Not necessary. It can just be coincidence. It happened to me in different occasion, where I helped a 60y old to set up online dating. She was very active without care. So, her contact book has been accessed by some dating app and then me got a few unwanted WhatsApp calls by foreign numbers.

So, may be she told a few people her new work number. They saved it to their devices, which had an malicious app running.

Not necessarily you're compromised. May be her contact is listed in your webpage? That happened to me too, where the employer decided to put clear text href email address publicly on the website. The machinery acted quickly. By finding information like "sales" or "customer service", connections can be made. So Phishing is more effective.

But still. For me, it would be an alarm sign to trigger an investigation. If there is no public listing of contact information, then its likely in the inner rings. Because.. knowing that you're CEO and writing in your name to a new mobile number, it looks like spearphishing.

The only way to protect is to train train train. Why did she mark it as spam in slack? Because she used her suspectsissity and her feelings. Let her tell the others how she came to the conclusion it's spam. There won't be much she will tell (I think) but it will raise sensitivity with others, because they'll remember the story..

Often it isn't you that is leaking data but one of your suppliers or customers which also have contact info of your employees. If you have many suppliers and customers, you can be sure that the names, positions and contact information of your employees is available to hostile third parties at some point.

It could also be a data from a broker because those do sell such data as well and online services sadly do not care too much for privacy.

We often get spam where attackers even faked our mail signatures (the one you put at the end of your mail, not the signature to verify your domain).

"That cannot be a real mail from the boss, he would never be that friendly"

If this is her personal phone number, then it's likely available from any number of "legitimate" data brokers; plus likely would be part of various database dumps you can buy on the dark web. It's pretty easy for someone who knows what they're doing to spend a few minutes of research on social media to find several employees of a small company, lookup their personal contact info, and message them claiming to be the company's CEO.

To protect your employees, let them know that either a) you'll never call or text their personal phone number; or b) if you call or text, it will always be from a known good phone number (which they can put in their phone's contacts).

There's always the possibility that someone inside the company plays games...

It sounds like your systems are compromised somewhere. What does your cybersecurity program look like?

(I thought) We had a secure approach (in terms of guarded 2FA credentials, no credential sharing, security training, etc), but this has me concerned. The only place we store phone numbers of employees is in Gusto, to my knowledge, plus my personal Contacts and whoever that employee has shared their contact with personally.

I'm also unsure how concerned to be about this...

Perhaps it's from the other end, and the employee's phone number and employment-info is insufficiently-private on social media?

Some scam-bot could be set to notice notice when people change jobs, use the company name to look up names of CEOs etc, and then fire off messages.