Anonymous
05/03/2019 13:48
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Given that warnings were issued and that the employee could easily have checked the email address and determined that the request was not a legitimate one, I would be inclined not to reimburse. That said, you should also consider the following:
- Will the employee quit or become disgruntled if he/she is not reimbursed? Would this "cost" you more than whatever you'd be willing to reimburse?
- Do you have a sense of what the other employees will think of you as an employer if you do not reimburse?
If any of the above matters to you, then I would reimburse, but only part of the loss (max. half), depending on the employee's personal circumstances (% of the loss relative to their wage, whether he/she supports a family etc.).
- Will the employee quit or become disgruntled if he/she is not reimbursed? Would this "cost" you more than whatever you'd be willing to reimburse?
- Do you have a sense of what the other employees will think of you as an employer if you do not reimburse?
If any of the above matters to you, then I would reimburse, but only part of the loss (max. half), depending on the employee's personal circumstances (% of the loss relative to their wage, whether he/she supports a family etc.).
Anonymous
05/03/2019 13:26
Subject: Would you reimburse an employee who fell for a phishing scam?
The question is whether the employee was the only one targeted, or he/she was the only one that responded to the email out of how many other received said email.
Anonymous
05/03/2019 13:24
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seem abusive, cruel, inhumane and brutal to "absolutely" punish the employee.
You realize there’s a good chance the employee was in on the scam right?
Word. If I knew I could get reimbursed for $2000, buy gift cards and not lose my job, I'd be in. J/K But you'd be surprised how many people would try.
Anonymous
05/03/2019 13:20
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seem abusive, cruel, inhumane and brutal to "absolutely" punish the employee.
You realize there’s a good chance the employee was in on the scam right?
Anonymous
05/03/2019 13:18
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:I think your only argument for reimbursing is that it's the first time and can be used as a lesson and reiteration. And that the company won't pay again.
It really sucks.
I think also with your boss, you want to go over the entire scenario - how valuable is this employee? How much trust have you lost in him/her? Does not reimbursing mean the employee loses trust in the company and will be gone soon? Etc.
Overall, as much as it sucks for the employee, I have to say I lean strongly toward not reimbursing, based on everything you have said here.
IF this person is the boss's assistant that's maybe the only way I would feel ok about reimbursing - that person may be more likely to follow orders, even if they are unusual, on the weekend, etc.
Nope. Especially if it’s the bosses assistant, they should know the bosses personal email. They should also be familiar with bosses communications style. If it’s the bosses assistant, that person needs to be fired - immediately!!!
Anonymous
05/03/2019 13:16
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:In my old job, IT sent out quarterly emails on phishing and even would send various employees phishing emails to test them and then talk to their manager and them.
Sorry but this person is an idiot or in on the scam. No CEO would ever do this. I wouldn't compensate him. If he leaves, no biggie as I'd be afraid what other gullible things he could do.
This is what you need to be worried about.
Immediately after you warm employees about phishing scams, the employee falls for a phishing scam?
He is either ver, very stupid or he thought this would be an easy way to get a couple grand.
Anonymous
05/03/2019 13:08
Subject: Would you reimburse an employee who fell for a phishing scam?
I think your only argument for reimbursing is that it's the first time and can be used as a lesson and reiteration. And that the company won't pay again.
It really sucks.
I think also with your boss, you want to go over the entire scenario - how valuable is this employee? How much trust have you lost in him/her? Does not reimbursing mean the employee loses trust in the company and will be gone soon? Etc.
Overall, as much as it sucks for the employee, I have to say I lean strongly toward not reimbursing, based on everything you have said here.
IF this person is the boss's assistant that's maybe the only way I would feel ok about reimbursing - that person may be more likely to follow orders, even if they are unusual, on the weekend, etc.
It really sucks.
I think also with your boss, you want to go over the entire scenario - how valuable is this employee? How much trust have you lost in him/her? Does not reimbursing mean the employee loses trust in the company and will be gone soon? Etc.
Overall, as much as it sucks for the employee, I have to say I lean strongly toward not reimbursing, based on everything you have said here.
