Email with weirdly personal details - is this spam?
January 14, 2020 8:59 PM   Subscribe

I received an email at work with very specific accusations and no clickable links. It came from a gmail account. I reported it to work’s cybersecurity and they indicated it’s spam and blocked the sender but the details were so weirdly specific that I’m concerned. What would be the purpose of this?

I got an email this morning accusing me of having a conflict of interest with one of my staff because I have worked with them at a previous organisation. It claimed a bunch of petty stuff like they are frequently late and that I give them extra leave, none of which is true. When we recruited, we followed procedure, with candidates making application externally, being interviewed by a panel, etc. I disclosed our previous work relationship to my manager and other interview panel members at the time.

I would have just dismissed this as ridiculous spam except that:

A) It included the name of the previous organisation where we worked together
B) It used the specific term “you poached [employee]” - and I often jokingly use the word “poached” to refer to this staff member as it isn’t a secret that we’ve worked together previously.
C) My workplace is a large organisation and our division is currently going through a restructure which has turned nasty. My role and employee’s role are not under threat but others are.

If it’s not spam, it could be a malicious email from someone in our organisation, which is much more of a worry. Employee has proven useful and is valued and (as far as I know) gets on well with everyone. However this is a very stressful time for everyone, feelings are running high and people who aren't feeling appreciated in their roles might be resentful of those who are.

I asked our cybersecurity team if they'd seen this kind of thing before and got a vague reply that this kind of thing from gmail is usually spam. But I can’t think what it would achieve since there were no clickable links. Were they just waiting for me to engage before deploying, or something? Have you seen examples of this kind of spam before?
posted by andraste to Computers & Internet (18 answers total) 2 users marked this as a favorite
it sounds like someone is using linkedin or a similar source as an attempt at a con/leverage. perhaps to get you to share some corporate detail later. do not engage would be my advice.
posted by zippy at 9:18 PM on January 14, 2020 [7 favorites]

I wouldn't worry too much about it since it could be just spam drawn from LinkedIn etc.. If it is somebody in your organization seeking some kind of advantage, they will probably contact you again.

You could mention it to your manager just in case you get another message like it or something else happens to indicate that you and your staff member are being targeted. But until that happens, not engaging is the best strategy.
posted by rpfields at 9:40 PM on January 14, 2020

I'd report this to HR.
posted by Conrad Cornelius o'Donald o'Dell at 10:08 PM on January 14, 2020 [19 favorites]

not to be fear mongering, but with that level of detail and specifics, id more assume its an current unhappy coworker within your organization or a job candidate that was passed up who may feel your hiring of aforementioned employee may have been unfair under the circumstances, as long as you dotted your eyes and crossed your t's on the hiring processes, I'd shrug it off and hopefully it was just a one time venting from that unhappy person, I wouldn't bother responding either.
posted by edman at 10:21 PM on January 14, 2020 [6 favorites]

Best answer: I'll take another tack--why would you think it's spam? From what you're describing, it sounds much more like a nasty anonymous email that someone in your office has sent. If I have a dog named Blarney and someone emails me falsely accusing Blarney of eating their roses, I wouldn't assume it's spam... even if I know he hates roses. I'd be more inclined to think it's someone stirring up trouble or who really honestly believes Blarney ate their roses.

I wouldn't put much stock in what your cybersecurity team is saying, unless they seem to be really engaging with the content of the email. Probably they give the same standard response to most people who get an odd email ("It's spam... just ignore.")

I'd definitely talk with HR about this... not necessarily because of the content but because if someone is so pissed off they're resorting to anonymous emails, you want to be covered.
posted by whitewall at 10:25 PM on January 14, 2020 [60 favorites]

Yeah, you’re focused on the medium, email. What if this was a typed letter slid under your door? Sounds like you should check in with HR. I suspect this person is sending these emails to others as well.
posted by bluedaisy at 11:36 PM on January 14, 2020 [1 favorite]

It claimed a bunch of petty stuff like they are frequently late and that I give them extra leave, none of which is true

I just wanted to flag this as a concern. If you were actually doing this, it would be a big deal, so it's actually a somewhat serious accusation. Not that I'm saying it's likely true. Just that it would be serious if true. This kind of favoritism and unfair practices could be considered "not doing your job as a manager" or even get connected to a discrimination claim, depending on other circumstances.
posted by slidell at 12:57 AM on January 15, 2020

Response by poster: I'll take another tack--why would you think it's spam?

Not to threadsit, but at first I thought it might actually be our cybersecurity team carrying out a phishing awareness exercise. They've done these a few times and one of them was an email from someone purporting to be my manager (which also didn't have any clickable links in it). However when we report those we get an instant "congratulations! you spotted the fake!" email back and that didn't happen in this case.

The other thing that made me think it's spam is that honestly the accusations are very, very far from the truth as employee and I are both very diligent. I can literally think of only one time when employee was late, and my own manager is witness to employee's and my daily arrival times as well. It could all be demonstrated if necessary with records of leave requests, logon and logoff times, etc.

