The office worker has gone wrong already by panicking and failing to ask, “Is this actually from the boss?”
Always be asking “What am I looking at?”
Sure, but the boss can go wrong by creating an incentive structure in which questioning a message “from the boss” is unsafe.
Successful anti-phishing campaigns instill not only doubt (“Is this actually from the boss?”) but also permission to act on that doubt (“I’ve got the boss’s cell phone number already; when I’m not sure if the message is from the boss, I’m supposed to call the boss and check, with no chance of bad consequences for pestering her.”)