IF this person is the boss's assistant that's maybe the only way I would feel ok about reimbursing - that person may be more likely to follow orders, even if they are unusual, on the weekend, etc.
Anonymous
05/03/2019 12:08
Subject: Would you reimburse an employee who fell for a phishing scam?
Reimburse the employee, but have THEM give the next presentation on cyber threats/phishing scams as a 'lesson learned.'
I would also make it clear in future trainings that the company is NOT RESPONSIBLE for personal monetary losses from phishing schemes.
In the end, you never know if someone might be part of the 'ring' (i.e. Cathy says she was phished by a scam email and gives $2K of her own money, she knows her small business employer will take pity on her and reimburse her, PLUS she gets a cut from the scam artist.) I'm not saying that happened here, but if your company has a policy that doesn't hold employees accountable, then they could find ways to take advantage.
I would also make it clear in future trainings that the company is NOT RESPONSIBLE for personal monetary losses from phishing schemes.
In the end, you never know if someone might be part of the 'ring' (i.e. Cathy says she was phished by a scam email and gives $2K of her own money, she knows her small business employer will take pity on her and reimburse her, PLUS she gets a cut from the scam artist.) I'm not saying that happened here, but if your company has a policy that doesn't hold employees accountable, then they could find ways to take advantage.
Anonymous
05/03/2019 11:48
Subject: Would you reimburse an employee who fell for a phishing scam?
The responses here are interesting: either be humane and pay or absolutely don't pay. Some of the responses seem cruel and inhumane and don't seem to care that this may be a lot of money to someone and that they were acting in good faith even if foolishly. Why be so cruel and not try to help the employee in an honest mistake? If anything, the phishing attack was against the company, not the individual employee. If the employee was acting in good faith, why would the company not help? Seem abusive, cruel, inhumane and brutal to "absolutely" punish the employee.
Anonymous
05/03/2019 11:47
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:Definitely not. Your employee is a moron.
This. Is the person older? Still should have known.
Op commented that the person is under 40 .
Anonymous
05/03/2019 11:46
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Definitely not. Your employee is a moron.
This. Is the person older? Still should have known.
Anonymous
05/03/2019 11:45
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.
If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.
Just re-read and saw where you said $2k. Even if you have coverage, that’s probably not much more than your retention, if not less.
We do have cyber coverage but the loss is the same as our retention.
Anonymous
05/03/2019 11:35
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.
If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.
Just re-read and saw where you said $2k. Even if you have coverage, that’s probably not much more than your retention, if not less.
Anonymous
05/03/2019 11:32
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
OP, how much was the loss? I think you said thousands, maybe give us a range — e.g., $1-3k, $3-7k, $7-10k. Does your company have an insurance policy covering cyber breach/eCrime? If so, it’s possible that you have some coverage for the loss there, but it would depend on the policy and you probably have a deductible/retention associated with it so it would have to be more than the deductible/retention amount.
If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.
If you don’t have any kind of cyber coverage, you should talk to your broker about that because recovery from cyber breaches can be incredibly expensive.
Anonymous
05/03/2019 10:25
Subject: Would you reimburse an employee who fell for a phishing scam?
Good god this isn’t hard
1) Employee fell for a very simple phishing scam
2) Employee didn’t use good judgement
3) Employee didn’t verify request despite it being weird and uncharacteristic
4) Employee used own funds without checking with anyone
5) Company warned employees 2 weeks ago
6) IT systems were not breached in any way
It sucks for them, but no. This is no different than if someone emailed the employee at their gmail address from another gmail address and they feel for it. The only relationship toy eh company is that the company’s name was used - without their knowledge.
1) Employee fell for a very simple phishing scam
2) Employee didn’t use good judgement
3) Employee didn’t verify request despite it being weird and uncharacteristic
4) Employee used own funds without checking with anyone
5) Company warned employees 2 weeks ago
6) IT systems were not breached in any way
It sucks for them, but no. This is no different than if someone emailed the employee at their gmail address from another gmail address and they feel for it. The only relationship toy eh company is that the company’s name was used - without their knowledge.