Anonymous
05/02/2019 19:35
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Somebody posted this exact same scenario but they were the employee.
New poster: this also happened at my workplace last week. An older coworker bought 2 gift cards though the provided link, which sent her bank info and the gift card codes to the scammer. She thought they were for an incentive program.
Anonymous
05/02/2019 19:33
Subject: Would you reimburse an employee who fell for a phishing scam?
I'd reimburse because I'd feel bad if I didn't. Then I'd said an email stating someone fell for the scam (leave out names). Reiterate the signs of a scam, give specific directions of who to call or what to do if they get something suspicious, that even if it appears to be a legitimate email, please check with X person before spending money, do not hit reply to an email before verifying whether or not it's spam, and most importantly, going forward if someone does fall for the scam and does not do the proper steps beforehand, they will not be reimbursed
Anonymous
05/02/2019 18:33
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:The confounding factor here is you admit that your company is not doing a good job of blocking such phishing emails. I think you should reimburse them.
My DH got the same phishing email from his boss. He laughed out loud.
This is like falling for the Nigerian prince scam.
Forgot to finish. Would you reimburse for that too?
Also, by responding, his email got flagged as live. It will be sold to scammers at a premium because they found a confirmed idiot. He’ll be getting lots more phishing emails and they will be more sophisticated than the gift card one.
Are you going to reimburse that too?
Anonymous
05/02/2019 18:27
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:Our company has been getting a lot of phishing emails lately. We are working hard with our IT vendors to deal with this and have sent two high priority emails to staff telling them to be careful, explaining what these scams are and what to look out for, and giving steps of what they should do if they receive one.
Over the weekend an employee got an email at their work email address that looked like it was coming from the CEO, asking them to purchase gift cards for him. The employee followed the instructions and wound up spending $2k of their own money on gift cards. When we discovered what happened we instructed the staff member to contact their credit card company, bank and the gift card vendor. All of these told him that since they bought the cards legitimately there is no recourse on their end. I instructed the employee to also file a police report.
From the company perspective we do not feel that we should reimburse the staff member for this cost. I feel terrible for them, but we had sent warnings about this very scenario. Also, the request itself was not anything our CEO would ever ask a staff member to do, so the staff member really should have known better.
Is there anyone that thinks the company should pay the staff member back? Is there anything else we can do?
This is a great topic. You should take your question to Ask A Manager.
FWIW I don't think the employee needs to be reimbursed, because the company warned everybody (twice!) shortly before the incident.
Already been done. See #2: https://www.askamanager.org/2019/02/my-friend-is-bombarding-me-with-urgent-messages-while-im-at-work-i-fell-for-an-email-scam-and-more.html
Anonymous
05/02/2019 18:26
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:The confounding factor here is you admit that your company is not doing a good job of blocking such phishing emails. I think you should reimburse them.
My DH got the same phishing email from his boss. He laughed out loud.
This is like falling for the Nigerian prince scam.
Anonymous
05/02/2019 17:44
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Our company has been getting a lot of phishing emails lately. We are working hard with our IT vendors to deal with this and have sent two high priority emails to staff telling them to be careful, explaining what these scams are and what to look out for, and giving steps of what they should do if they receive one.
Over the weekend an employee got an email at their work email address that looked like it was coming from the CEO, asking them to purchase gift cards for him. The employee followed the instructions and wound up spending $2k of their own money on gift cards. When we discovered what happened we instructed the staff member to contact their credit card company, bank and the gift card vendor. All of these told him that since they bought the cards legitimately there is no recourse on their end. I instructed the employee to also file a police report.
From the company perspective we do not feel that we should reimburse the staff member for this cost. I feel terrible for them, but we had sent warnings about this very scenario. Also, the request itself was not anything our CEO would ever ask a staff member to do, so the staff member really should have known better.
Is there anyone that thinks the company should pay the staff member back? Is there anything else we can do?
This is a great topic. You should take your question to Ask A Manager.
FWIW I don't think the employee needs to be reimbursed, because the company warned everybody (twice!) shortly before the incident.
Anonymous
05/02/2019 17:35
Subject: Would you reimburse an employee who fell for a phishing scam?
The company only pays if the company was in some way at fault. Just because the scammer used the CEO's name doesn't mean the CEO is responsible. The CEO had nothing whatsoever to do with this.
My mom was on the receiving end of one of these using my brother's name. She almost fell for it, but decided to check with his wife first (lolz on the dynamic there). But had she sent the money to the scammer, would you expect my brother to have to pay my mom back? What if the scammer used the next door neighbors name? The mayors name? Your child's teacher's name? Who reimburses if the scammer uses your spouse's name and you fall for it?
Only if the company is at fault in some way does the employee get reimbursed.
My mom was on the receiving end of one of these using my brother's name. She almost fell for it, but decided to check with his wife first (lolz on the dynamic there). But had she sent the money to the scammer, would you expect my brother to have to pay my mom back? What if the scammer used the next door neighbors name? The mayors name? Your child's teacher's name? Who reimburses if the scammer uses your spouse's name and you fall for it?
Only if the company is at fault in some way does the employee get reimbursed.
Anonymous
05/02/2019 17:21
Subject: Would you reimburse an employee who fell for a phishing scam?
OP, if you are certain the employee made a honest mistake and is otherwise good at their job you could consider compensating them at least partially. But I would question their judgement.
Anonymous
05/02/2019 17:19
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:I might fire them for being stupid. What if they had done something that damaged the company?
+1.
They could have compromised the whole network.
+1
Our IT folks are constantly reminding us to check with them before opening anything that looks even remotely suspicious.
Anonymous
05/02/2019 17:19
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Anonymous wrote:I might fire them for being stupid. What if they had done something that damaged the company?
+1.
They could have compromised the whole network.
This wasn’t really phishing per se, the employee just got scammed. No harm done to any computer systems.
I know someone who fell for this the first week at a new job. Didn’t know the company culture and wasn’t aware of the scam. I don’t think they had any recourse.
Anonymous
05/02/2019 17:18
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
I would not repay and on top of that, I would fire him/her.
Anonymous
05/02/2019 17:12
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:I might fire them for being stupid. What if they had done something that damaged the company?
+1.
They could have compromised the whole network.
Anonymous
05/02/2019 17:11
Subject: Re:Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:The confounding factor here is you admit that your company is not doing a good job of blocking such phishing emails. I think you should reimburse them.
Why would the employee not verify the request first and why would they spend such a large amount of their own money? We have a department credit card that is used for any purchases over $100. Many places have similar arrangements.
I would question their competence.
Anonymous
05/02/2019 17:10
Subject: Would you reimburse an employee who fell for a phishing scam?
Anonymous wrote:Is it routine for the CEO of your company to make such requests of staff? The employee should have verified the request first.
No
Anonymous
05/02/2019 17:09
Subject: Would you reimburse an employee who fell for a phishing scam?
For those who think the company should pay, what is your main rationale? Is it because it got past a filter in the company email? Or is it because the staff member thought she was doing something for the CEO?
If it is the former, would you feel the same way if it was a pfishing email that did not come from the CEO? In other words, if a more generic phishing email (one that did not spoof the CEO) came through to an employee on their work account and they fell for it, do you think the company should be responsible for that as well simply because it came through company email?
If it is the former, would you feel the same way if it was a pfishing email that did not come from the CEO? In other words, if a more generic phishing email (one that did not spoof the CEO) came through to an employee on their work account and they fell for it, do you think the company should be responsible for that as well simply because it came through company email?