Would you reimburse an employee who fell for a phishing scam?

Anonymous
Good god this isn’t hard

1) Employee fell for a very simple phishing scam
2) Employee didn’t use good judgement
3) Employee didn’t verify request despite it being weird and uncharacteristic
4) Employee used own funds without checking with anyone
5) Company warned employees 2 weeks ago
6) IT systems were not breached in any way

It sucks for them, but no. This is no different than if someone emailed the employee at their gmail address from another gmail address and they fell for it. The only relationship to the company is that the company’s name was used - without their knowledge.
Anonymous
OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.

If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.
Anonymous
Anonymous wrote:OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.

If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.


Just re-read and saw where you said $2k. Even if you have coverage, that’s probably not much more than your retention, if not less.
Anonymous
Anonymous wrote:
Anonymous wrote:OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.

If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.


Just re-read and saw where you said $2k. Even if you have coverage, that’s probably not much more than your retention, if not less.


We do have cyber coverage but the loss is the same as our retention.
Anonymous
Anonymous wrote:Definitely not. Your employee is a moron.


This. Is the person older? Still should have known.
Anonymous
Anonymous wrote:
Anonymous wrote:Definitely not. Your employee is a moron.


This. Is the person older? Still should have known.


Op commented that the person is under 40.
Anonymous
The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seems abusive, cruel, inhumane and brutal to "absolutely" punish the employee.
Anonymous
Reimburse the employee, but have THEM give the next presentation on cyber threats/phishing scams as a 'lesson learned.'

I would also make it clear in future trainings that the company is NOT RESPONSIBLE for personal monetary losses from phishing schemes.

In the end, you never know if someone might be part of the 'ring' (i.e. Cathy says she was phished by a scam email and gives $2K of her own money, she knows her small business employer will take pity on her and reimburse her, PLUS she gets a cut from the scam artist.) I'm not saying that happened here, but if your company has a policy that doesn't hold employees accountable, then they could find ways to take advantage.
Anonymous
I think your only argument for reimbursing is that it's the first time and can be used as a lesson and reiteration. And that the company won't pay again.

It really sucks.

I think also with your boss, you want to go over the entire scenario - how valuable is this employee? How much trust have you lost in him/her? Does not reimbursing mean the employee loses trust in the company and will be gone soon? Etc.

Overall, as much as it sucks for the employee, I have to say I lean strongly toward not reimbursing, based on everything you have said here.

IF this person is the boss's assistant that's maybe the only way I would feel ok about reimbursing - that person may be more likely to follow orders, even if they are unusual, on the weekend, etc.

Anonymous
Anonymous wrote:In my old job, IT sent out quarterly emails on phishing and even would send various employees phishing emails to test them and then talk to their manager and them.

Sorry but this person is an idiot or in on the scam. No CEO would ever do this. I wouldn't compensate him. If he leaves, no biggie as I'd be afraid what other gullible things he could do.


This is what you need to be worried about.

Immediately after you warn employees about phishing scams, the employee falls for a phishing scam?

He is either very, very stupid or he thought this would be an easy way to get a couple grand.

Anonymous
Anonymous wrote:I think your only argument for reimbursing is that it's the first time and can be used as a lesson and reiteration. And that the company won't pay again.

It really sucks.

I think also with your boss, you want to go over the entire scenario - how valuable is this employee? How much trust have you lost in him/her? Does not reimbursing mean the employee loses trust in the company and will be gone soon? Etc.

Overall, as much as it sucks for the employee, I have to say I lean strongly toward not reimbursing, based on everything you have said here.

IF this person is the boss's assistant that's maybe the only way I would feel ok about reimbursing - that person may be more likely to follow orders, even if they are unusual, on the weekend, etc.



Nope. Especially if it’s the boss's assistant, they should know the boss's personal email. They should also be familiar with the boss's communication style. If it’s the boss's assistant, that person needs to be fired - immediately!!!
Anonymous
Anonymous wrote:The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seems abusive, cruel, inhumane and brutal to "absolutely" punish the employee.



You realize there’s a good chance the employee was in on the scam right?


Anonymous
Anonymous wrote:
Anonymous wrote:The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seems abusive, cruel, inhumane and brutal to "absolutely" punish the employee.



You realize there’s a good chance the employee was in on the scam right?



Word. If I knew I could get reimbursed for $2000, buy gift cards and not lose my job, I'd be in. J/K But you'd be surprised how many people would try.
Anonymous
The question is whether the employee was the only one targeted, or he/she was the only one that responded to the email out of how many other received said email.
Anonymous
Given that warnings were issued and that the employee could easily have checked the email address and determined that the request was not a legitimate one, I would be inclined not to reimburse. That said, you should also consider the following:
- Will the employee quit or become disgruntled if he/she is not reimbursed? Would this "cost" you more than whatever you'd be willing to reimburse?
- Do you have a sense of what the other employees will think of you as an employer if you do not reimburse?
If any of the above matters to you, then I would reimburse, but only part of the loss (max. half), depending on the employee's personal circumstances (% of the loss relative to their wage, whether he/she supports a family etc.).