I work for a small company, in the United States. Part of my duties is building out quotes for products and services our company sells. I’m trying to avoid being overly specific, but basically I have been asked to quote out a product we often sell, but to also include in the quote a feature which out company cannot actually provide. The customer has several of the item I am supposed to quote already and believes that they have the additional feature on all of the existing devices, so expects to see it on this quote for their new site.
I have brought up with my boss in the past that we have not implemented the additional feature and to the best of my knowledge we can’t. He assured me he was looking at addressing that. Today, after receiving the request for this new quote, I asked my boss about it, he said he still hasn’t come up with a plan to address the issue, but wants me to move forward with pricing it out anyway.
It would be a big hit to our company if the customer left us, but I struggle to see how what my company is doing here isn’t fraud. I’m not really comfortable with doing this, but my relationship with management is already strained and I wasn’t really looking to create any more waves at the moment.
Are there good resources I could look to to determine if this would constitute fraud from a legal perspective? Has anyone here ever been in a similar situation?
I’m looking for another job, but don’t have anything lined up yet, so nervous about doing (or not doing) something that would get me fired, but Im not comfortable with what appears to me to be dishonest at best and fraudulent at worst.
Edit: wanted to add that to the best of my knowledge, we aren’t selling that additional feature to anyone else at the moment. I think my boss is just afraid of this customer in particular finding out since they’ve already been sold the feature and they’re a larger customer.
Edit 2: thanks everyone for the advice. It is much appreciated. I’ve got a lot of thinking to do tonight.
FYI, your employer will probably see these outgoing emails from your mailbox, it will turn up in logs and be very obvious for someone in IT who you don’t even know if they see emails going to a random gmail address. You probably signed something when you were hired about not doing this, and it might create an IT issue for you. Also, since it’s a bcc, your boss’s replies won’t be there, so it probably won’t do you as much good as you think in proving they told you so. I would not recommend doing this.
Depending on how much control they can see into your work laptop, i would recommend printing the email threads as PDFs and copying them to a thumb drive if you need them. This would be harder to detect, but if your laptop is managed by the org, and someone does have it out for you, they could be watching your every movement, so it isn’t 100% safe.
If you think you are being closely monitored, I guess your best course of action would be to get an HDMI capture device on a personal computer, and then record your monitor as you’re viewing the emails.
Far more likely they’ll detect the foreign hardware plugged in to the device (assuming it allows new devices to be added at all) than someone in IT randomly coming across some sent emails - could’ve been to a client for all they know.
However, if someone is suspicious and ASKS IT to pull the logs it should be pretty easy to see. But if it’s gotten to that point, you’re still better off having the emails than not.
I guess it depends on the company and their policies. I’ve been an admin in Google Workspace, and it’s almost hard to avoid seeing some of the reports of the metadata of external incoming and outgoing email.
I remember we even had a rule for external emails with a name that employee name. This was mostly to identify and block scammers impersonating the CEO, but would also inadvertently catch a whole bunch of other weird stuff people were doing as well, but that was mostly someone setting up a shadow IT service that would send email with the name of an employee, which we’d then have to chase and figure out.
I’m less familiar with the MDM software running on laptops, it’s possible that each file copied to a thumb drive is logged, so that is totally a risk, but i imagine it would be harder to detect if that’s a common thing that people do at the org.
Don’t they monitor what you copy to thumb drives?
Yeah, that could depend on the level of monitoring and access they have, and what your risk level is. Since they say it’s a small company, the laptops might not be managed, but almost certainly they will have reports on incoming and outgoing emails, and a bcc to a gmail address would be a huge red flag. I would assume that small PDF files copied to a thumb drive wouldn’t raise suspicion, but you’d want to fly under the radar and not have the number of files be crazy or the file size be huge, since that would move you to the top of the list in an aggregated report, and have more eyes on you.