They knew my name and my boss's. I bit.

I work in an office and read emails from my boss every day, so when a message used their name, our project shorthand, and an urgent tone, I treated it like another deadline—not a trap.

The thread asked me to buy gift cards, wire funds, or send a sensitive file—quiet, do not loop anyone else, reply now. I was rushing between meetings and did not want to seem difficult, so I acted without walking down the hall.

Spear phishing researches titles and relationships, then spoofs senders to extract money or access. I lost money and felt exposed because the attack felt personal, not random spam.

Urgent requests were normal from leadership, so the email felt plausible. I told myself verifying would slow the team down.

When I mentioned the errand in person, my boss said they had never sent that email. That single confused look was when I knew I had been spear phished.

Shame hit hard until IT reminded me these campaigns fool trained staff. Reporting and new verification habits helped more than hiding it.

I now call people on numbers I already have for any unusual money or access request. I wish I had done that before I clicked Send.

• Verify urgent requests on a known number—never only by replying to the email.
• Report to IT and the FTC.

For more help, see our Report a scam page and Spot and avoid scams guide.