a real message

We keep communication predictable to help you verify authenticity:

  • We do not use SMS to request payments, gift cards, bank changes, or authentication codes.
  • Sensitive or financial requests are done through our official systems, and require call‑back or dual approval using known contacts.
  • Official email comes from @companycompany.com domains. When in doubt, reply via a thread you already have with us or call your usual contact.

Examples of scam messages

  • “I need a quick favor—can you buy some gift cards for client gifts?”
  • “We need to process an urgent wire; what’s your banking contact?”
  • “Share the verification code you just received so I can log in.”
  • “Open this DocuSign/OneDrive link urgently for board materials.”

Frequently asked questions

Was the system hacked?
It’s very unlikely unless you have clear proof that the attackers know details that would be impossible to know any other way. Attackers combine public names/titles with purchased phone lists and bulk-text scripts. They will also scrape information from your company website and your LinkedIn connections to build an attack profile.

The number looks local—does that mean it’s real?
No. Attackers rent/rotate local numbers to appear trustworthy.

Can you block all of these?
We continuously report and work with carriers, but SMS lacks strong sender authentication. Your caution and verification are the best defense.


Shareable summary (copy/paste)

We’re aware of fraudulent texts impersonating our team (e.g., “I’m in a conference—can’t talk”). These are scams. We won’t ask for payments, gift cards, bank changes, passwords, or 2‑factor codes over SMS. Don’t respond; report to your security team, forward to 7726, and block the sender. If you interacted with a message, contact us right away.
