Anonymous wrote:

Anonymous wrote:
You need to reimburse because it was the first time and you did not adequately explain.

You convene a company wide meeting which all must attend, you explain what happened, and you say that in the future, no one will be reimbursed.

What was not adequately explained? There were warnings sent out. Are you saying that it should have been explicitly stated that if someone spent their own money on a scam they wouldn't be reimbursed?

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:Our company has been getting a lot of phishing emails lately. We are working hard with our IT vendors to deal with this and have sent two high priority emails to staff telling them to be careful, explaining what these scams are and what to look out for, and giving steps of what they should do if they receive one.

Over the weekend an employee got an email at their work email address that looked like it was coming from the CEO, asking them to purchase gift cards for him. The employee followed the instructions and wound up spending $2k of their own money on gift cards. When we discovered what happened we instructed the staff member to contact their credit card company, bank and the gift card vendor. All of these told him that since they bought the cards legitimately there is no recourse on their end. I instructed the employee to also file a police report.

From the company perspective we do not feel that we should reimburse the staff member for this cost. I feel terrible for them, but we had sent warnings about this very scenario. Also, the request itself was not anything our CEO would ever ask a staff member to do, so the staff member really should have known better.

Is there anyone that thinks the company should pay the staff member back? Is there anything else we can do?

This is a great topic. You should take your question to Ask A Manager.
FWIW I don't think the employee needs to be reimbursed, because the company warned everybody (twice!) shortly before the incident.

Already been done. See #2: https://www.askamanager.org/2019/02/my-friend-is-bombarding-me-with-urgent-messages-while-im-at-work-i-fell-for-an-email-scam-and-more.html

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:
You need to reimburse because it was the first time and you did not adequately explain.

You convene a company wide meeting which all must attend, you explain what happened, and you say that in the future, no one will be reimbursed.

What was not adequately explained? There were warnings sent out. Are you saying that it should have been explicitly stated that if someone spent their own money on a scam they wouldn't be reimbursed?

Yes - or something along those lines explicitly warning employees not to spend their own funds on company requests.

Your IT security sucks. And yes your employee should have exercised better judgment, but there's a reason that phishing scams are still around - people fall for them.

I'd use this as a teaching and learning moment. You need an in-person all hands and new guidance to employees - don't use personal funds, any weekend tasking won't be via email, whatever.

I think not reimbursing the employee could badly damage morale. It's just not a good look that your staff is left holding the bag because your IT security is so poor that a scammer successfully impersonated your CEO to the tune of $2k.

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:

Anonymous wrote:Our company has been getting a lot of phishing emails lately. We are working hard with our IT vendors to deal with this and have sent two high priority emails to staff telling them to be careful, explaining what these scams are and what to look out for, and giving steps of what they should do if they receive one.

Over the weekend an employee got an email at their work email address that looked like it was coming from the CEO, asking them to purchase gift cards for him. The employee followed the instructions and wound up spending $2k of their own money on gift cards. When we discovered what happened we instructed the staff member to contact their credit card company, bank and the gift card vendor. All of these told him that since they bought the cards legitimately there is no recourse on their end. I instructed the employee to also file a police report.

From the company perspective we do not feel that we should reimburse the staff member for this cost. I feel terrible for them, but we had sent warnings about this very scenario. Also, the request itself was not anything our CEO would ever ask a staff member to do, so the staff member really should have known better.

Is there anyone that thinks the company should pay the staff member back? Is there anything else we can do?

This is a great topic. You should take your question to Ask A Manager.
FWIW I don't think the employee needs to be reimbursed, because the company warned everybody (twice!) shortly before the incident.

Already been done. See #2: https://www.askamanager.org/2019/02/my-friend-is-bombarding-me-with-urgent-messages-while-im-at-work-i-fell-for-an-email-scam-and-more.html

Ask a Manager is spot on here.

Anonymous wrote: The human side of me says you should reimburse half. The business side of me says you should not because they have been worn twice, it was a Gmail address, it was a ridiculous request, it was completely outside of her job duties, it shows a complete lack of judgment. And not that it matters that they’re under 40 but I would expect an older person to fall for such a scam but not somebody who is under 40 and has been around technology for many years.

Like I said, on a personal level I feel badly for the employee. If your company is able to afford it, perhaps reimburse half. Would it be tax-deductible at the end of the year? I would also hold an all company mandatory training ASAP about computer security, phishing etc.