my team received a suspicious text — and we wonder if our boss sent it as a way to secretly gain info
by Alison Green on April 8, 2025
A reader writes:
This one’s weird. I would love your thoughts, if you can.
Some of my coworkers and I got a text from an unknown number addressing us by our first names and asking us to rate the company we work at. It was different than the usual company survey text in that it wanted a direct response rather than following an outside link, and it came from what looked like a personal phone number rather than the five-digit number the company will use. The whole thing seemed suspicious, especially since we all just completed the monthly multiple question survey the week before. My coworker looked up the number in the white pages and found it belonged to some lady we’d never heard of. I tried looking further to see if I could find her name associated with the company but have had no luck. I thought about bringing it to our manager’s attention, but we are suspicious it may have something to do with her.
For some context, my manager, Lucy, is a bit of a martyr. We constantly hear about her conflicts with her own boss and fellow managers, how HR ignores her, her family drama, how much of a loser she is (her words), and why doesn’t anybody come talk to her with her open-door policy? One time we had a new relief worker call out at the last minute (things happen, right?), and Lucy’s immediate reaction was to suggest it was done just to spite her, as if it was a personal vendetta against her. At the beginning, I felt sorry for her; now I’m just tired of hearing it and disturbed that she even shares some of these things with us.
Lucy’s always telling us how bad corporate says we are but that she sticks up for us and puts her own job at risk, so she can fix everything. I keep telling myself she means well. Maybe she does, but the words and gestures just feel hollow now, especially when you know she complains about people behind their backs and uses emotional manipulation tactics. Not surprisingly, over half our staff has quit without replacements, in part because of Lucy, and in part likely because of the growing bad reputation circulating the company (a story worthy of another letter). Odd that no one wants to apply to work here.
Getting back to the text, Lucy obsesses over these surveys (likely due to pressure from above), but with her track record, none of us would be surprised if she was enlisting someone to help her ferret out info regarding who said what. The other day she asked me not to talk to her boss about any concerns I had with the way things were operating, as if I’m supposed to lie when asked a question. This was because Lucy’s boss cornered my coworker one day, and when asked a question, my coworker answered honestly while trying to be fair with the response. Lucy later got defensive and started telling everyone how my coworker threw her under the bus, acting like she was joking, but she clearly wasn’t.
Obviously, none of this is any sort of proof of Lucy being connected to the text, and we can’t just accuse her, so we all have decided to ignore the texts for now, but I wonder if it would be worth reaching out to someone to ask about the legitimacy of them. I suppose it could be a spam thing, but why would spam ask us to text back a number between 1 and 10 to rate the company? If this is indeed an illegitimate survey being sent to employees, the company should know, right? If so, whose attention should I bring it to? Would this still be an HR issue?
Oh, and then there’s Lucy. I can already picture her being upset that I didn’t tell her about the text first, which I guess makes her problem number two, or rather the main problem. I really try to ignore her drama and keep things professional, but she’s exhausting. Thoughts?
For starters, yeah, definitely don’t respond to the text!
And you might as well check with HR. It would be perfectly reasonable to say to someone in HR, “My team all got texts asking us to rate the company but it didn’t look like company texts normally do and it came from a different number than usual. I wanted to check if this is legitimately from the company, or if it might be a phishing attempt or something else I should report.” And forward a screenshot of the text to them so they can see it.
I don’t know that anything will come of it — if it’s not from them, they might just write it off as spam and not investigate. But hopefully you’ll at least get a clear answer about whether it was from the company or not.
If Lucy hears you asked HR about it and is upset that you didn’t talk to her first, don’t get drawn into any drama or intrigue. Just say, “Oh, I just figured it was an HR thing if someone is spamming employees.” (Say this in a slightly bored, uninvested tone, like this is all incredibly unremarkable and not anything you’re spending any time thinking about — i.e., the opposite of a “we all suspect you’re behind this” vibe.)
Obviously, though, your Lucy problem goes way beyond the question of this one text. Realistically, there might be nothing you can do about that … but it’s worth considering whether you can fill in anyone above her on the problems with her management, and in particular on the fact that she asked you not to talk honestly with her boss. (If I were her boss, I’d be very, very interested in hearing that. Whether or not her boss is depends on what that person is like as a manager, but the whole “cornered your coworker and asked a question that she answered honestly, which then set off Lucy” thing suggests that that person might be open to hearing more.)
{ 154 comments }
juliebulie* April 8, 2025 at 2:08 pm It’s kind of OP to imagine that Lucy means well, but I see no evidence of that. Lucy is looking out for Lucy and not you, except to retain her vanishing headcount. As for the text, it’s very tempting to use it to play a joke on her. (Don’t do it. But maybe entertain yourself thinking about it.)
Bird names* April 8, 2025 at 2:19 pm Yeah, this sentence “Lucy’s always telling us how bad corporate says we are but that she sticks up for us and puts her own job at risk, so she can fix everything.” really stood out to me regarding her behavior. This is right out of every abuser’s handbook. Lucy doesn’t mean well at all and I think the LW is also mostly aware, but due to having to deal with this nonsense constantly it’s probably difficult to get the necessary distance to let it really sink in. Good for LW for reaching out for advice, not answering the text and considering looping HR in as well.
juliebulie* April 8, 2025 at 2:28 pm HR and IT both, because if it’s not from Lucy, it could be pretty serious. I get all kinds of spam on my phone, but not relating to my actual employer. That’d worry me.
Bird names* April 8, 2025 at 2:33 pm That too, yeah. And as others have pointed out (thanks Middle Managing Cog), it’s a great avenue for plausible deniability as to why LW didn’t think to bring it up with Lucy first.
Ama* April 8, 2025 at 2:36 pm Yeah it very well could be a spammer trying to confirm they have phone numbers of actual employees so they can be spoofed for an attack that actually asks for money or confidential info.
Teapot Connoisseuse* April 8, 2025 at 2:46 pm Could add that they’re concerned that employee information has leaked from either the company or (if relevant) the provider the company uses for its regular surveys.
