
We’ve recently been made aware of an increase in anonymous hoax emails and online reports posted to multiple companies through their internal reporting systems. The wording of these posts was identical and alleged violations of SEC insider trading regulations. The report reads as follows:

I have proof that insiders within your organization will cause the corporation’s stock price to fall on June 18th, 19th, and 20th for their personal profit. Their actions constitute a clear violation of SEC insider trading and market manipulation rules. I will follow up on Monday.

Whether filed via email or through an online reporting and case management system, fictitious reports may pose a heightened IT security threat. The “reader” does not always suspect the report is a hoax.

A prior example highlights the real-world consequences of these hoaxes. In 2021, a researcher submitted a fabricated report through multiple company hotlines as part of an academic experiment – without the organizations’ consent or knowledge. The stunt led to wasted investigative resources, including the cost of outside counsel for a number of companies, and to reputational risk for the companies involved. We are also aware of at least one other academic research project that posted fraudulent claims to company reporting systems to evaluate corporate responses before 2020.

Whether reports are part of a misguided academic research project on reporting systems, or attempts to circumvent your organization’s security, potentially fake reports should be handled with care.

When these patterns are discovered, we receive questions from customers asking if it is safe to send and receive follow-up messages with the reporter via EthicsPoint or WhistleB without risk to the company’s systems. The answer is a qualified yes. It is safe to send and receive follow-up messages in EthicsPoint and WhistleB. However, it is advisable not to provide additional information to the reporter until you have verified that the submission is legitimate.

If you decide to communicate with the reporter, we recommend using the case management system for this function instead of using a company email system. This creates an additional level of separation between your organization and any potential attacker. As part of our security protocols, all attachments uploaded into the EthicsPoint and WhistleB systems are scanned for known malware.

4 steps to take if you suspect a hoax report

That said, information entered as responses to the reporter should be as sanitized as possible. When in doubt, seek the advice of counsel, IT and auditors before responding. Following are four recommended steps to take if you receive a suspected hoax report through your case management system.

  1. Use caution when responding to the reporter: While NAVEX hotline and case management systems are secure, and communications between your investigators and an anonymous reporter within these systems are secure and protected, we advise that you use caution when copying and pasting any information provided by a reporter. Be extra cautious about clicking links provided by the reporter. Any attachments provided by the reporter will be scanned by our systems, but links or text that you paste into your browser or email system may contain unsafe information.
  2. Limit information provided to the reporter: Limit information about you or your organization when communicating with these reporters. All follow-up messages should be limited to requests for additional information without providing any additional context or direct contact details. We recommend against providing email addresses, phone numbers, or even names of your investigation team if you are unsure of the report’s validity.
  3. If you are receiving a high volume of potential hoax reports, consider removing the online search capability for a period of time: This search capability allows a reporter to go online and search by an organization’s name or program name to file a report. You may want to consider removing the public search capability and directing your employees to go straight to your custom program URL. NAVEX Customer Support can assist with this change if needed.
  4. Delete reports that are identified as hoaxes: Some hoax reports are obvious, but some can seem very real. If the details of a report you receive look or read like those known to be hoax reports, use caution. If it is deemed to be a hoax, we recommend deleting the case from your system.

We know the importance of a safe and secure anonymous reporting system and that organizations take all cases submitted seriously. So, while the increase in hoax reports is concerning, it should not prevent any organization from maintaining a robust reporting system that protects your employees and organization. It just takes a little more diligence.