We Just got Scammed! You Did What?! Employees and Online Scams

Here’s a real life scenario from one of our members:

An employee receives an email from the CEO directing them to immediately purchase gift cards using their personal credit card. The email convincingly describes an urgent need to have this done right away, to bypass typical protocols, and promises that the company will reimburse the employee. Further, the employee is directed to reply to the email immediately upon purchase, sending the gift card security codes to the CEO for safekeeping.

The employee does as directed. When the employee submitted their reimbursement request, it came to light that the CEO never made such a request. The employee fell for a fairly low-tech, but very costly, scam. The employee spent thousands of dollars of personal funds, and the company had to decide how to respond. Should they let the employee be personally responsible? Should they reimburse the employee? Should any corrective action be taken against the employee?

What would you do?

Sophisticated scams like phishing and spoofing are ever increasing in complexity and frequency, and your employees are being targeted. When an employee falls for a predatory online scam while doing their daily work, and that scam costs their employer money, what recourse does the employer have?

As with most employee performance issues, what actions are taken depends on the specific facts of the situation and often on what laws and workplace policies are in place. An employer's strongest basis for holding an employee accountable for their workplace actions is to define the policies and procedures employees must follow in the course of their work. If the employee fails to comply, and this can be clearly identified and documented, then the employer is in a strong position to take disciplinary action, including termination of employment and seeking financial redress from the employee.

To avoid such worst-case scenarios, employers must take proactive steps to protect their workplaces, including:

  • Draft a policy
    • Advise employees of their personal responsibility to be aware of and follow certain steps to safeguard the interests of the company.
    • Include who to contact in case of questions or how to deal with suspicious messages in any form.
    • Welcome and invite critical thinking of emails, texts, phone calls and voice messages.
    • If this is not part of an overall handbook update, you could have employees sign an acknowledgment of this policy and place it in their file.
  • Define protocols
    • Develop clear protocols that all employees must follow when asked to spend money or make purchases.
    • Communicate such policies to all employees.
  • Train all employees
    • All new employees must be trained as soon as possible upon hire.
    • Existing employees need ongoing training to be reminded of threats, policies, etc.
  • Define consequences for non-adherence to policy
    • Explain that not adhering to the policy is not acceptable.
    • Depending on the specific facts of a situation, an employee may be held personally responsible to repay costs incurred by the employer, pursuant to a written policy and acknowledgment of that policy.
  • Vigilance
    • Online threats are constantly and quickly evolving.
    • New approaches and training must be ongoing.
  • Expertise
    • Cyber security must occur at all levels, from front line staff training to high level consulting.
    • Develop internal expertise, as possible, and assign leadership on this topic to someone who can be held accountable to safeguarding the workplace against these threats.
    • If internal expertise is lacking, seek external assistance from qualified cyber security consultants.

With strong preemptive measures like the above in place, an employer is in a strong position to take action when an employee makes egregious errors, takes careless actions, or wantonly ignores policies, and thereby incurs expense to the organization.

For help developing workplace policies and practices to safeguard your workplace, contact Employers Council.