KateM* April 8, 2025 at 3:27 pm Agreed, in my company it would be IT not HR whom to contact with this.
Skippy* April 8, 2025 at 3:59 pm I do – and ones that make reference to people’s correct job titles. Spam has gotten really well done.
I'm just here for the cats!!* April 8, 2025 at 4:37 pm I’d say it’s IT and HR because not only could this be a phishing attempt it could also be compromised information. The texts had each person’s name and it sounds like it came to their personal cell phones (unless they have work phones.) That means someone has their name and the phone number of everyone on the team.
Tiger Snake* April 8, 2025 at 5:40 pm They know your name, they know your phone number, they know your coworkers, and they know who you work for. There’s a lot for IT and the company to be worried for here, even if it was from Lucy. Like – did she send each text message individually or use an app, and what are that app’s terms of service? There’s more than one flag waving in the wind if a manager’s doing something like this.
just some guy* April 8, 2025 at 8:40 pm Depending on where this is, there could also be legal considerations here re. misuse of personal information. e.g. under the law where I am (not USA), if I as a manager have access to my staff’s personal phone numbers via the staff directory, it would generally be against the law for me to use that for my own personal purposes. I doubt a bogus “survey” would be considered acceptable use.
linger* April 8, 2025 at 7:10 pm Almost in passing (and not directly connected to the Lucy problem), OP notes that the company has a “growing bad reputation”, which might be relevant: if that is something that might have sparked some external investigation of the company or its management, then this attempt to contact employees could be more than a random spam attack. Regardless, OP and other coworkers should not respond to any cold call with an uncertain origin, except to notify HR and IT.
Slow Gin Lizz* April 8, 2025 at 3:11 pm Came here to say the same thing and it bears repeating: OP, Lucy does NOT mean well. And I’d be willing to bet real money that she’s not sticking up for you with corporate at all, she’s likely throwing you all under the bus with corporate. It’s entirely possible that corporate is actually saying you are good workers but she is telling you they’re saying you’re not so that you’ll side with her if things go wrong.
Georgia Carolyn Mason* April 8, 2025 at 5:12 pm Yeah, “everyone hates you but I defend you” is BS 99.9999999999% of the time. It’s way more likely that corporate isn’t talking about your team at all, or it only comes up because Lucy is complaining. I have no idea whether the text is Lucy or outside malicious actors, but that “everyone’s talking smack about you” crap is crap.
Beth* April 8, 2025 at 2:09 pm Seconding Alison’s advice to reach out to whoever handles phishing at your company (it’s security or IT for me, not HR). This looks enough like a phishing attack that it’s very justifiable to escalate along that route. If that is what it is, you’ll look great for protecting your company from it. If it turns out it is Lucy, odds are either your security team will trace it back to her, or the investigation will put her on alert that this is a bad/risky management strategy.
lyonite* April 8, 2025 at 2:21 pm Yeah, as weird as the boss is, I could totally see this as the opening salvo of a phishing scam. Like, once you’ve responded to the innocent question, you’re set up to believe the number is legit when they say you need to get some gift cards for the CEO, or something. Either way, since there are so many of these scams going around, it would be completely normal to report this to HR/IT, even if it does turn out to be your boss.
Productivity Pigeon* April 8, 2025 at 2:30 pm Yeah, I’m not disputing that Lucy is a terrible boss and it *might* be her behind the text but I think there’s more reason to believe it’s ”just” a standard phishing attempt. In a way, it doesn’t matter if it’s Lucy doing the phishing or some Nigerian prince. Report it as a phishing attempt using whatever proper channels the company has and leave it to them to work out.
Fluffy Orange Menace* April 8, 2025 at 4:07 pm I would also agree that it’s likely phishing IF everyone got it, but it IS weird that ONLY OPs team did, from the sounds of it. Yes, it could be targeted phishing, but not knowing what the OPs team does, we don’t know if that makes sense, i.e. do they have access to financials? Or are they a CDRL delivery team that doesn’t make a whole lot of sense to phish. I’m inclined to lean towards it being boss lady. I have a pay as you go phone that I use when I go on vacay, or places I don’t want to take my data loaded smart phone to and I’d be tempted to call the number and see who answers, since that phone can’t be linked to me and it sounds like it was a full phone number and not the abbreviated 5 digit text only numbers…. But maybe that’s just me… endless curiosity!
Strive to Excel* April 8, 2025 at 5:02 pm The phishing attempts are getting surprisingly good. We’ve been getting emails pretending to be from our voicemail transcription service that have even copied our company logo.
JustaTech* April 9, 2025 at 12:24 pm Wow, I got one of those yesterday! I also got a text from someone claiming to be my old CEO (who I personally despise, but he doesn’t know that) that was clearly setting up to be one of those “go buy gift cards” scams.
H3llifIknow.* April 9, 2025 at 3:45 pm Are these on personal or work phones? I got the vibe from the OPs letter that it was on personal numbers. That’s HIGHLY coincidental if the only people getting the texts were on that team. Phishing is usually very targeted or very shotgunned. The fact that it was a very narrow subset of the company only, and on personal numbers that wouldn’t necessarily be linked to that company makes it highly unlikely it’s phishing. It really just isn’t very sophisticated. There’s no link to click to “take a survey” and download malware, there’s nothing other than submitting a 1-10 number and that’s not a typical phishing attack M.O. Been doing cybersecurity since before it was called cybersecurity and this has “Lucy” written all over it, to me.
Beth* April 8, 2025 at 7:12 pm Phishing attempts don’t just target people with sensitive data access. Any access is useful. For example, if a phisher can gain access to any employee’s email, they can use it to reach out to others in that organization 1) with a legit email address that won’t raise suspicions, 2) with a sense of the org’s communication norms, since they can review the employee’s past emails, and 3) without as much security, since most organizations have less intense firewalls on internal emails than external ones. They can use that to increase their odds of success with higher value targets within the organization, or even with any client organizations that trust the employee whose email they phished. It still could be Lucy! But OP really is on solid ground escalating it as a potential phishing attack–there’s no reason (other than their distrust of Lucy) to think it isn’t.
