This stuff is still incredibly easy to do to this day. I was the general manager of a retail office store chain and we would frequently have calls come in with fake complaints, but also asking for the district or regional manager's first and/or last name. The attacker would then call another store in the region claiming to be "Mr. Head Manager".
Most associates knew or had seen the names (they were required to be posted in the break room) but oftentimes never met the people in question. The attacker got associates and other shift/associate managers to do everything from giving up secure information on the registers to ringing up gift cards.
It was happening two to three times a week in our district at times despite weekly training and conference calls on the subject. Some people are just born to be duped.
Nah, all people are born to be duped. Nobody can be vigilant all the time. There's a point where you have to let down your guard and trust that there's no monster ready to pounce on you from the shadows. Vigilance has its own costs that often work against the tasks at hand, and can really fry your body if held high for too long.
As GM you may have been especially vigilant about this issue because you saw yourself as the steward of your store(s), but those associates weren't in the same position and were bound to be more lax on net.
It doesn't sound like these social engineering attacks tanked the company, so whatever dynamic existed between everyone seemed to work adequately.
My take is "don't use the same channel for internal comms as for customer comms". That way training could make it clear:
* Supervisor communication will always come through Slack, or email or some other mechanism.
* Never trust that the identity of anyone on the phone is someone internal unless you initiated the call.
Wow, I wonder if that is what happened to my company's domain a decade ago. We lost control of our domain due to social engineering at GoDaddy. It was really, really tense as we worked to get control back. We got lucky and were able to retrieve the domain later that day.
I also have heard of such a story. A friend of mine did something similar a long time ago.
Someone posted malicious stuff on his website, which showed up when googling my friend's name. This cost him quite some business.
He knew the email address of the website owner, and the provider where the website was hosted.
So he registered the same email address under a different free email hosting provider. Then he sent the website host an e-mail where he told them about a new email address and asked if they could change it. With that he could reset the password and delete the website.
I've mentioned this before[1], we once had a domain stolen because somebody called GoDaddy and was able to get the 2FA code removed with a phone call and they had some leaked email credentials for the account.
We had to call GoDaddy and cancel the domain transfer; they would give us no information on how it happened.
Most companies can be SE'd. Think of a company that controls whatever you consider the most sensitive internet infrastructure - them too. Whatever you imagine is secure is probably not, because somewhere a human is in control of it.
Who was defrauded? Not the old domain owner, he just got a legit email and decided to sell.
Maybe they committed some other crime against GoDaddy, but I'm not a lawyer and I'm not sure what. They impersonated a call center manager, but I'm not sure if that's against the law. After that the employee willingly told them things.
The problem at hand here is social engineering. Your cryptocurrency scheme (and, to be clear, this is your own scheme you're promoting here) is not a solution to social engineering.