Courts are now looking at whether individual employees – and not just corporate officers – could personally be on the hook for business email compromise (BEC) scams.
A prime example is the high-profile U.K. lawsuit Peebles Media Group Ltd v. Patricia Reilly.
Where does blame lie?
According to the lawsuit, Patricia Reilly, an employee, received emails from a hacker impersonating her boss and requesting wire transfers. Reilly wired more than $250,000 before realizing it was a scam. The company fired Reilly – and is now suing her for the $138,000 that could not be recovered.
The company is arguing that Reilly was careless and should have known better. She, in response, claims she was never trained by the company to spot fraud.
Though the court has yet to make a ruling, this case shows how BEC scams are spiraling in new directions.
And though this case is taking place across the pond, it probably won’t be long before similar court cases start popping up in the U.S., seeing as email scams keep growing more prevalent.
IRS weighs in
In light of the continual growth of scams, the Service issued a news release with current details. The IRS wants you and your staff to look out especially for BEC scammers who pose as:
- businesses asking you to pay a fake invoice
- employees wanting you to re-route a direct deposit, and
- someone you know/trust (e.g., an executive) requesting a wire transfer.
As IRS ramps up phishing awareness and the U.K. court case plays out, it’s vital to ensure the proper training is conducted and the right message is shared at your company right now.
Here are questions to reflect on, both within your own department and on a larger scale.
- Do all employees (A/P, A/R, Payroll, purchasers, managers, etc.) involved in payments have a thorough understanding of BEC scams and how to spot them?
- Does the company provide annual or quarterly training on scams? Are all employees included in this?
- Are employees ever tested with real-life examples of email scams?
- On the technological side, are there proper cybersecurity measures in place to help identify and thwart scams? Are these measures up to date?
- Do employees know whom to contact at the company if a phishing attempt is uncovered? And do they know to report phishing attempts to the IRS by forwarding them to firstname.lastname@example.org?
- Is there a step-by-step procedure to follow in the event of a scam (alert local law enforcement, contact insurance, etc.)? Is this procedure well publicized?
- Does company policy outline consequences (mandatory training, removal of system access, etc.) for those who repeatedly fall for scams?