Fluffy Orange Menace* April 9, 2025 at 12:55 pm Oh it should definitely be reported, but the coincidence of it ONLY being OPs team vs the larger corporation is suss. If I wanted to phish an organization, I’d make sure I hit all the targets, otherwise it looks weird that only “the HR dept. got this email; why didn’t the rest of us get to weigh in on the company.” But that’s me. OP definitely should escalate, but still be wary of Lucy.
RIP Pillowfort* April 8, 2025 at 2:40 pm Yeah our IT department handles all our tech both computers and phones. So this would be something we’d escalate to them.
Judge Judy and Executioner* April 8, 2025 at 2:42 pm I also suspect phishing. The first day I started a new job, the CEO texted me to see if I could help him. I said, “Of course!” Then he asked me to buy Apple gift cards, and I reported it to IT. It’s a good habit to always report strange texts or emails to IT.
Six for the truth over solace in lies* April 8, 2025 at 2:51 pm This is a common vector for pig butchering scams too. The people who reply with a low score for the company are potential marks for a better fully-remote opportunity.
Six for the truth over solace in lies* April 8, 2025 at 2:52 pm …hit enter too soon. A fully-remote opportunity that is a long-game scam.
Observer* April 8, 2025 at 3:01 pm “Seconding Alison’s advice to reach out to whoever handles phishing at your company (it’s security or IT for me, not HR). This looks enough like a phishing attack that it’s very justifiable to escalate along that route.” Very much this. It looks like phishing, and that is always a risk, both to you personally and to your company. And if Jane gives you grief about it, that is absolute proof that she is not just a poor manager who means well, but one who is acting in really bad faith.
Kuddel Daddeldu* April 10, 2025 at 2:21 am Absolutely! In my company, we are trained to report any suspicious email, text, or call to IT. Any email urging you to click on a link that’s not on our company domain automatically qualifies. IT also runs several phishing tests per year. This has the somewhat humorous consequence that whenever someone in the company decides to use a new cloud service, IT receives a lot of phishing reports (and rightfully so; that someone did not do their homework).
Ganymede II* April 8, 2025 at 2:11 pm Or report it to IT as phishing (because it might actually be! this is the kind of message phishers do use) and if Lucy does ask, you can say it seemed suspicious and you are all very concerned about IT security. Other than that – agree with everything Alison wrote. You have a Lucy problem.
Snow Globe* April 8, 2025 at 2:18 pm I think it’s highly unlikely that every person on the team received the exact same phishing text.
allathian* April 8, 2025 at 2:20 pm Maybe, but it’s a CYA move for the LW and gives some plausible deniability.
Hannah Lee* April 8, 2025 at 2:27 pm IME phishing efforts can be targeted to an organization or even a particular group in an organization. The phishers are seeking a weak link, a chink in the company’s security and will broadcast a message to a group of targets hoping someone will reply, click, open the attachment, whatever gets them to the next step of the attack. Several people who work at my company, who all report to the CEO, have gotten identical texts as I have before all within a few days, purporting to be from the CEO or some other trusted contact and asking us to do xyz or provide abc information. It is not a reach to suspect that’s what OP’s texts are, even if it’s just Lucy in the end.
Beth* April 8, 2025 at 2:31 pm This is actually plenty normal. Phishers look for this kind of information–things that will make people say “Well, how would a scammer know X?”–to legitimize their messages. If employees say what team they’re on in their linkedin profile, or the phisher managed to get into a less-secure part of the company’s documents, or there’s information in public records or online about team structure, it’s not that hard to connect those names to emails/phone numbers and produce targeted attacks. It could also be Lucy being sketchy! But I wouldn’t rule out a legit phishing attack based on the information OP shared.
Bird names* April 8, 2025 at 2:36 pm Huh, so if it turns out it’s legit (as in legit scam) Lucy’s behavior would’ve partly inoculated them thanks to the team’s suspicion overall.
Beth* April 8, 2025 at 2:51 pm Yep! If the team sees suspicious behavior and automatically thinks “Lucy must be being weird again, I’ll ignore it” instead of “Something’s weird, let’s have IT check on it,” that could risk actual phishing attacks going unreported.
Whoopsie* April 8, 2025 at 2:32 pm It’s possible. If one of their emails is compromised, it’s easy to start with messaging their immediate and regular contacts (like team members) and then widen the net. And if it is legit, like others have said, the OP is demonstrating commendable caution in this age of frequent and malicious phishing attacks.
NameWithheld* April 8, 2025 at 2:44 pm It may be a fake phishing by IT, we get identical versions of that all the time.
MsSolo (UK)* April 9, 2025 at 3:25 am Yeah, my immediate response would be “oh, IT are doing a SMishing test, gotta make sure I follow the process to the letter to report it and they’ll send me a little Well Done email in half an hour”.
amoeba* April 9, 2025 at 7:40 am Yup, my first reaction was “phishing test”. We get those regularly, so if they’re not a thing in LW’s company, I get why they wouldn’t go there as quickly but hey, maybe they decided to start doing them! Just report it by whatever means you’d use for suspicious e-mails (we actually have a “report suspicious email” button in Outlook, but otherwise, probably ask IT on how to proceed? If there isn’t a standard way to do that, honestly, there should be…)
RIP Pillowfort* April 8, 2025 at 2:48 pm Honestly having been through this (both real and simulated) you can get the same phishing emails and texts as others. It’s basically casting a wide net to see who they can get to fall for it. It does mean something is already compromised to get so many people in the net. Which is why you should report it. We’ve had a couple of times where an outside consultant gets compromised and they start spamming our worker’s inboxes with phishing attempts.
Observer* April 8, 2025 at 3:04 pm “I think it’s highly unlikely that every person on the team received the exact same phishing text.” That’s actually fairly typical. The fact that the whole team got it is actually a significant signal that something is off in HR, in a big way. If someone reported this to me, I’d be flipping out. And one of the things I’d be doing is talking to our HR folks, and also checking with other departments to see if any other department had this happen to them. Of course, it could also just be the manager being a loon. But the other is quite possible and something that any competent IT / CISO person needs to know about and investigate.
