OkieTech

Email impersonation at work by IT

Scenario: email was sent to multiple external vendors containing company data. Emails were sent as an individual employee because they were from that employee's email address (multiple employees have experienced this). Employees had no knowledge and had not given approval for IT staff to send an email on their behalf.

 

Is this fraud or something else? Can the employee hold the company liable for any emails past, present or future as a result of this misuse? What happens if proprietary data is disbursed via this same process making it look like an employee but is really an automated IT process? What if the employer has received this report in writing and does nothing to address?

1 hour ago, OkieTech said:

Is this fraud or something else?

 

How could we possibly know (although it's obviously "fraud or something else")?  All you told us was that the e-mail "contain[ed] company data."  Without knowing all of the relevant facts and circumstances, answering your question is impossible.

 

 

2 hours ago, OkieTech said:

Can the employee hold the company liable for any emails past, present or future as a result of this misuse?

 

What employee?  Your post expressly refers to "multiple employees."  What does "hold the company liable for any emails" mean?

 

 

2 hours ago, OkieTech said:

What happens if proprietary data is disbursed via this same process making it look like an employee but is really an automated IT process?

 

Not sure how you expect a complete stranger to answer this hypothetical.

 

 

2 hours ago, OkieTech said:

What if the employer has received this report in writing and does nothing to address?

 

What report?  Address what?

 

You're obviously going to have to do a much better job describing what you're talking about.


So I don't understand what clarification you want because you didn't provide concise feedback and want a detailed background of each phrase.

 

Here is the clearest I can/will make this as to not divulge unnecessary information. An employer sent multiple emails as multiple different employees at an early a.m. hour on a weekend from the employees' email addresses. The employees had no knowledge and had not given consent to an email to be sent as them instead of a shared mailbox or a noreply address. Add to it that the emails provided company data to vendors and was not an isolated internal email.

 

Given this information is there anything here besides ethical violations? Are there laws protecting email security for employees? If so, do they protect the employee from fraudulent emails sent by someone else posing as that employee? If so and if this was reported, does the employee have any recourse if the employer fails to fix the issue?


If the ABC Company sends an email to vendors from Joe Smith's email, as long as Joe Smith is an employee of ABC company and they use the email granted to Joe Smith by ABC (i.e. joe.smith@abc.com) the employer has not violated any laws. Joe Smith does not own the email; ABC Company does.

1 minute ago, cbg said:

If the ABC Company sends an email to vendors from Joe Smith's email, as long as Joe Smith is an employee of ABC company and they use the email granted to Joe Smith by ABC (i.e. joe.smith@abc.com) the employer has not violated any laws. Joe Smith does not own the email; ABC Company does.

 

How is that legal and not fraud? That logic means that Google or an employee of Google could send an email from your gmail account acting as you and not face any legal recourse.

3 minutes ago, cbg said:

I didn't say they could do it from the employee's gmail account. I said they could do it from the employer-owned email.

I didn't say you said that. I said given that logic it means that a scenario involving Google as the company and gmail as the email service has the same result. Employee or end user shouldn't matter considering there are conditions around both. If you think it does not have the same result, please explain why.


Google is not in an employer-employee situation with those people they provide gmail addresses to. You are not employed by gmail; gmail provides you with the email as a service and there are specific terms of service that you both agree to when you sign up. That is a completely different relationship than an employer providing the employee with an email, to be used for business purposes only, for the duration of the employment.

16 minutes ago, cbg said:

Google is not in an employer-employee situation with those people they provide gmail addresses to. You are not employed by gmail; gmail provides you with the email as a service and there are specific terms of service that you both agree to when you sign up. That is a completely different relationship than an employer providing the employee with an email, to be used for business purposes only, for the duration of the employment.

So correct me if I misunderstand but you believe that if an employee provides an employee anything then the employee has no reasonable expectation to privacy or protection from misuse? (Same could apply if in T&Cs with service providers.) Specifically the company can read and/or send whatever they want, whenever they want, to whomever they want, as whomever they want without recourse, correct?  So how does an employee ensure they aren't accountable for those and/or any emails sent? If multiple people can send as that employee without knowledge or consent, how can one prove or disprove the authenticity of any email past, present or future especially when it comes to data being sent outside the org?

 

In summary, it looks like an employee is sending data out en masse at odd days and times, but really it's an automated process that is either spoofing the address or accessing the mailbox and sending on behalf. (Spoofing is just sending an SMTP message with that as the email, whereas on behalf of requires actual MS Exchange permissions.) Data misuse and/or mishandling is a fireable offense and is something an employer could sue the employee for if there were losses or damages as a result of data sharing.
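
As an added example (not part of any post in this thread), here is how someone reviewing a received copy could separate the two mechanisms the post above names, a spoofed SMTP From address versus an Exchange "on behalf of" send, using message headers. The sample messages and the abc.example / vendor.example names are constructed, and the check assumes the topmost Authentication-Results header was written by the receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread); all domains are placeholders.
AUTH_PASS = ("Authentication-Results: mx.vendor.example; spf=pass; "
             "dkim=pass header.d=abc.example; dmarc=pass header.from=abc.example\n")
AUTH_FAIL = ("Authentication-Results: mx.vendor.example; spf=fail; "
             "dkim=none; dmarc=fail header.from=abc.example\n")
COMMON = ("From: Joe Smith <joe.smith@abc.example>\n"
          "To: orders@vendor.example\n"
          "Subject: Weekly export\n"
          "Date: Sat, 06 Jan 2024 03:12:00 -0600\n\nbody\n")

ON_BEHALF = AUTH_PASS + "Sender: it-automation@abc.example\n" + COMMON
SPOOFED = AUTH_FAIL + COMMON
SEND_AS = AUTH_PASS + COMMON


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601)."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            # Headers are read top-down; keep the first (most recently added) verdict.
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def classify(raw):
    """Classify one raw RFC 5322 message by how its From address was used."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    sender_addr = parseaddr(msg.get("Sender", ""))[1].lower()
    auth = auth_results(msg)
    if "dmarc" not in auth:
        verdict = "no-auth-results"            # e.g. a copy that never crossed a receiving MTA
    elif auth["dmarc"] != "pass":
        verdict = "from-not-authenticated"     # consistent with a spoofed From address
    elif sender_addr and sender_addr != from_addr:
        verdict = "sent-on-behalf"             # RFC 5322 Sender names the actual submitter
    else:
        verdict = "authenticated-no-delegate"  # headers cannot tell who used the mailbox
    return {"from": from_addr, "sender": sender_addr or None,
            "auth": auth, "verdict": verdict}


if __name__ == "__main__":
    for name, raw in [("on-behalf", ON_BEHALF), ("spoofed", SPOOFED), ("send-as", SEND_AS)]:
        print(name, classify(raw))
```

A message sent with full Send As rights, or by a process relaying through the company's own authorized servers, can look the same in headers as one the employee sent; separating those cases takes the mail server's own audit logs.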


Who owns the email address? (Hint - it's not the employee)

Who owns the company data? (Hint - it's not the employee)

Who owns the IT system that was used to transmit it? (Hint - it's not the employee)

Who has the contracts with the vendors? (Hint - it's not the employee)

 

Do I think this is something appropriate for the employer to do? No, I don't. Is it in violation of any laws? No, it isn't.

 

 

Just now, cbg said:

Who owns the email address? (Hint - it's not the employee)

Who owns the company data? (Hint - it's not the employee)

Who owns the IT system that was used to transmit it? (Hint - it's not the employee)

Who has the contracts with the vendors? (Hint - it's not the employee)

 

Do I think this is something appropriate for the employer to do? No, I don't. Is it in violation of any laws? No, it isn't.

 

 

So again, how does an employee protect themselves from accusations or misrepresentations of events and/or communications that are fraudulent as they were not authored or sent by the actual employee? (Hint - looking for an answer)


He doesn't do so, pro-actively. When and if he is actually held accountable for an email he didn't send out, he takes the facts as they are and not as he anticipates they might be in the future, and takes appropriate action then.

6 hours ago, OkieTech said:

So again, how does an employee protect themselves from accusations or misrepresentations of events and/or communications that are fraudulent as they were not authored or sent by the actual employee? (Hint - looking for an answer)

 

Finding a job where the employer does not engage in that kind of use of the e-mail. Absent that, he cannot prevent accusations of misuse, only respond to any such accusations if and when they arise. 

14 hours ago, OkieTech said:

So I don't understand what clarification you want because you didn't provide concise feedback and want a detailed background of each phrase.

 

Well...what I want are clear facts.  Determining whether something is or isn't legal requires a clear explanation of all relevant facts.  It doesn't help that you play fast and loose with grammar, spelling and punctuation.

 

 

14 hours ago, OkieTech said:

Here is the clearest I can/will make this as to not divulge unnecessary information. An employer sent multiple emails as multiple different employees at an early a.m. hour on a weekend from the employees' email addresses. The employees had no knowledge and had not given consent to an email to be sent as them instead of a shared mailbox or a noreply address. Add to it that the emails provided company data to vendors and was not an isolated internal email.

 

Ok....so Bob (who is apparently an IT guy) sends out a bunch of e-mails. However, instead of sending them so that it's clear the e-mails are coming from "Bob," he sends the e-mails so that they appear to be coming from Cindy, Dave, Edward, etc. Right? Cindy, Dave and Edward did not consent to Bob doing this. Apparently, the e-mails were sent to "vendors." Correct? You told us that some "company data" was included in the e-mails. What was that "company data"?

 

 

14 hours ago, OkieTech said:

Given this information is there anything here besides ethical violations?

 

Given the ambiguous information provided to this point, there is no way to know.

 

 

14 hours ago, OkieTech said:

Are there laws protecting email security for employees?

 

None that would apply based on the unclear and ambiguous information provided thus far.

 

 

14 hours ago, OkieTech said:

How is that legal and not fraud?

 

Fraud is the making of a false statement of fact that causes another to act in reliance on the statement and to his/her detriment.  With that in mind, I assume you can see that what you've described thus far does not even come close to fitting within that definition.

 

Using my example above, if Cindy, Dave and Edward have a problem with Bob sending out e-mails under their names, their recourse is to report the matter to their supervisors and/or Bob's supervisor.  It's an internal company issue, not a legal issue.


In the absence of facts let me propose a perfectly proper use of the company's email system. Bob, Carol and Dave are purchasing agents for the Acme Dynamite Company. Ed, director of IT, is instructed to advise all vendors selling products to the firm that in the future all products should be shipped to a new distribution center. Ed sends emails to all the vendors associated with Bob, Carol, and Dave informing them of the new procedure. The emails appear to come from Bob, Carol, and Dave since Ed chooses to use their company e-mail accounts.

 

I am sure any number of similar scenarios could be constructed. The point being, facts matter. So if the poster is unwilling to say what the emails were generally about, it is impossible to comment on the propriety of the IT department's action.

51 minutes ago, RetiredinVA said:

In the absence of facts let me propose a perfectly proper use of the company's email system. Bob, Carol and Dave are purchasing agents for the Acme Dynamite Company. Ed, director of IT, is instructed to advise all vendors selling products to the firm that in the future all products should be shipped to a new distribution center. Ed sends emails to all the vendors associated with Bob, Carol, and Dave informing them of the new procedure. The emails appear to come from Bob, Carol, and Dave since Ed chooses to use their company e-mail accounts.

 

I am sure any number of similar scenarios could be constructed. The point being, facts matter. So if the poster is unwilling to say what the emails were generally about, it is impossible to comment on the propriety of the IT department's action.

The poster is willing to share generalized scenarios with limited information to set the context and ask related questions. The poster is seeking advice and/or recommendations based solely on the information provided, but the poster will provide additional facts and/or details if the poster deems it is appropriate to the questions or necessary for a legitimate answer. At this time the poster does not feel it is necessary to provide a comprehensive report detailing every environment variable to include names, company, data contents or other specific details. The information should serve the intended purpose and allow for respondents to provide practical replies.

2 hours ago, pg1067 said:

 

Well...what I want are clear facts.  Determining whether something is or isn't legal requires a clear explanation of all relevant facts.  It doesn't help that you play fast and loose with grammar, spelling and punctuation.

 

 

 

Ok....so Bob (who is apparently an IT guy) sends out a bunch of e-mails. However, instead of sending them so that it's clear the e-mails are coming from "Bob," he sends the e-mails so that they appear to be coming from Cindy, Dave, Edward, etc. Right? Cindy, Dave and Edward did not consent to Bob doing this. Apparently, the e-mails were sent to "vendors." Correct? You told us that some "company data" was included in the e-mails. What was that "company data"?

 

 

 

Given the ambiguous information provided to this point, there is no way to know.

 

 

 

None that would apply based on the unclear and ambiguous information provided thus far.

 

 

 

Fraud is the making of a false statement of fact that causes another to act in reliance on the statement and to his/her detriment.  With that in mind, I assume you can see that what you've described thus far does not even come close to fitting within that definition.

 

Using my example above, if Cindy, Dave and Edward have a problem with Bob sending out e-mails under their names, their recourse is to report the matter to their supervisors and/or Bob's supervisor.  It's an internal company issue, not a legal issue.

I won't get into some of the comments as this is not intended to be an academic paper. I believe the scenario does align with your definition because the vendor is taking an action due to the information/statements sent which are inaccurate (both contents and origination).

 

To elaborate more on your general definition, there are different types of fraud, and one is looking specifically at computer and identity fraud (not previously explicitly stated, apologies). This scenario is a misrepresentation of a person's identity that was done either by unauthorized access or spoofing then why are those things, outside of employment, something you report to the FTC, Local Law Enforcement, FBI, etc? How does employment change the scenario to make the deception acceptable? (Besides the fact that the company owns the computers, data, vendor accounts and IT services)

10 minutes ago, OkieTech said:

The poster is willing to share generalized scenarios with limited information to set the context and ask related questions. The poster is seeking advice and/or recommendations based solely on the information provided, but the poster will provide additional facts and/or details if the poster deems it is appropriate to the questions or necessary for a legitimate answer. At this time the poster does not feel it is necessary to provide a comprehensive report detailing every environment variable to include names, company, data contents or other specific details. The information should serve the intended purpose and allow for respondents to provide practical replies.

 

Then you ought to see an attorney in your state so the specific facts can be reviewed to determine if the employee has any recourse here beyond quitting his job. An employee may not like that the employer is sending out e-mails via his company e-mail address (which then makes it appear the employee sent it) but most such e-mails sent would neither be illegal nor would they give the employee any civil claim against the employer. You seem insistent on trying to get an answer that it is automatically wrong for the employer to send out e-mails using company e-mail accounts assigned to employees, and you won't get that here because there is nothing in the law that makes that illegal in all instances. The facts matter, as has already been said before in this thread. So if you want a more detailed answer than this, see that attorney. That's your best bet for getting a specific answer as to whether your employer has crossed the line into something that is either a crime or a civil wrong. 

3 minutes ago, Tax_Counsel said:

 

Then you ought to see an attorney in your state so the specific facts can be reviewed to determine if the employee has any recourse here beyond quitting his job. An employee may not like that the employer is sending out e-mails via his company e-mail address (which then makes it appear the employee sent it) but most such e-mails sent would neither be illegal nor would they give the employee any civil claim against the employer. You seem insistent on trying to get an answer that it is automatically wrong for the employer to send out e-mails using company e-mail accounts assigned to employees, and you won't get that here because there is nothing in the law that makes that illegal in all instances. The facts matter, as has already been said before in this thread. So if you want a more detailed answer than this, see that attorney. That's your best bet for getting a specific answer as to whether your employer has crossed the line into something that is either a crime or a civil wrong. 

Agreed. This was seeking some objective communal insight and advice on the general scenario to see what was an appropriate feeling, expectation and course of action. Since the replies are sided with the employer I'm trying to ensure an objective outcome by taking the alternate position to achieve the most comprehensive information possible. Your post is appreciated.


No one's looking for you to identify persons or individuals by name.  I provided a hypothetical using made up names.  Most folks have no problem describing their situations in terms that do not identify anyone but which are sufficiently clear to allow for comment.

 

 

2 hours ago, OkieTech said:

the replies are sided with the employer

 

No they're not.  You've vaguely described a situation and asked if something illegal occurred.  Based on your vague descriptions, we have concluded that nothing illegal occurred.  However, we all noted that a more clear and complete description of the facts might change our conclusions.

 

Ultimately, it's up to you to provide relevant facts.  If you don't want to do that, there's little anyone here can do for you.
