The Scammer Threat to Your Hotline: Updated


Post By: Ted Banks, Partner, Scharf Banks Marmor LLC, Chicago

As was posted on July 17, several major companies reported getting fake hotline reports. There were a few variants, but the text within each variant was identical. Once the report was determined to be fake, it left people scratching their heads.  Nobody was really sure of the end game of whoever sent it out.  But we may have an answer.

Several of the companies that originally received the fake report have now received a message from one Ofir Gefen, who purports to be a Ph.D. candidate at the National University of Singapore. The messages were, according to Gefen’s email, part of a study to test response times of public companies based on whether the hotline call related to conduct that might benefit the company (e.g., bribery) or the language in the report.  Gefen said “Once the claim was made, we’ve only recorded your initial response and did not pursue the matter any further. Thereby interfering with your day-to-day business as little as possible.” He admitted that this study involved a deception, and that there were no real people involved. He tracked response times, and then said (to reassure the companies that received the message) that all identifiable information would be scrubbed, and then the data would be uploaded to Amazon Mechanical Turk (MTurk), which I had never heard of before.

Amazon describes this service as follows:  “Amazon Mechanical Turk (MTurk) is a crowdsourcing marketplace that makes it easier for individuals and businesses to outsource their processes and jobs to a distributed workforce who can perform these tasks virtually. This could include anything from conducting simple data validation and research to more subjective tasks like survey participation, content moderation, and more. MTurk enables companies to harness the collective intelligence, skills, and insights from a global workforce to streamline business processes, augment data collection and analysis, and accelerate machine learning development.”

I guess the explanation make sense, but there are a lot of unanswered questions. Mr. Gefen claims that his research was evaluated by the University’s Internal Review Board, but I find that hard to believe. Is it ethical to send false information to a person or company that will cause the expenditure of many hours of investigation at a significant cost?  (Can you shout “fire” in a crowded theater just to see how people react?). According to a very quick review by a faculty member at USC, the basis for approving this research is unclear.  Research involving deception of the subjects usually requires advance approval. It is possible that it was approved on the basis of having minimal risk, and the notification given to the “victims” after the study concluded?

But the whole thing troubles me. After admitting that deception was part of this study, can we rely on Gefen’s promise to remove identifying information about a company? I’m completely baffled about the role the MTurk plays in all of this. Even if there is no nefarious purpose to this project, it certainly raises questions about the procedures at the National University of Singapore. At the end of the day, the net result of this project is to undermine trust in a reporting system, which is never an acceptable price to pay.