By the summer of 2021, compliance officers had spent nearly a year and a half helping their organizations navigate the challenges of COVID-19, as well as the new or heightened risks associated with remote work and enhanced safety protocols. And maybe because we needed more excitement this summer, a series of anonymous - and as it turns out, suspicious - allegations of collusion, accounting fraud and kickbacks started showing up in executive and board member inboxes as well as the companies’ online reporting systems.
As we would come to learn, these particular reports were actually fictitious and issued from a single source as part of an academic research project on reporting systems. There was no truth behind the allegations; all were fake. And, it wasn’t the first time this has happened.
Let’s take a step back to late spring of this year. At that time, a significant number of companies began receiving anonymous reports of suspected financial misconduct – some sent directly to the companies’ general counsels or executives, others to the reporting systems. Many were deemed serious enough to be referred to outside counsel for investigation and advice. One law firm that was asked to review these reports and advise was WilmerHale. As reported in TheCorporateCounsel.net on June 11, 2021, attorneys Susan Muck and Kevin Muck, partners at WilmerHale, realized a number of their clients had received the exact same reports. In its story, CorporateCounsel.net exposed the hoax and published a warning to its readers. The publication even asked readers to vote on ‘’What’s the Fake Whistleblower’s Endgame?” Two-thirds of respondents thought it was malware or phishing. Numerous other law firms then published warnings about the hoax reports.
Many of the law firms’ clients that were becoming aware of the hoax are also NAVEX Global customers. Some came to us looking for guidance and reassurance about the security of our systems. Others had questions about the possibility of malware attacks submitted through an online report in some way. At that time, we published a blog post warning about the hoax reports. We also offered additional steps that organizations could take, including a recommendation that targeted organizations consider removing some public access to their web reporting link until the issue was resolved. Importantly, we did not make these recommendations lightly, as it could limit some reporting. But this is the age of cyberattacks, and these hoax reports were being received around the same time the SolarWinds hack was in the news. Better safe…
But for us, the story did not end there. In one way, it was just beginning. This finding presented three challenges for organizations that take reporting and incident management seriously. Specifically:
- Where were these hoax reports coming from, and why?
- How can organizations protect their internal systems from hoax reports like this?
- What is the best practice for identifying fake reports while still being diligent about authentic reports that require investigation?
The team at WilmerHale ultimately solved the mystery when one of its clients received an email claiming to be from a PhD student at the National University of Singapore (NUS). This student indicated the report was part of a research project that had been reviewed and approved by the NUS Institutional Review Board (IRB). TheCorporateCounsel.net published this information in August to surprisingly little fanfare from the compliance and legal communities, possibly because many were skeptical about the admission email. Was it a hoax, too?
This additional information sent us on a mission of our own: first, to verify the accuracy of this admission email, and second, to understand the scope of what had happened. After several contact attempts, NUS finally responded with the following verification:
[Redacted] is a student at the National University of Singapore (NUS). The University has reviewed [the student’s] research study and the study has been terminated. Please be assured that any data collected in relation to this research study will not be used. We apologise for the inconvenience that this research study may have caused to your company.
The good news is organizations were not experiencing malware attacks, nor had the misconduct alleged in the hoax reports actually occurred. The bad news is this research was far beyond an “inconvenience” and was premised on a major miscalculation of anticipated costs and potential consequences to the targeted organizations and their compliance and legal teams. As we see it, the list of serious or potential harms this hoax report fiasco either caused or could have caused is long. Here are some:
- Internal costs. Costs related to the time and resources spent investigating the reports’ allegations and assessing potential new cyber risks were significant.
- Consideration and resources diverted away from real reports. Due to the nature and seriousness of these reports, they would have received the highest levels of organizational attention to the detriment of authentic report investigations.
- Hard costs for outside counsel and external audit. Noting the number of law firms that published warnings on this issue, many companies would have incurred significant legal costs before discovering the hoax. We also learned that some skeptical external auditors were not easily convinced that these serious reports were fake, so additional costs were incurred here, too.
- Loss of trust in reporting systems. Executives and others frustrated by the waste of time and resources could lose trust in the validity of the reporting mechanism, impacting future support for these systems.