Tiger Snake* April 8, 2025 at 5:47 pm As someone who works in that field: I do think it’s likely every person on the team received the same phishing text. That’s classic spear phishing 101. It’s very, very common to target a certain group of people in an organisation – that’s not limited to just your C-suite, it’s any group of particular interest or vulnerability. Customising phishing to your target is what it’s all about, and it’s why the wrong idea that all spam is badly spelt Nigerian princes is so dangerous.
Oniya* April 8, 2025 at 9:07 pm Why would a phisher put in the effort to do more than bare personalization? Name and job title is enough to make it ‘look personal’. Social media phishing scams are frequently that level of boiler-plate. As far as it being ‘only that team’ – we recently had a training unit at work about ‘spear-phishing’, which has that sort of narrow targeting. OP doesn’t mention what their team works on, but it’s not out of the question that it might be of interest to some malicious party.
Loki* April 9, 2025 at 4:19 am In the times of GenAI, it’s a simple matter for anyone to generate ten messages with the same content which use slightly different wording.
Benihana scene stealer* April 8, 2025 at 2:11 pm I’d probably just delete and block the number. Sounds like there are many other things wrong with Lucy other than this one text, so I wouldn’t get bogged down in the details of this one.
Artemesia* April 8, 2025 at 3:20 pm Nah. It might well be a phishing scam and HR needs to be aware in case some other department is targeted. AND if it is from your boss — well HR needs to know that as well.
Marion Ravenwood* April 10, 2025 at 5:46 am Or it’s a test from IT to see if you engage with the scam and if you need to do more training. (I’ve worked at companies where that was a thing via email, so it wouldn’t surprise me if places where mass texts are regularly sent out also used that medium.)
Kay* April 8, 2025 at 6:15 pm Every place I’ve ever worked absolutely wants things like this to be reported (typically to IT/Security) and they often do “tests” like this to make sure we aren’t accidentally creating a way for data to be exposed or scams to be perpetuated. If it is company authorized there is usually a preceding notice going out saying “you will get this communication that looks weird, it’s legit, do what it says”, otherwise, the electronic security team wants to know. The benefit in this case is that it works out great in all ways for the LW (aside from still being stuck with Lucy for the time being).
Kyrielle* April 8, 2025 at 8:26 pm Yup! And having worked at a place that regularly did phishing tests, but also regularly sent messages that could look suspicious without reaching out ahead of time, reporting the latter to IT just gets you a confirmation that it’s real. (And a note to whoever sent whatever through whichever service that their message had N people worried it was phishing, probably.)
Data analyst* April 8, 2025 at 2:14 pm Also- how did this texter get all of your teammates’ names and cellphone numbers? If it’s not publicly available, then Lucy or someone else giving out the employee’s personal contact information from an internal list could be a privacy/security violation- something that a competent HR or IT team may be very concerned about.
I'm Suspicious* April 8, 2025 at 10:00 pm We actually had that happen in a Defence unit (not US) where a data breach made available names, addresses, and personal details including our home and mobile phone numbers. It was a major investigation into how it happened (some idiot put a spreadsheet on their home computer) but all our details were out there. It was horrendous to manage, a lot of people changed email addresses, phone numbers etc.
Synaptically Unique* April 8, 2025 at 2:17 pm People who do both report on supposed problems and on their supposed intervention at the same time are often/usually lying or at least distorting the truth. It’s a tactic intended to make you both afraid of going above them (what would be the point if the big bosses think you all suck) and thankful to remain employed on team hell. Agree that this is a terrible boss and you should try to get out.
Slow Gin Lizz* April 8, 2025 at 3:14 pm Ah, yes, excellent point. Like the car mechanic who told my friend she had about $6k worth of repairs she needed to do and then when she expressed reluctance to do so offered to buy the car from her. She then got 2nd and 3rd opinions on repairs and it turned out the first company was, surprise, surprise, totally lying. She had about $1500 worth of repairs, which she did, and is still driving the car 2 years later.
Paint N Drip* April 8, 2025 at 3:41 pm Ah, the ‘you’re really in a pickle… but I CAN HELP YOU’ school of scammers
Joana* April 8, 2025 at 3:54 pm Yup. There are similar ones in publishing. Person submits to a literary agent (who isn’t actually a legit agent) who says their book isn’t ready for publication, but they totally know this great editing agency to send it to! Which turns out to be either them with another business name or someone giving them kickbacks for referrals. But either way the editor is usually about as legit as the agent.
Slow Gin Lizz* April 8, 2025 at 3:56 pm Right? I’m surprised they didn’t also offer to sell her a car.
londonedit* April 9, 2025 at 4:39 am Yep, there’s a classic one here where cowboys will knock on the door of an elderly person and say ‘Oh, hello, I’m a roofer and I’m doing some work in the area, and as I was walking past your house I noticed your roof is in a terrible state. Really bad, you’ve got broken tiles up there, those are really dangerous, you’ve probably got damp in your loft already, those tiles are going to fall off if you don’t fix them soon. But the good news is that I’ve got a bit of spare time this afternoon, do you want me to go up there and have a look and give you a proper quote?’ So then the ‘roofer’ gets a ladder and goes up on the roof and conveniently knocks things about a bit, and says ‘Oh dear, yes, it really is bad up there, my advice is to get that fixed straight away – it’s not an easy job but if you want I can come back tomorrow and get it done, it’ll cost you £1500 but it’s best to get it all sorted isn’t it’, and then lo and behold once they’ve got the money they either disappear completely or they go back up on the roof and make some sort of half-hearted attempt to ‘fix’ things (probably making it worse than it ever was before in the process – seeing as there was probably absolutely nothing wrong with the roof in the first place).
