Scammers take advantage of modern work environments, where most communication happens over email, text, and phone—and plenty of coworkers we’ve never met in person. One way to sidestep falling for a “workplace impersonation scam” is to know that if you get a call, message, or text supposedly from a co-worker or manager asking you to buy gift cards, you’re likely getting scammed. Always verify odd requests in person or directly if you’re in doubt.
Ever heard of a “boss scam”? It’s when someone pretends to be your manager or an exec and asks for a quick favor.
They’ll usually message you saying they’re tied up in a meeting and then comes the ask: buy gift cards or send money, and they’ll “pay you back.” The scam works when you share the gift card codes or send the funds—and by then, the money’s gone.
It might sound obvious in hindsight. But in the moment, it works because we’re wired to respond to authority—especially when it’s someone tied to our paycheck. Plus, scammers have an answer for everything and anything that might make their targets doubt them.
Boss scams like these have been around for years. Now, they’re expanding: impersonating other colleagues in your workplace, too.
Workplace impersonation scams, explained
In a workplace impersonation scam (also known as an imposter scam), a con artist posing as a co-worker or a related subcontractor contacts you, a real employee.
The scammer instructs you to do something that ultimately compromises your—and/or the company’s—identity, security, and finances. The goal of these scams is typically to:
Siphon off money from you or the company
Steal your identity for exploitation
Install ransomware or malware on your device, or the company’s devices
Gain access to the company’s systems for future scams
Because our places of work, job titles, and coworkers are often posted online (think: company websites, social media, and networking sites like LinkedIn), it’s easy for scammers to find out who to impersonate and who to target. Customizing scams in this way makes the con artist seem like an insider.
And the way we work today makes it even easier for scammers with:
Remote employees
Satellite offices
Communication that’s centered on email, text, and calls
A high volume of messaging
An expectation that communication will be sent, received, and responded to around the clock
A real-life company impersonation scam
When one Allstate Identity Protection member got a call from “cybersecurity specialists” warning her that the company had experienced a data leak and subcontracted them to clean up, she was alarmed. Though some of her PII had been compromised, the caller said, they were on it. She was advised to expect a second call, this one from someone in the company’s accounting department.
She waited patiently, and when her phone rang, she confirmed her personal financial account information with the caller. As an added precaution, she was told to transfer funds from her cryptocurrency account to “the company’s” in order to “verify and test the connection.” She decided this sort of made sense because she used direct deposit.
Don’t worry, the caller advised, we’ll reverse the payout immediately. Unfortunately, the whole setup was a scam, start to finish. On the positive side, when we paired her with a dedicated, expert restoration specialist, we were able to properly walk her through the actual recovery process.
How to protect yourself from a workplace impersonation scam
The first defense is to dial up your suspicions when you are in work mode.
Just as you were taught criteria to review before opening the front door as a kid, ask yourself screening questions like these when you review work communications and/or take a work call.
Who is this?
Do I know this phone number, name, or email address?
Have I ever been contacted by this person or by anyone from their purported department before?
What are they asking for?
Do they want me to click on a link or download an attachment?
Are they asking me to share personally identifiable information (PII) or company information?
Are they telling me about a data leak, a scam that’s circulating in the company, or some other dramatic scenario?
Do they want me to pay for something? Have they mentioned gift cards, cryptocurrency, or wire transfers?
Are they asking me to redo something I’ve already done, like share my bank information with HR for direct deposit?
Do they want me to keep their request private?
How are they asking?
Is the phone number or email address in an uncommon format for your company?
Does the caller or sender seem to be using their personal number or email address?
If too many suspicious questions come to mind, cease communications and contact your IT team using a number or email address you trust.
Five tips to avoid falling for a workplace impersonation scam
Experts agree there are a host of ways to avoid a potential employer-related scam and, should you have been pulled in, correct any damage that might have occurred. For starters:
Don’t react rashly. Scammers bank on the pressure that employees naturally feel when influential departments (HR, accounting, legal, etc.) or their supervisors contact them. They will try to leverage such pressure, along with urgency and consequences, to make you act quickly or to make you think you can’t disengage.
Hover over the email sender’s name and any embedded links to check out names, address formats, and URLs. The sender’s name and hyperlinked text might check out at a glance. But if the ones that appear when you hover over them don’t match or sync with the one you see in the message or usually use for this person or department, disengage.
Verify the person is who they say they are and that they are in the department they claim to be from. Use your company directory or search engine to contact them or their department directly. (Don’t redial their number or reply to their email or text.) Use the contact info you normally use if it’s someone you’ve been in touch with before.
Ask your IT department whether there are scams going around the company related to the communication you received.
Screen any contact info they gave by typing it into a search engine along with the word “scam” to see if anything comes up.
What to do after a workplace impersonation scam
When in doubt, pause and get a second opinion. With Allstate Identity Protection, you have access to real people who can help you figure out if something’s legit before you take action.
If you do fall victim to a workplace impersonation scam, start with your IT department. Ask them for the company-specific steps that your organization takes when such problems arise.
More than likely, they will have you forward all communications to them, delete them from your devices, and block the scammer. They might also share a scam alert with the rest of the company so others can protect themselves.
Before you delete anything, take screenshots and screengrabs of the communications for your own records, especially if your personal devices were used.
Beyond that:
Lock your credit reports with the credit report bureaus.
File scam reports with the Better Business Bureau and the Federal Trade Commission.
Contact your financial institutions and follow their procedures if you lost money.