- Skewed compliance reporting metrics. During the time period before the hoax was discovered, metrics related to these types of serious cases would be inaccurate.
- Reduced availability of one of the internal reporting options. Organizations that took proactive steps to protect their computer systems from malware may have restricted online access to their reporting systems.
- Self-reporting a hoax case to regulatory agencies. Given the nature of the allegations, some companies may have gone so far as to self-disclose the reports to the SEC, causing enforcement agencies to review or investigate something that did not happen (again, diverting resources away from investigations into real matters). Organizations under enforcement actions may have been required to report all such serious allegations to the government before conducting their own investigations.
- Inspire more copycat “research.”
The last point is not hypothetical. It is quite possible that this research project was itself copycat research. In 2020, a Harvard University professor, Eugene Soltes, published a paper in the Journal of Accounting Research titled Paper Versus Practice: A Field Investigation of Integrity Hotlines. Professor Soltes exploited the same methodology by submitting fake reports to the hotlines and helplines of 250 firms and noted that:
[T]he final inquiries covered four different sources of potential misconduct: financial misconduct, bribe/kickback, harassment, and discrimination.
Professor Soltes went on to describe the project:
I also sent multiple scenarios to each sample firm in an effort to ascertain the responsiveness of their hotline overall, rather than to a specific inquiry at a particular time.
Professor Soltes’ research was subject to approval from the IRB of Harvard University (his employer) and University of Chicago (the owner of Journal of Accounting Research). Following is the rationale from the research paper (emphasis mine):
The project was deemed as not human subject research by my university’s institutional review board. [Footnote 12: As viewed by the Institutional Review Board (IRB), reporting scenarios to corporate hotlines is not submitting to “people,” but rather to “firms.” Under Department of Health and Human Services and Food and Drug Administration regulations that guide IRBs, this would not be human subject research.] However, given the potential deception involved in the study, I faced a subsequent review by the university’s general counsel that raised concerns regarding liability associated with the project. The most salient of these concerns was around fraudulent misrepresentation (i.e., a false representation of material fact with knowledge of its falsity, made for the purpose of inducing the plaintiff to act on it, which the plaintiff relied upon to its damage). To mitigate the potential for damages, the scenarios were designed in a way to make it unlikely that a firm could engage in a substantive or costly investigation without additional information.
In the admission email, the NUS student provided a similar rationale, “The claims brought forth were completely fictitious and deliberately did not bare enough details to necessitate the launch of an investigation” (emphasis mine).
Unfortunately, this type of rationale is a serious miscalculation of the true costs and impact to organizations and the people who manage investigations of reports. We asked NUS how many companies received these fake reports, but they would not share this information. However, noting that 250 companies received multiple fake reports from Professor Soltes’ research, it is easy to conclude significant time and money were spent on these reports – especially those that were allegations of regulatory violations where companies are more likely to bring in outside counsel. Further, what these researchers do not understand is that when a serious allegation is made with little specific information, companies may spend more time and money trying to figure it out because of the seriousness of the claim and the dearth of information provided in the fictitious reports.
The true financial impact of the NUS hoax report campaign may never be known. But engaging outside counsel to help investigate and substantiate a serious claim will cost a company thousands of dollars in legal fees. Assuming several hundred hoax reports were sent, the expenses triggered by this research likely run into the millions. And, as we noted, it wasn’t the first time. Further, this calculation does not even consider the potential effect an accounting fraud report (substantiated or not) might have on company stock price had these reports been made public.
Academic Reforms are Needed
Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should.”
- Dr. Ian Malcolm (from the film Jurassic Park)
This type of research methodology must be re-evaluated by the academic community – and their IRBs – to ensure that internal reporting systems are not abused under the banner of academic field research again. NUS declined to provide us with their IRB documents citing confidentiality, but, as described above, the Harvard researcher provided more insight into the decision-making process of his IRB and the university general counsel’s office.
While academic research drives many positive improvements in business processes, the misinformation, misrepresentations and miscalculations present here were significant. One thing we know for certain is that many people were impacted, and their organizations were, too. Perhaps academic institutions could use this story as a business ethics case. Regardless, this learning opportunity is now the reverse situation where businesses must impose a check on academia.