Ping* April 8, 2025 at 2:18 pm A suspected phishing attempt is a really good reason to report it. Could be an attempt at social engineering — get someone who is disgruntled, slowly get them to give info on the company until you’re able to have whatever corporate espionage info you want. Even if there’s that much drama going on that you have suspicions that it’s related to your boss, knowing that someone is out there texting employees should be a concern for the company. If they happen to uncover it was the boss, great. If not, it might show some other tactic being employed against the company. (Either way it’s not going to do the company’s reputation any good for this sort of thing to be happening and go unaddressed!)
BlueWolf* April 8, 2025 at 2:24 pm Yes, we were recently warned of an active phishing attack against our company. Someone will call and pretend to be someone from IT in order to try to gain access to company systems. You can’t be too careful these days. I’ve also noticed a major uptick in spam texts to my personal cell phone in recent weeks. Job scams, generic messages from random numbers trying to get you to respond, etc.
Anon for this* April 8, 2025 at 6:33 pm This happened to a few of our clients. Unfortunately for the 1st, it worked. The hack and subsequent payment made international news. It also worked on the second, even though the news had already been reported, but was able to negotiate pretty quickly for a quiet settlement, although if anyone takes a close look at the books it is obvious. The 3rd took things VERY seriously and had enough of a start after the news hit about the 1st to lock down the company and hire enough backup security people to thwart the attack. As in they deployed in person security techs prowling offices on the regular, shut down good portions of the tech systems – you name it. It was a wild ride and the methods – so simple that people who were in the know still got duped. Stuff like this happens yet I still hear how people put up such a fight when told to confirm wiring instructions… sigh…
LoraC* April 8, 2025 at 2:53 pm Yup, if they’re using employee names, then it sounds like some kind of spear phishing. I worked at a government contractor that handles PII for countless citizens and we were regular targets of these kinds of attempts.
Anon SubK* April 8, 2025 at 3:18 pm And even if you’re not at that org, if you’re at a company that regularly does business with a high-value org like that, that can make you a target. I work for a small business that works regularly with big defense contractors, and it’s impressed on us that the goal isn’t necessarily to do anything to our system, it’s to get access to things like our email and file share that would let them do things like send a malicious file to our big partners from a known, ‘safe’ sender.
Middle Managing Cog* April 8, 2025 at 2:20 pm We get so many phishing emails at my workplace that we can report them with the click of a button AND they run tests on us occasionally to see who clicks, ignores, or reports. Me, I’d be passive-aggressive. I’d screenshot it and forward it to the IT department and HR with “A number of us got these suspicious texts. It looks like we’re being targeted by some form of scam, and you may want to send out a warning email.” Do it with that wide-eyed innocence of someone who is Just Trying Their Best To Be Safe Online.
many bells down* April 8, 2025 at 2:29 pm Ugh, same. Apparently the minister is always “in a meeting” and desperately needs iTunes gift cards for something. They must think churches are a really soft touch. Especially funny to get one when I’m actually in a meeting with the minister. Oh sure “superminister111@yahoo”, I totally believe that’s you.
2 Cents* April 8, 2025 at 2:43 pm I got one while working as a contractor for a company where I 100% know the CEO has no clue who I am. It was hilarious.
The Formatting Queen* April 8, 2025 at 3:25 pm I was temping for a company for all of a day and a half when I got one of these. What gets me is how on earth did they even get my email address – I barely even knew it at that point, it had a lot of extra crap in it besides my name because I was a contractor. I don’t even think it had been shared with the temp agency yet.
Nightengale* April 8, 2025 at 9:53 pm I got one of those “I need a favor” once from someone in a national organization I am in who occasionally comes to my city to visit family. It seemed plausible she was actually in town and needed something that I could help with because I was local. Until the something turned out to be Apple gift cards. What is funny is about 4 years later she was in town and legitimately needed a favor and her initial e-mail subject was exactly the same as that fake one had been.
Madame Desmortes* April 8, 2025 at 2:30 pm I teach my students how to filter the fake phishes straight to trash. It can take some doing to force your email client to show you the full message headers, but once you pull THAT off, you can usually discover a header added by the fake-phish vendor that’s filterable. Haven’t seen one of those things in years, don’t miss ’em.
Momma Bear* April 8, 2025 at 3:08 pm Same. We’re supposed to report anything phishy so I would send it to IT. Let them track it down.
roann* April 8, 2025 at 3:21 pm Hell, I’d go ahead and copy Lucy on this email! Want her to be in the loop that her team may have been the subject of a phishing attempt! For Safety!
MigraineMonth* April 8, 2025 at 6:25 pm I get the idea, but that isn’t passive-aggressive. It isn’t even malicious compliance. Reporting a suspicious text the way you’re supposed to report phishing attempts is actually just regular compliance. I’m not saying you can’t get in trouble for following a reasonable policy in a reasonable way, but there’s a high chance of your boss looking like a loon if she tries to discipline you for it.
EchoGirl* April 8, 2025 at 8:02 pm And that’s assuming OP is even correct about Lucy being involved. I understand why OP is suspicious, but as others have said, it’s also entirely plausible that this actually is a phishing scam and Lucy has nothing to do with it.
PayRaven* April 9, 2025 at 11:25 am Yep, same! I often report emails that I’m pretty sure are legit but are just annoying, just for the satisfaction.
Bruce* April 8, 2025 at 2:22 pm I would go with the compliance path. That would force a documented investigation.
Bruce* April 8, 2025 at 7:32 pm Hey Bruce, looks like I should come up with a more unique name to use on this site :-)
RVA Cat* April 8, 2025 at 2:31 pm Do NOT answer the texts and report them. But if you were to reply, the only answer is “This company goes all the way to 11!”
