Are Corporate Employees That Fall For Scams – Victims Or Negligent?

An Analysis of the Consequences of Being Scammed in the Corporate Context

Primary Category: Editorial/Commentary

Author:
•  Tim McGuinness, Ph.D. – Anthropologist, Scientist, Director of the Society of Citizens Against Relationship Scams Inc.

About This Article

A conversation with a leading cybersecurity training company highlighted the prevalent belief that employees responsible for cybersecurity breaches are reckless and negligent. However, this perspective can harm organizational security by creating fear and inhibiting employees from actively participating in remediation efforts.

Recognizing employees as victims of sophisticated social engineering tactics rather than as culprits can foster a more supportive environment, leading to better prevention and recovery from cyberattacks.

It is essential for companies to provide proper education on social engineering, offer compassionate support post-incident, and engage employees collaboratively in cybersecurity efforts to enhance overall security and reduce trauma.

Are Corporate Employees That Fall For Scams – Victims or Negligent? How Employers Treat Their Employees After A Scam Matters!

Originally Published September 1, 2020

In a recent conversation with a leading cybersecurity training company, we explored the predominant notion that employees whose failure to follow corporate policies and procedures leads to cybersecurity breaches are reckless, negligent, and at fault.

Increasingly, we have seen that companies are holding their employees financially responsible for mistakes that allow cyberattacks to get through defenses, such as phishing scams, business email compromise scams, ransomware attacks, etc.

Is this view correct?

Or is it, in fact, decreasing security by forcing employees to be fearful of cybersecurity as a threat to their own well-being and employment?

I am a Director of the largest cybercrime victims’ assistance organization, called SCARS (www.AgainstScams.org), and I would argue that everyone who falls for scams – either personally or in a corporate context – is a victim, and deserving of consideration as a victim.

Additionally, I would argue that companies that fail to recognize this fact are undermining their own efforts to create a more secure environment.

Far too often corporate cybersecurity policy-makers devise policies that attempt to impose liability on their own employees for their failures. Such liability can include sanctions from loss of employment to severe financial liabilities. In fact, in recent years we have seen companies suing their own employees for BEC scam losses.

Blaming the victim is never a way to stop incidents from happening.

The reality is every employee is just a human being and in the case of scams, social engineering and manipulation are far more powerful than individuals in most cases. Policies that fail to recognize this are doomed to failure. No one can simply mandate perfection under threat from their employers. It just does not work.

Boards across all industries must recognize that their employees are not the problem, though they are a vulnerability. And when they are attacked they are victims every bit as much as the business or institution itself. By recognizing this simple fact, organizations can begin to better understand that they and their employees are unified in their inherent vulnerabilities and can address them more collaboratively, instead of an imposition from the top down.

This is important, not only from a prevention perspective but especially during the mitigation of an attack in progress. If employees feel that they will be targeted by their employer for cybersecurity breaches, they are less likely to actively participate in remediation during an attack, and in fact, may hide essential evidence in an effort to protect themselves or claim they were not involved. It may result in employees being more likely to cover up incidents and not involve cybersecurity specialists immediately when time is of the essence. This costs critical time when it is needed most. It also creates an “every man for themself” mentality, instead of an “all for one” approach.

Post-incident we see all too often that the employees involved in these incidents are condemned by other employees and management, defamed, and even potentially referred to corporate legal for action. This creates a climate of fear following cyber incidents instead of focusing everyone’s attention on future prevention. It can also significantly traumatize employees causing loss of future effectiveness and eventual departure from the organization.

Human beings will always be vulnerable to social engineering and manipulation – all of us are.

Developing protective behaviors against it takes more than a policy and a couple of hours of mediocre training on the subject.

It is necessary that employees be shown how social engineering and manipulation actually work on them, their friends, their families, and societies. With an understanding of the real mechanics, employees become empowered to see their vulnerabilities clearly and are much more willing to adopt new defensive behaviors. This removes the climate of cyber-fear and replaces it with a shared comprehension of the need for unity and mutual support. Every employee will make mistakes, and instead of focusing on blame, every organization should recognize this as a fact.

Organizations need to recognize that their employees are every bit as much a victim when these attacks occur as the organization itself. When companies can make this leap to recognize this, then they can truly take a giant step towards full sharing of responsibility for prevention, mitigation, and post-incident recovery.

They must also recognize that employees, as victims, also need help after an incident.

Cybercrimes traumatize their victims, in some cases profoundly, and just like with physical crimes employees can be in need of professional support. However, the anticipatory fear that organizations impose on their employees through their policies and threats of financial or other liability only adds to the trauma after the fact. Human Resource departments need to be part of these conversations and recognize that like any crime victim, cybercrime victims need and deserve compassion and support and not condemnation and accusations. Not only because of the trauma imposed by truly reckless accusations but also because this creates a hostile working environment that can bring the liability back onto the company itself.

Our organization understands the fundamentals of cybercrime victims and strives to expand the role of victim support in all aspects of post-cybercrime remediation. This notion of an employee as a victim too is far from obvious for most of the corporate world. However, by adopting this posture, enterprises can better obtain the cooperation of employees in identifying vulnerabilities, better mitigating the damage from attacks, and reducing the traumatic impact on the organization and its employees. All of which leads to a more secure environment.

We welcome the opportunity to share this view and are open to helping organizations better understand it. Businesses and institutions are welcome to contact our nonprofit about how we can help you better understand the psychological impact of scams and how empowering your employees to be part of the solution, instead of being viewed as the problem, will help them achieve better, stronger, and more robust cybersecurity.

Our mission is to support scam victims whenever and wherever we can.

We hope that you can understand this shift in view and can find ways to internalize it in your own organizations. We are here to help.

Learn more

To learn more about scam victim blaming visit www.EndScamVictimBlaming.org

Opinions

The opinions of the author are not necessarily those of the Society of Citizens Against Relationship Scams Inc. The author is solely responsible for the content of their work. SCARS is protected under the Communications Decency Act (CDA) section 230 from liability.