August 12, 2021

Whistleblower Hoax: Mystery Solved?

Our friends at WilmerHale tipped us off to this email message, which purports to be from the author of the hoax whistleblower emails received by a number of public companies over the past few months. The message says that the false reports were part of a research project led by a PhD student at the National University of Singapore. What’s this research project all about? This excerpt will give you the gist of its supposed purpose:

The purpose for the investigation was to see whether firms responded differently based on the identity of the sender and the route of the plane. We send seemingly identical messages from both customers and employees raising concerns ranging from alleged bribery, fraud and accounting mistakes. We varied the email to suggest that in some claims firms are perhaps benefiting from the alleged misbehavior whereas in others it is completely to their detriment.

We then compared the differences in response time, the quality of the response and the language used. Importantly, throughout our experiment, we’ve made sure no real names are used to not harm any real employee. The claims brought forth were completely fictitious and deliberately did not bare enough details to necessitate the launch of an investigation. Once the claim was made, we’ve only recorded your initial response and did not pursue the matter any further. Thereby interfering with your day-to-day business as little as possible.

Don’t you just love that these experts on the workings of U.S. public company whistleblower programs blithely state that their deception “did not bare enough details to necessitate the launch of an investigation”? Then they have the gall to pat themselves on the back for structuring their charade to “interfer[e] with your day-to-day business as little as possible.” If you ask me, there’s enough self-serving manure in this explanation to fertilize Nebraska.

There’s always the possibility that this communication is itself another hoax (it comes from a Gmail account, not a university address). If it is, then the plot has thickened considerably. On the other hand, if it is legitimate, it’s either the most disingenuous CYA attempt I’ve ever read or an admission of breathtaking recklessness on the part of everyone involved in signing off on this research project.

I’d be willing to wager that the aggregate fees and expenses recipient companies incurred in determining whether and how to investigate these false whistleblower allegations are easily in the hundreds of thousands of dollars. The cost could be even higher once you factor in the cybersecurity concerns raised after companies realized this was a hoax. The email says that companies are “free to withdraw their data” from the study, but must let the researchers know within a month. Frankly, if I received this, the only thing I’d be tempted to send to these folks within a month is an invoice.

If you do choose to reach out to the researchers, it’s probably best to contact the university by means of a hard copy letter, given the potential concerns about the authenticity of the email & the possibility that we might still be dealing with some kind of elaborate phishing scheme.

John Jenkins