Goldenrod* April 8, 2025 at 2:40 pm “the only answer is “This company goes all the way to 11!”” THIS. I’d be soooo tempted to mess with (potentially) Lucy in my response. LOL. But don’t do it, it makes way more sense to just ignore…
5 Stars* April 8, 2025 at 2:41 pm Ooh, I genuinely wonder if you work for my former boss. Everything in this letter describes them precisely. It’s probably not the same person, but definitely the same playbook. My old boss absolutely would have sent sketchy texts fishing for information. Then they would have used any responses (or even alleged responses) to further a bizarre and insecure personal agenda. Telling HR seems worthwhile, although it was a good path to getting fired in my former job. Anyone who went to HR or the grandboss was out within the next 2-3 months. My boss was very good at sucking up to the right people and knowing which manipulation tactics worked best…
2 Cents* April 8, 2025 at 2:41 pm OP: Report the text to HR/IT. Delete/block the number (maybe take a screenshot for posterity). Understand that Lucy is not your friend, is not a great manager, and is manipulating you (“I do so much, corporate is evil, and I get no recognition!”), and if you can’t get out and leave, at least CYA in your interactions.
A Pinch of Salt* April 8, 2025 at 2:47 pm per many hours watching Catfish—Plug the number into CashApp/Venmo/PayPal…they never cover those tracks…
Michele* April 8, 2025 at 2:47 pm I don’t believe that Lucy means well. I would bet that it’s not corporate saying how bad you all are but Lucy saying it to corporate. The bit about “joking” about being thrown under the bus pinged my radar as something the guilty do to deflect suspicion. Everything you write sounds like a person playing both sides and desperately needing them not to talk to each other.
Bruce* April 8, 2025 at 2:48 pm My company sends emails that test if we can be fooled by phishing emails, but this one sounds even more suspicious than those…
Not A Manager* April 8, 2025 at 2:48 pm I am a bad, bad person but my first thought would be to respond to the text from your own anonymous burner number. Say all the stuff you want to say. They asked for it, no?
Jellyfish Catcher* April 8, 2025 at 2:50 pm Your current employer has some issues. Begin searching for another position in a different company. Do not discuss that or any general unhappiness with your current job.
Observer* April 8, 2025 at 2:57 pm LW, Alison is totally on the mark here. Go to HR and present it as an “Is this legitimate or is it Spam or maybe even phishing?” question. If your boss gets on her high horse, don’t say anything about her but “This looked like it could have been a spam text, so we needed to check with HR.” And just keep repeating “We always need to check if something about the company came from the company” while trying to get away from the conversation. But do not engage or get into any real discussion with her! I agree that it might be a good idea to tell someone above you what is going on, but maybe wait till you find another job. And you *should* be looking for a new job. True, the job market is not the strongest it has ever been, but it’s also not the weakest. So even if you don’t find something tomorrow, you should be able to find something in due time. It’s not clear if your boss is a clear anomaly or not. But the fact that your department is clearly so far down on staffing and nothing seems to have been done about it is an orange flag for me. So job searching makes sense.
umami* April 8, 2025 at 2:57 pm ‘My coworker looked up the number in the white pages’ I mean, this is as far as I’ve gotten, and I had to laugh because when I was recently visiting my mom and promising to get a repairman to her house, I said to look it up in the yellow pages. I did not mean literally, but even my 80-year-old mom was like, um, we don’t have those anymore lol.
Joana* April 8, 2025 at 4:07 pm I mean, I think there’s an online version of it now that’s still called yellow pages. But other than that yeah. Except for some small pockets I thought we were past publishing people’s names, numbers and addresses for everyone to see! At least without a paywall. It’s still pretty easy to get personal info if you have a few dollars to throw at it.
Seeking Second Childhood* April 8, 2025 at 5:47 pm unfortunately phone numbers are all over the google results. They are often jumbled, but they have a frightening amount of real info. By jumbled, I mean things like I am shown having my late father-in-law’s cell phone as well as my old landline.
Geriatric Rocker* April 9, 2025 at 2:12 am No more Yellow Pages?! What do I put my computer monitor on now?? …Nanny, what’s a monitor?
Dolphins* April 8, 2025 at 2:59 pm The last time a former job got hit with a phishing text that a coworker fell for (gift card scam), it turned out to be specifically targeted towards our company—by a disgruntled ex-employee. In IT. Who had previously been fired (for very valid reasons). And was already harassing other employees (who had nothing to do with his firing) via other means. So this was yet something else to add to the FBI investigation (like I said, he was fired for very valid reasons). Anyway: do NOT respond to the text or click on any links in it. Tell IT about the text before you even tell HR. Don’t even get into who you think sent it, just say that you all got this text that seems very weird and like a phishing scam. The other stuff with Lucy is more of a “umm maybe just focus on polishing up the old resume” to be honest?
Paint N Drip* April 8, 2025 at 3:44 pm ooooh very juicy, a bad actor with a chip on his shoulder and insider info
learnedthehardway* April 8, 2025 at 3:02 pm The right way to deal with a suspicious email is to forward it to your IT or cyber security department, and flag that you are concerned that this is a phishing exercise. While it doesn’t seem to have a hyperlink, there are more ways to scam people than just taking over their computer. One is something called “social engineering”, where people try to build a relationship or influence your actions to get what they want. In this situation, for example, I can imagine someone naively sending an honest but negative review, and then being blackmailed with the threat that not providing insider information will result in their honest review being shown to their manager.
Kuddel Daddeldu* April 10, 2025 at 2:25 am Well put! You are absolutely right (part of my job is cyber security consulting).
Three Flowers* April 8, 2025 at 3:08 pm You could go to IT and report it as a data security issue (which it is–somebody is misusing all your phone numbers). You don’t have to mention any suspicions. Let the cybersecurity geeks do their job, they will go to HR with the evidence if necessary, and you’ll have the excuse of being a good corporate citizen who just thought there was a data breach and wanted to do their part to protect the company. Lucy sounds exhausting.
pally* April 8, 2025 at 3:12 pm Assuming Lucy sent these emails, it might be interesting to watch how long it takes for Lucy to get antsy over no one responding. Maybe she’ll send everyone a follow-up email.
Zarniwoop* April 8, 2025 at 3:18 pm Survey about company not from company source is sketchy. Whether it’s from crazy boss or regular scammer doesn’t matter; IT, HR, security need to know ASAP.
