Recent compliance-related news coverage has identified an increase in anonymous hoax emails and online reports submitted to companies through their internal reporting systems. Whether filed via email or through an online reporting and case management system, these fictitious reports can pose a heightened IT security threat because the “reporter” is presumed to be an employee, and the “reader” does not always suspect that the report is a hoax.
Here at NAVEX Global, we have received questions from customers asking if it is safe to send and receive follow-up messages with the reporter via EthicsPoint or Alertline without risk to the company’s systems. The answer is a qualified yes. It is safe to send and receive follow-up messages in EthicsPoint and Alertline. However, it is advisable to not provide additional information to the reporter until you have verified that the submission is legitimate.
If you decide to communicate with the reporter, we recommend using the case management system for this function instead of using a company email system. This puts an additional level of separation between your organization and any potential attacker. As part of our security protocols, all attachments uploaded into the EthicsPoint and Alertline systems are scanned for known malware.
That said, anything you write back to the reporter should contain as little identifying or organizational detail as possible. When in doubt, seek the advice of counsel, IT and auditors before responding. Following are four recommended steps to take if you receive a suspected hoax report through your case management system.
1. Use caution when responding to the reporter. While NAVEX Global’s hotline and case management systems are secure, and communications between your investigators and an anonymous reporter within these systems are secure and protected, we advise that you use caution when copying and pasting any information provided by a reporter. Be extra cautious about clicking links provided by the reporter. Any attachments provided by the reporter will be scanned by our systems, but that scanning does not cover links or text: a URL pasted into your browser or email system can lead to a phishing page or a download, so treat it as untrusted until it has been checked.
2. Limit the information you provide to the reporter. Limit what you reveal about yourself or your organization when communicating with these reporters. All follow-up messages should be limited to requests for additional information, without providing any additional context or direct contact avenues. We recommend against providing email addresses, phone numbers, or even the names of your investigation team if you are unsure of a report’s validity.
3. Remove the online search capability. This capability allows a reporter to go online and search by an organization’s name or program name to file a report, which means anyone who knows your company name can find and use your intake form. You may want to consider removing the public search capability and directing your employees straight to your custom program URL. NAVEX Global Customer Support can assist EthicsPoint and Alertline customers with this change if needed.
4. Delete reports that are identified as a hoax. Some hoax reports are obvious, but some can seem very real. A recent article from The Corporate Counsel explains that while many companies see only a single hoax report, outside law firms who serve multiple clients have started to detect patterns. If the details of a report you receive look or read like those of known hoax reports, investigate thoroughly. If it is deemed a hoax, we recommend deleting the case from your system.
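To make step 1 concrete, here is a small triage script an investigator could run over a reporter's follow-up message before deciding whether any link in it is worth opening in an isolated browser. This is an added example written for this post; it is not NAVEX Global code and not a feature of EthicsPoint or Alertline. The function and constant names are ours, the shortener list is an illustrative assumption to be replaced with your own, and the sample message is constructed. The script fetches nothing: it only extracts links and flags the tricks that commonly make a pasted URL dangerous (executable schemes such as javascript: and data:, a decoy name before an @ sign, IP-literal or punycode hosts, link shorteners, and invisible Unicode format characters that survive copy-and-paste).

```python
"""Triage links and hidden characters in reporter-supplied text.

Added example for this post (not NAVEX code, not EthicsPoint/Alertline
functionality). All names below are assumptions; the sample message is
constructed. Nothing here contacts the network.
"""
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

# Schemes that run code or carry an inline payload when pasted into a browser.
EXECUTABLE_SCHEMES = {"javascript", "data", "vbscript", "file"}

# Illustrative list (assumption): shorteners hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Match http(s)/ftp URLs, bare "www." links, and the executable schemes above.
URL_RE = re.compile(
    r"""(?i)\b(?:(?:https?|ftp|javascript|data|vbscript|file):[^\s<>"']+|www\.[^\s<>"']+)"""
)
TRAILING_PUNCT = ".,;:!?"


def find_format_chars(text):
    """Return the Unicode 'Cf' (format) characters present in text.

    Zero-width spaces/joiners and bidi overrides are all category Cf: they are
    invisible when displayed but survive copy-and-paste, so a link or filename
    can read differently from what it actually is.
    """
    return sorted({ch for ch in text if unicodedata.category(ch) == "Cf"})


def flag_url(url):
    """Return (normalized_url, host, flags) for one extracted URL."""
    url = url.rstrip(TRAILING_PUNCT)          # drop sentence punctuation
    if url.lower().startswith("www."):
        url = "http://" + url                  # bare www. link: assume http
    flags = []
    try:
        parts = urlsplit(url)
    except ValueError:
        return url, "", ["unparseable-url"]
    if parts.scheme.lower() in EXECUTABLE_SCHEMES:
        flags.append("executable-scheme")
    if "@" in parts.netloc:
        # Everything before the last '@' is decoy; the browser goes to the host after it.
        flags.append("userinfo-before-host")
    host = parts.hostname or ""
    if host:
        try:
            ipaddress.ip_address(host)
            flags.append("ip-literal-host")
        except ValueError:
            pass
        if any(label.startswith("xn--") for label in host.split(".")):
            flags.append("punycode-host")      # IDN that may look like a trusted name
        if not host.isascii():
            flags.append("non-ascii-host")     # possible homograph
        if host in SHORTENERS:
            flags.append("link-shortener")
    if find_format_chars(url):
        flags.append("hidden-chars-in-url")
    return url, host, flags


def triage_reporter_text(text):
    """Summarize link and hidden-character risk in one reporter message."""
    findings = []
    for match in URL_RE.finditer(text):
        url, host, flags = flag_url(match.group(0))
        findings.append({"url": url, "host": host, "flags": flags})
    hidden = find_format_chars(text)
    return {
        "urls": findings,
        "hidden_chars": [f"U+{ord(c):04X}" for c in hidden],
        "risky": bool(hidden) or any(f["flags"] for f in findings),
    }


# Constructed sample follow-up message (not a real report).
SAMPLE_FOLLOW_UP = (
    "Proof of the kickbacks is here: http://xn--pypal-4ve.example/evidence.zip. "
    "Backup copy: https://www.example.com@198.51.100.7/share and https://bit.ly/xyz "
    "If those fail, paste javascript:alert(document.cookie) into your browser. "
    "My earlier memo is at www.example.org/memo\u200b.pdf"
)

if __name__ == "__main__":
    result = triage_reporter_text(SAMPLE_FOLLOW_UP)
    for finding in result["urls"]:
        print(finding["url"], "->", ", ".join(finding["flags"]) or "no flags")
    print("hidden characters:", result["hidden_chars"], "risky:", result["risky"])
```

A "risky" result is a reason to involve IT before anyone opens the link, not a verdict on the reporter; a genuine employee can forward a shortened link too. The point of the check is that link scanning is not something the attachment scanner does for you.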
Among the more useful articles with advice on how to handle hoax cases once they have been identified is one published by TheCorporateCounsel.net titled “Whistleblower Hoax Hitting Ethics Inboxes! How to ‘Fact Check’ Complaints.”
We know the importance of a safe and secure anonymous reporting system and that organizations take all cases submitted seriously. So, while the increase in hoax reports is concerning, it should not prevent any organization from maintaining a robust reporting system that protects your employees and organization. It just takes a little more diligence.