Are Corporate Employees That Fall For Scams Victims Or Negligent?
Reprinted from LinkedIn
A SCARS Position Statement – September 1, 2020
In a recent conversation with a leading cybersecurity training company, we explored the predominant notion that employees whose failure to follow corporate policies and procedures leads to cybersecurity breaches are reckless, negligent, and at fault. Increasingly, we have seen that companies are holding their employees financially responsible for mistakes that allow cyber-attacks, such as phishing scams, business email compromise scams, and ransomware attacks, to get through defenses.
However, is this view correct?
Or is it, in fact, decreasing security by forcing employees to be fearful of cybersecurity as a threat to their own well-being and employment?
I am a Director of the largest cybercrime victims’ assistance organization, called SCARS (www.AgainstScams.org), and I would argue that everyone who falls for scams, either personally or in a corporate context, is a victim and deserves consideration as a victim.
Additionally, I would argue that companies that fail to recognize this fact are undermining their own efforts to create a more secure environment.
Far too often corporate cybersecurity policy-makers devise policies that attempt to impose liability on their own employees for their failures. Such liability can include sanctions from loss of employment to several financial liabilities. In fact, in recent years we have seen companies suing their own employees for BEC scam losses. However, blaming the victim is never a way to stop incidents from happening.
The reality is every employee is just a human being and in the case of scams, social engineering is far more powerful than individuals in most cases. Policies that fail to recognize this are doomed to failure. No one can simply mandate perfection under threat from their employers. It just does not work.
Boards across all industries must recognize that their employees are not the problem, though they are a vulnerability. And when they are attacked they are victims every bit as much as the business or institution itself. By recognizing this simple fact, organizations can begin to better understand that they and their employees are unified in their inherent vulnerabilities and can address them more collaboratively, instead of an imposition from the top down.
This is important, not only from a prevention perspective but especially during the mitigation of an attack in progress. If employees feel that they will be targeted by their employer for cybersecurity breaches, they are less likely to actively participate in remediation during an attack, and in fact, may hide essential evidence in an effort to protect themselves or claim they were not involved. It may result in employees being more likely to cover up incidents and not involve cybersecurity specialists immediately when time is of the essence. This costs critical time when it is needed most. It also creates an “every man for themself” mentality, instead of an “all for one” approach.
Post-incident we see all too often that the employees involved in these incidents are condemned by other employees and management, defamed, and even potentially referred to corporate legal for action. This creates a climate of fear following cyber-incidents instead of focusing everyone’s attention on future prevention. It can also significantly traumatize employees causing loss of future effectiveness and eventual departure from the organization.
Human beings will always be vulnerable to social engineering – all of us are. Developing protective behaviors against it takes more than a policy and a couple of hours of mediocre training on the subject. It is necessary that employees be shown how social engineering actually works on them, their friends, their families, and societies. With an understanding of the real mechanics, employees become empowered to see their vulnerabilities clearly and are much more willing to adopt new defensive behaviors. This removes the climate of cyber-fear and replaces it with a shared comprehension of the need for unity and mutual support. Every employee will make mistakes, and instead of focusing on blame, every organization should recognize this as a fact.
Organizations need to recognize that their employees are every bit as much a victim when these attacks occur as the organization itself. When companies can make this leap, they can truly take a giant step towards full sharing of responsibility for prevention, mitigation, and post-incident recovery.
They must also recognize that employees, as victims, need help after an incident.
Cybercrimes traumatize their victims, in some cases profoundly, and just like with physical crimes employees can be in need of professional support. However, the anticipatory fear that organizations impose on their employees through their policies and threats of financial or other liability only adds to the trauma after the fact. Human Resource departments need to be part of these conversations and recognize that like any crime victim, cybercrime victims need and deserve compassion and support and not condemnation and accusations. Not only because of the trauma imposed by truly reckless accusations but also because this creates a hostile working environment that can bring the liability back onto the company itself.
Our organization understands the fundamentals of cybercrime victims and strives to expand the role of victim support in all aspects of post-cybercrime remediation. This notion of an employee as a victim is far from obvious for most of the corporate world. However, by adopting this posture, enterprises can better obtain the cooperation of employees in identifying vulnerabilities, better mitigating attacks, and reducing the traumatic impact on the organization and its employees. All of which leads to a more secure environment.
We welcome the opportunity to share this view and are open to helping organizations better understand it. Businesses and institutions are welcome to contact our nonprofit about how we can help you better understand the psychological impact of scams and how empowering your employees to be part of the solution, instead of being viewed as the problem, will help them achieve better, stronger, and more robust cybersecurity. However, our mission is to support scam victims whenever and wherever we can.
We hope that you can understand this shift in view and can find ways to internalize it in your own organizations. We are here to help.
Tim McGuinness, Ph.D.,
Director,
Society of Citizens Against Relationship Scams Inc.
I was the victim of scammers who used photos of an American female soldier. I fell in love and I am traumatized from being deceived. I have all the conversations and photos on my phone. I no longer sleep at night and I am having several psychological problems because of this.
Unfortunately, we are an English/Spanish language organization. But we suggest that you visit http://www.RomanceScamsNOW.com to find useful support and recovery information. You can translate the entire website into Portuguese using the translate button.