Zarniwoop* April 8, 2025 at 5:45 pm And if they trace it back to an unauthorized survey by Lucy they will Not Be Pleased, and your Lucy problem may get thoroughly solved.
Petty Miss Demeanor* April 8, 2025 at 3:25 pm I’d bait her into admitting this was sent by her. Give a rating of 3 and see what happens. She’ll either do nothing or she’ll respond somehow. The response traps her and you have more proof for HR.
Observer* April 8, 2025 at 5:30 pm No. Don’t try playing that game. If it’s a scammer, which is a real possibility, they will have you in knots in no time flat.
H.Regalis* April 8, 2025 at 3:27 pm Ugh, Lucy. No wonder people are leaving. I’d rather go to the dentist than listen to that litany on a daily basis. I hope you can get out of there too, LW.
Jan Levinson Gould* April 8, 2025 at 3:30 pm Lucy sounds like a female Michael Scott – insecure and weirdly scheming.
The Other Evil HR Lady* April 8, 2025 at 3:33 pm So… a couple of things: it *could* have been HR. My last employer could send out both full-blown review and pulse checks. Since y’all just did a full-blown one, HR might want to test the waters in your particular department as a follow-up to whatever they found. It’s a thing, and the software might have co-opted a disused phone number, as it does. That said, it’s so wild to me that one of the first instincts among your department was to suspect your manager of spying! Just that alone is a BIG problem that you should bring to someone’s attention – if your group feels confident that there will be no retaliation. There are bigger problems there than whether this text was phishing or a scam, obvs, but they seem to come from above.
Lana Kane* April 8, 2025 at 3:35 pm Lucy’s behavior is highly suspicious that there is something she’s trying to hide or cover up. I don’t think her team is a good place to be.
HR Ninja* April 8, 2025 at 3:38 pm OP: I may have missed this detail in the letter, but is the company public facing? If it is, does Lucy have access to client information? Not to go too far off the deep end but if she’s willing to do this to her own team, there may be a chance she’s unhinged enough to reach out to clients to try and build her case against the company
Observer* April 8, 2025 at 5:32 pm This is true. Which is another good reason to bring “We got this weird text” to HR / IT / InfoSec at your company. This way, whoever it’s from, the company can be protected if folks are competent.
AfternoonSleepy* April 8, 2025 at 3:41 pm I feel like you can easily ignore it, and if it ever comes up be like “Yeah I got this really weird phishing attempt the other day. You know it’s super unsafe to answer those things”
old lady* April 8, 2025 at 3:48 pm You’re working in the middle of a dumpster fire. Lucy only cares about Lucy. Don’t trust her to give factual info on your team to upper management. Look for another job – NOW!
RagingADHD* April 8, 2025 at 3:59 pm As is often the case with manipulative people, the best way to respond is the way a normal person would in a normal situation. Weird anonymous message asking about the company? Report it to IT or HR, or whatever type of phish-test system or corporate security procedure is in the handbook. That’s just the best professional practice regardless of any personal issues. And it has the added bonus of putting the kibosh on any internal shenanigans (if that’s what they are). If it gets traced back to Lucy and she gets in trouble for it, you’ll hear about it. She’s playing dumb games and getting dumb prizes.
Fluffy Fish* April 8, 2025 at 4:09 pm I would absolutely loop in HR and IT, not just that this is potential spam but since all your team got it as an Oh no, our company info might be compromised. If only you got it that would be one thing. But since your entire team got it that adds a different level of potential problem.
Nameless* April 8, 2025 at 4:44 pm No competent IT org is going to be annoyed at you reporting something that looks suspicious (ie, like phishing) to them. I’d wager most cyber security folks wish their colleagues would report more.
Plate of Wings* April 8, 2025 at 10:18 pm Absolutely! I recently reported something that looked like a major vulnerability, and even though it was a false alarm I could tell it was appreciated. I could not believe how profusely I was thanked for making a security department head frantically log in from home at 10pm his time lmao!
Lemons* April 8, 2025 at 4:44 pm Phishing attempt was my first thought. I’ve gotten phishing texts in the past from my boss’s number that said “Hi Lemons, it’s [Boss]. Ny phone is acting up, can you call me at [suspicious number].” Also, the random lady might not be involved at all, spams use real people’s numbers all the time.
Observer* April 8, 2025 at 5:33 pm “Also, the random lady might not be involved at all, spams use real people’s numbers all the time.” Very much this. Which points to phishing that your company should be aware of.
WS* April 9, 2025 at 12:10 am Yes, I once had someone call me up from New Zealand, really mad that I was trying to scam them. I had to explain about spoofed numbers but they actually took that pretty well!
Richard Hershberger* April 8, 2025 at 4:52 pm Yes, Lucy is weird. But what jumped out at me is “we all just completed the monthly multiple question survey the week before.” Huh? What’s up with that?
RagingADHD* April 8, 2025 at 5:05 pm If Corporate is having reputational issues, there are probably a lot of internal culture problems both contributing to and resulting from them. Lucy’s claim that “corporate is terrible” may be entirely true – even if her martyrdom is fictional.
Seeking Second Childhood* April 8, 2025 at 5:50 pm I can’t believe I had to go down this far to find someone’s surprise if they are asking these questions on a monthly basis. That in itself makes this company odd.
Nightengale* April 8, 2025 at 9:56 pm we get short culture surveys multiple times a year if only they actually led to a real culture change. . .
fhqwhgads* April 9, 2025 at 12:15 pm We get it once a year. Occasionally every 6 months if they just changed something big.
CzechMate* April 8, 2025 at 5:00 pm Somewhat funny, related story. I work at a university. I recently received an odd, obviously spammy, phishing-y email. Per our institution’s protocol, I forwarded it to the IT phishing email address and marked it as spam. I immediately received an email back saying, “Thank you for reporting the suspicious email. This was actually a phishing simulation designed to test our security awareness. Congratulations on spotting and reporting it!” So…it’s always entirely possible that it IS a bizarre internal test of whether you can spot spam.
