Big thanks to member Sundance Banks for alerting us to what appears to be a pretty widespread whistleblower hoax, and to others who have provided more background over the last few days, including WilmerHale’s Susan Muck & Kevin Muck. Many companies maintain an email inbox at which employees can submit concerns about accounting or compliance matters, in addition to their third-party ethics hotline. An anonymous Gmail account has been pinging those inboxes with a message that starts like this:
Dear Ethics Committee,
I am a long-time employee, but for the purpose of this report, I request to remain anonymous. I also do not want to name the person this report is about, at least for the time being. I would like to bring to your attention an incident that happened a while back to see whether it warrants any action on my part.
My boss, whom I’ve worked with for years now, and in any respect had been a stand-up person I look up to, has confided in me about stock trading they’ve made the past year. He/She shared with me the fact that they’ve bought and sold a significant amount of [our company’s shares/one of our major business partner’s shares]. When I asked how often they traded and how much money did they earn, he/she just smiled and said: “let’s just say I know something others don’t. That’s what working in this company for __ years will get you”, indicating how long they worked in the company. A couple of days later, he/she called me to their office for a quick chat. We began talking about normal work affairs, but towards the end of the conversation, the boss asked me to close the door. When I did, he/she brought up the conversation about the stock trading again, telling me it’s probably for the best I don’t share this with anyone. I immediately responded that I didn’t and had no intention to do so. I also mentioned that this is not my business. The boss looked at me for a while and said that they knew they could count on me. They also mentioned that I am a very good employee and that he/she really appreciates me. The boss has been nothing but nice to me since then.
The message continues for a few more paragraphs and honestly seems pretty believable. But it quickly came to light as a scam when several companies contacted outside counsel about next steps, and the lawyers recognized that multiple clients were receiving very similar submissions. At least 25 companies have received this – the full number is likely much higher. Until Snopes starts debunking fake whistleblower messages, what should you do – or not do – if you receive this email or something like it?
1. Contact your outside counsel – a key takeaway here is that outside counsel can be very helpful in spotting commonalities that could be red flags.
2. Don’t respond until you’ve verified that the submission is legit – this is tricky, because whistleblower submissions typically trigger a cascade of policies & procedures, including prompt notification of directors and outside auditors, and responding to the whistleblower to get more information. But if you get this exact email, know that even regulators agree that it isn’t genuine and companies shouldn’t spend resources responding. They don’t want you engaging with potential criminals, if you can help it.
3. Don’t provide additional info to the whistleblower until you’ve verified that the submission is legit – again, this is delicate, but even responding with seemingly benign info could give the scammer points of contact in the legal, compliance or finance departments for future phishing schemes or illegitimate requests for money transfers.
4. Don’t download files or click on links – this version of the email doesn’t contain any files or links, but if you’ve already responded and received any sort of follow-up communication, don’t open it.
5. Alert your directors & auditors – this incident underscores the need for strong cybersecurity training and good email hygiene, and they should be on the lookout for scams.
6. Don’t forward the email – the scammer may be able to collect more email addresses if you do that. Copy & paste the content into a new message – or take a screenshot – if you need to share something that seems suspicious.
A very troubling aspect of this hoax – in addition to it coming at a time when the White House has warned all companies to be on high alert about cybercrime – is that it undermines an important system that companies and regulators rely on to prevent wrongdoing. I don’t want to suggest in any way that you ignore whistleblower complaints – but in light of this, it’s probably worth doing a gut-check with outside counsel before responding. I’ve been told that regulators are also taking this incident very seriously.
Quick Poll: What’s the Fake Whistleblower’s Endgame?
Like a chain email that just won’t stop, or one of those Facebook “warnings” from 2009 that periodically recirculates for no apparent reason, the endgame here is a bit of a mystery. Vote for your favorite theory in this anonymous poll:
– Liz Dunshee