Last week, a reader we're calling Jack received two
emails from a law firm whose emails he occasionally received via the firm's
listserv, but with whom he'd never actually done any business.
Imagine his surprise when he opened them and read that the firm planned
to debit his bank account for just shy of $3,000 that afternoon. The email
instructed the reader to click on a link to read the specifics of the invoice.
Suspecting a scam, Jack checked the sender address, and it appeared to belong
to someone at the law firm. A sender address is easily forged, though, and in
any case Jack knew he had never hired the firm to do any work for him.
Once he judged the email suspicious, Jack knew enough not to click on the
link. He thought it might be a phishing campaign in which a third party had
compromised the law firm's or the listserv provider's account and sent out fake
emails to harvest information, or perhaps money, from unsuspecting recipients.
Typically, Jack would just delete such an email and leave it at that. But even
though he had never done business with the firm, Jack knew people who worked
there. He also suspected that others had received the same email. Jack wonders
whether simply deleting the email was enough, and whom at the law firm he
should alert that he had received it.
Jack did not send the email, and he has no direct responsibility for the law
firm's clients. Had he simply deleted it, he would have done nothing wrong.
But the right thing for Jack to do is to alert the purported sender that he
received a suspicious email bearing the firm's name. He can forward the email,
note that he has no invoice due, and explain that he is concerned the firm's
listserv has been compromised. He should reach the firm through a contact he
already has or a number from its website rather than by replying to the
message, since a reply goes to whoever actually sent it.
Too often, however, when someone like Jack alerts a person or a firm to such a
phishing email, the contact never responds, even if the firm does investigate
internally. Once Jack informs the firm of the issue, the right thing is for
someone there to respond, thank him for the alert, and confirm that he should
ignore and delete the email.
But such a response doesn't go far enough. If that same
errant email went out to the entire listserv, the right thing for the firm to
do is to send another email out to the listserv, acknowledging the problem and
informing the recipients what they should do.
That guidance might include urging recipients not to click on any links,
changing passwords if they did click (and especially if they entered any
credentials), deleting the emails from their inbox and trash, and having their
IT department, or they themselves, run a virus scan. Offering a phone contact
at the firm for follow-up questions wouldn't be a bad idea either.
When something suspicious happens, the right thing for
all involved is to reassure those who might have been caught up in the hack.
Jeffrey L. Seglin, author of The Right Thing: Conscience, Profit and Personal Responsibility in Today's Business and The Good, the Bad, and Your Business: Choosing Right When Ethical Dilemmas Pull You Apart, is a lecturer in public policy and director of the communications program at Harvard's Kennedy School.
Follow him on Twitter: @jseglin
Do you have ethical questions that you need answered? Send them to rightthing@comcast.net.
(c) 2019 JEFFREY L. SEGLIN. Distributed by TRIBUNE CONTENT AGENCY, LLC.