Andytron* April 8, 2025 at 5:31 pm My company does those. You can usually tell because if you look at any of the links they will actually be somewhat humorous. Though once we received a survey that came from a super dodgy looking e-mail address that everyone must have immediately reported because HR followed up within the hour explaining that no, that was legit.
Oldsbone* April 8, 2025 at 5:50 pm Just answer completely off the wall. “This used to be a great company to work for but I fear that it’s gone downhill since they reduced our PTO and the Lizard People took over. I saw my boss shed her human skin and devour a puppy in her office when I was early for my performance review. When she saw me, she changed my performance to ‘Below expectations’ and put me on a PIP! I’m the best employee this place has! Oh, gotta go, someone’s at my door…” Probably don’t actually do this….
Nat20* April 8, 2025 at 10:49 pm Yeah, that seems somewhat common now. My husband’s company does so many fake phishing emails like that, at one point he and many others ignored/reported a “survey” that came from an external website & looked spammy as hell, but that turned out to be a legit survey HR wanted employees to take. Corporate was mad that so few people took the survey, but what did they expect! They were so pressed about constantly testing everyone on their email diligence that they “boy who cried wolf”-ed themselves.
Lucy in the Sky…* April 8, 2025 at 5:49 pm Lucy sounds like a former mid level boss who used to call in to conference calls and lurk to see if anyone talked about them. We all knew boss was doing this & all agreed to never mention them. Like they were completely irrelevant to our projects. Wouldn’t be surprised if they did this kind of text phishing by now.
Tiger Snake* April 8, 2025 at 5:55 pm Not sure how to get this seen, but since there’s all this talk about Phishing; it’s important to remind everyone that a phishing message can come in all sorts of shapes and sizes. It’s really hard to know for sure. So one thing to keep an eye out for is if there’s some kind of “Call to Action”. Whether it’s giving you a reason to respond and respond quickly. That can be emotional (‘your daughter’s voice asking for help’), it can be urgent (‘this is the last message before we initiate debt collection’), it can prey on expectations (‘we tried to deliver that package you were expecting but no one was home’), or it can prey on social conditioning and our deferral to authority, etc. Phishing wants to trigger your ‘I need to action’ rather than ‘I need to sit on this’ because they don’t want you to think about it. The best cultural shift we all need to adopt to deal with phishing is to learn to slow down, sit on things and try to apply critical thinking to see if a message makes sense and verify it through other sources before responding.
I Have RBF* April 8, 2025 at 7:21 pm It really doesn’t matter whether Lucy sent it, a friend of Lucy’s sent it, or if it’s a stranger who got your numbers: It’s smishing (SMS Phishing.) You and your teammates are correct in not responding. However, most corporate IT Security departments would want to know about it! So you all need to report it, with screen shots, etc., to your IT Security department. If it’s an HR issue, they should report it to HR. But currently it’s an IT Security issue. If it’s legit, they’ll tell you, but I really doubt it is.
I'm Suspicious* April 8, 2025 at 8:54 pm I really want to hear an update on this one! This sounds really suspicious, and is most definitely reportable to IT and I’d also loop in HR as well just to cover all bases. It might be Lucy, or it might be a serious data breach. Either way both departments need to know about it. I previously worked for a govt agency (not US) that occasionally sent out their own test phishing emails to raise awareness and teach people to be aware. But someone always knew what it was, there was no deception of HR or IT in those cases. It wasn’t a great situation, and to be honest I’m not sure it actually worked. This really doesn’t sound like a similar situation though.
Nat20* April 8, 2025 at 10:34 pm Oh man, I hope we hear an update on this one at some point, because I can just smell the drama about it incoming. OP, please let us know if anything comes of this! Also I’m sorry you’re dealing with this – not just the text weirdness but the manager herself. People who are overly self-deprecating for attention are exhausting already; I can’t imagine what it’s like to work for someone like that.
Dek* April 9, 2025 at 9:05 am I would definitely be in trouble if I went to HR before my boss for something like this
Observer* April 9, 2025 at 10:34 am “I would definitely be in trouble if I went to HR before my boss for something like this” That’s a *huge* red flag. You should never need your boss’ permission to go to HR. And in fact that’s effectively illegal for some types of things. But in your shoes, I would go to IT instead as this is really a cybersecurity issue. Or do you need their permission to report a threat to IT as well?
Wednesday wishes* April 9, 2025 at 9:36 am Absolutely report the text to HR and to your IT department. Someone is accessing the personal phone numbers of your employees. Lucy or not, this is a serious breach of privacy, and/or a breach of your computer systems.
Serious silly putty* April 9, 2025 at 10:44 am Or you all COULD reply to the text: “I rank this company 11/10, thanks to the leadership of my amazing boss, Lucy. Anything negative you heard about her is definitely not true. She has never told us to avoid talking to higher-ups about our experience with her.”
And thanks for the coffee* April 9, 2025 at 11:03 am Wait, what? “just completed the monthly multiple question survey” You really have a monthly multiple question survey? Is there really something that changes enough that a monthly survey is needed? I’m imagining all the employee time spent as well as someone spending time on summarizing the data and comparing it to previous surveys.
Random Awkward Memory* April 9, 2025 at 11:42 pm Back in grad school I had a professor who distributed an email list at the beginning of the semester so that the class could collaborate on projects, ask questions/study, etc. One night before something was due, we were discussing how it was a confusing assignment and some of the emails got mildly snarky about how the prof had poorly explained things in class, was disorganized, etc. The next day in class the professor went around the room quoting from the emails while standing next to the authors, embarrassing them while the rest looked on in horror. Later we (offline) traced all the email addresses back to their owners except one…the professor had included a personal spy email address on the list for…teaching us a lesson about watching what you say?! It wasn’t like she ever replied answering any of our questions, was just lying in wait until someone let their guard down and said something critical. It was such a wild thing to do.
Elio* April 9, 2025 at 11:52 pm The text message is (possibly) like “how do you do, fellow employees?”