The Scammer Threat to Your Hotline


By Ted Banks, Partner, Scharf Banks Marmor LLC, Chicago

Anyone involved with employee reporting systems (we’ll call them hotlines for short) is accustomed to dealing with less-than-perfect reports.  Calls or emails may come in without sufficient information to allow an investigation, or the report may relate to an HR rather than a compliance problem, or it simply may be false.  There is a new wrinkle to the false report problem that deserves careful attention.  Instances of it have been summarized in, and reported by members of, the North Shore Compliance Officers’ Roundtable (a Chicago-area group).

Scammers are now submitting false reports that, at first glance, appear to be legitimate.  Of course, this normally results in an investigation.  At best, this becomes a huge waste of time when the report proves to be bogus.  If a specific individual is named, there is a risk of the false anonymous accusation hurting the reputation of the named person, or worse.  As with any suspicious email that comes in, there can be a document attached or a web link included, either of which may be malicious.

How do you tell if a report is not legitimate?  Look for details that don’t seem right.  Phishing emails are often revealed by spelling or grammar errors, but employees who make reports to hotlines may innocently make those mistakes, too, so that is not necessarily a giveaway.  Look for facts that don’t make sense for your company, which would suggest the use of a form text.  One member of the North Shore group reported that she was suspicious of a report “because it referenced information not at all pertinent to our business – we’re in healthcare and issue referenced and indicated inappropriate vendor communications with a superintendent of schools.”

There seem to be some “standard” fake report texts that are being circulated, which include the following language:

“My boss, whom I’ve worked with for years now, and in any respect had been a stand-up person I look up to, has confided in me about stock trading they’ve made the past year.” [It then goes on to detail insider trading activities.]

“A while back, a few of us went to grab drinks after work, and a conversation soon ensued. We were discussing work matters, and specifically our client relationships, and things of that nature, when Doe leaned over and whispered so that only I could hear that the best way to retain your clients is to keep them happy if I know what they mean.”  [It then goes on to detail how to give gifts (inappropriate, of course) to a good customer.]

“Recently, I found out that for invoices in at least one firm, (I found out it happened multiple times) he adds a large upcharge before having us send them out. I have no idea what he claimed under that upcharge, but I’m sure of it, because a buddy of mine working in that firm in their accounting department confirms it. I did a little digging and found that the invoices are always billed to the same customer- a big company we have been working with for a long time.” [It then goes on to provide more details.]

If you get a message that you are sure is phony (like being a carbon copy of one of these), there is no need to respond.  If you are unsure, it probably does not hurt to respond (if your system allows it) to see if you get any more information.  Most senders of the phony messages do not respond.  But if they do respond and ask you for information, don’t bite.  Like a law enforcement investigation, it is your job to ask the questions.  If it is a phony report, treat it like a phishing email: don’t click on links or open attachments, and don’t forward the message. You may wish to engage outside counsel for advice.  The phony reports should be included in your regular hotline reports to management or the board, unless they want to hear about them sooner.  Your documentation may be as simple as “We investigated and determined that the report was not legitimate [for the following reasons] and closed the file.”  If the number of phony reports seems to be increasing, that fact should probably be reported.

If in doubt, investigate, but with care.  The dilemma, of course, is that anything that undermines a trusted method of reporting anonymously is scary.  Attempts to learn the identity of the sender basically run counter to a company’s promise of anonymity – and if it is easy to do so, then there is a problem with your reporting system.  For now, the best course is to be careful and, if something causes you to become suspicious, to look for the bread crumbs of fakeness and get help if you are not sure how to proceed.