Email Document Requests: Security Check

TL;DR

A background checking company has asked for sensitive documents via email. This is a high risk situation. Do not send them directly. Verify the request through official channels, understand what they need and why, and use secure methods to transfer any required information.

Step-by-step guide

1. Pause Communication: Immediately stop responding to the email. Don’t click any links or open attachments.
2. Verify the Request (Official Channels): This is the most important step.
   • Find their official website: Do not use a link from the email. Search for the company on Google or another search engine.
   • Contact them directly: Use the phone number or contact form listed on their official website, not in the email you received. Explain that you received an email requesting documents and want to confirm its legitimacy.
   • Ask specific questions: Inquire about the details of the request (what documents they need, why they need them, who specifically requested them within the company). Compare their response with the information in the suspicious email. Discrepancies are a red flag.
3. Understand What They Need and Why: Before sharing anything, be absolutely clear about:
   • The specific documents requested: Only provide what is explicitly necessary.
   • The legal basis for the request: Background checks usually require your consent or a court order. Ask them to explain this if it’s not clear.
   • How the information will be used: Understand how they store, protect, and share your data.
4. Secure Transfer Methods (If Request is Legitimate): Never send sensitive documents as email attachments.
   • Secure Portal: The best option is if the company has a secure online portal for submitting documents. Use this if available.
   • Encrypted File Sharing Service: If a portal isn’t available, use a reputable encrypted file sharing service (e.g., OneDrive with password protection, Google Drive with restricted access). Share only with specific individuals at the company and set an expiration date for the link.
   • Postal Mail: For highly sensitive documents, consider sending copies via registered or certified mail.
5. Report Suspicious Activity: If you believe the email is fraudulent:
   • Phishing Reporting: Report the phishing attempt to your local cyber security authority (e.g., Action Fraud in the UK).
   • Company Awareness: Inform the background checking company about the impersonation so they can warn others.

Example Verification Questions

Here are some questions to ask when verifying the request:

• “I received an email requesting [list documents]. Can you confirm this request originated from your company?”
• “What is the case number or reference number associated with this background check?”
• “Who specifically at your company requested these documents, and what is their direct contact information?”
• “Can you explain the legal basis for requesting this information?”

Important Reminders

• Be wary of urgency: Phishing emails often create a sense of panic to rush you into action.
• Check email addresses carefully: Look for subtle misspellings or variations in the sender’s address.
• Trust your instincts: If something feels off, it probably is.