Other relevant info: employee has been with us for 18 months so it's a long time since they were recruited.
posted by andraste at 1:51 AM on January 15, 2020

Best answer: It's not the truth or falsity of the accusations that is relevant to whether this is spam, it's the specificity. To me that suggests, as others have said, that this is a targeted email. As slidell says it's making accusations about you in your role as manager. I would report it to HR just so there's a paper trail if they do it again, or if they are doing it to other people.
posted by crocomancer at 2:02 AM on January 15, 2020 [19 favorites]

Best answer: I often jokingly use the word “poached” to refer to this staff member

It's a super-common usage. If I were designing a bot that could construct disturbing teaser emails, it's exactly the word I'd have it insert whenever it deduced a senior-changes-employer-followed-by-junior relationship from a bunch of LinkedIn API calls.

Whenever I'm disconcerted by something weirdly specific in a thing I'd normally just toss as spam, I will make some attempt to find out whether that weirdly specific detail is based on information I can find using search engines or on social media. Because if it is, there's a good chance it's also available via somebody's publicly accessible API.

Given the breadth of machine learning software that's readily available now, it doesn't take an enormous amount of work to hook some quite smart pattern recognizers up to those things. Such a tool could be quite effective at the pointy end of an automated spearphishing campaign; people's better judgement tends to degrade a fair bit when we're annoyed, affronted or frightened.
posted by flabdablet at 2:31 AM on January 15, 2020 [3 favorites]

Best answer: In most cases, "poaching" is not illegal or even immoral. If no one signed a non-compete, there is very little the old org could do about it. I would still stop using the term yourself and even try to stop referring to the old org at all if possible.
I think this is spam because it is unwanted email, not because it was trying to advertise to you or even phish or hack you. I think the purpose is to threaten you and maybe the employee. If they wanted to get you in real trouble, I think they would have sent this info to your boss and not you.
Think about looping in both your direct boss and this employee, making it clear to both that you disagree with the info, just want them to have a general idea of the issue in case it does become a pattern, and trying to keep it low-key and not appear defensive about the accusations in the email. That is easier said than done, of course. Due to the reorg, your direct boss might not be the right person or it might not be the right time. I do think the employee deserves to know if you have not told them, even in general terms.
posted by soelo at 3:02 AM on January 15, 2020 [4 favorites]

this kind of thing from gmail is usually spam

I would insist on a more specific and detailed explanation, and escalate to someone else if they can't justify their finding to your satisfaction.

Some elements of your description (e.g. some of the details in the accusations being incorrect) suggest that the text may be autogenerated (perhaps from data scraped from LinkedIn). Maybe this is a known form of spam that the security people have seen before. But then they need to actually tell you that.

Because it sounds like they skimmed through it, lazily concluded that it was in the same category as those mails that go "here's a pwned password you used twenty years ago and which we're hoping you still use; this proves that we hacked your laptop camera and have footage of you watching porn; send us bitcoin". And then fobbed you off with a vague platitude. Which is kind of infuriating, and I think warrants pushback.

On an unrelated note, have you tried searching for specific phrases (excluding the personalised elements) from the email?
posted by confluency at 5:02 AM on January 15, 2020 [3 favorites]

The headers of the email should tell you the originating IP address. You should check that, or ask your IT people to do it. You can then try to determine the ISP and/or the originating geographic area. Granted, it's easy enough to obfuscate this stuff, but it might tell you something -- particularly if the sender wasn't tech-savvy and didn't know how to cover his or her tracks.

I'd give more-specific instructions on how to do this, but I'm a bit pressed for time. If you know any techies, ask them to help. It's not particularly complicated.
posted by alex1965 at 7:28 AM on January 15, 2020 [2 favorites]

Whatever its source, you would be wise to pass it on to HR with a note saying that there was enough detail to make you wonder.

Who knows, they may say they know exactly who sent it and that a case is in progress.
posted by Tell Me No Lies at 7:49 AM on January 15, 2020 [2 favorites]

Best answer: As alex1965 says, look at the headers of the email for the originating IP address. (See for details) Then search your email account for that IP address. This won't prove anything but at least you might find out if the email was sent from inside your company, which might motivate your IT guys to action. People, even slightly malicious people, are lazy.
posted by The Devil's Grandmother at 8:26 AM on January 15, 2020 [4 favorites]

99.99% this isn't spam or some kind of phishing.

It's a misconceived effort by someone in your organization to do what people in AskMe always urge aggrieved workers to do: "document, document." They are trying to lay the groundwork for a complaint against you or the employer if they get fired or passed over for a promotion, or possibly to pressure you to save them from said adverse action.

A smarter way to this would be for the anonymous email to be a complaint to your chief compliance officer or ombudsman, but this person isn't smart.
posted by MattD at 8:30 AM on January 15, 2020 [1 favorite]

Response by poster: Thanks everyone for the advice and suggestions (and helping me look at this from a different perspective).

- The IP address is in the US but seems to be a generic Google one; I get something very similar when I look at the headers of an email I send from my own gmail. I will see if one of my tech savvy friends can help.
- Googling specific phrases from the email doesn't come up with anything.
- I will bring it to my manager's attention just in case there are future issues and either they or I will report it to HR.
posted by andraste at 2:28 PM on January 15, 2020 [1 favorite]

Have you shown the email to the employee you poached? It's possible he or she might recognize the style or received similar email.
posted by The Devil's Grandmother at 1:15 PM on January 16, 2020

« Older Flooring contractor in Queens, NY   |   Uploading Links to Google Free Webpage Newer »
This thread is closed to new comments.