The combination of remote work, the latest technologies, and never physically meeting your employees has made it very easy for job applicants to mask their true identities from their employer and commit employment fraud.
Motivations for this type of fraud vary, so it’s essential to start by quickly reviewing the key forms that employment fraud can take:
- Nation-state or criminal organization fraud, where employees infiltrate an organization to gain access to systems, data, or payroll (to conduct future nefarious actions), to skirt sanctions, or to find other means of money laundering.
- Identity fraud, where applicants create false identities to hide who they really are.
- Outsourced work, where employees outsource their jobs to gig workers or others who will complete their tasks for a fee, outside of corporate policy.
- Polywork, or working several full-time jobs at the same time, without the knowledge or approval of their employers.
These types of fraud have become more prevalent over the past couple of years.
Red flags of employment fraud
Security teams need to recognize the red flags of employment fraud to prevent it before it can have a negative impact. At the same time, it’s essential that teams do not jump to conclusions if something seems off. The past few years have encouraged acceptance of people that work differently, which is excellent but has also created an opening for others to exploit.
Let’s look at what some of those red flags are in more detail:
Differing skill sets – Potential employees often claim to have experience developing web and mobile applications, knowledge of multiple programming languages, and an understanding of blockchain technology.
However, after new employees are onboarded, it is quickly discovered that they do not have all the expertise or skills described in their resume and interview. This can be the first sign that a larger issue may require monitoring.
Employee information inconsistencies – There are several ways in which inconsistencies can be brought to light. For instance, a common trait of workers committing fraud is that they update their mailing address just after accepting a job, but prior to equipment being shipped to them. This indicates that the identity and information provided during the hiring process could have been stolen.
Some other common employee information anomalies to look for include potential employees that have several accounts with the same name and photo associated with different physical locations, some of which are abroad. Or even simply that photos of the same individual were used to create multiple, different personas.
Lack of personal content – Potentially fraudulent employees also are very thorough at making sure there are relevant accounts connected to the personas they have established. There are typically recent accounts on employment websites, IT industry-specific freelance contracting platforms, with software development tools and platforms, and on common messaging applications.
But these same personas lack social media accounts or any personal content, and the relevant accounts only contain minimal information, suggesting that the accounts have been created solely for the purpose of acquiring employment, and that some of the resume content and experience statements were likely copied from real individuals in the IT industry.
Ways to prevent employment fraud
Successful employment fraud investigations rely on OSINT and internal investigation components. Collaborations between the security, legal, and HR teams often occur, especially as suspicions escalate. As we’ve investigated fraud for clients, we’ve discovered widespread tactics, techniques and procedures (TTPs) that are repeated – especially by those committing employment fraud who are connected to a nation-state or criminal organization.
With those in mind, below are some procedures that can be implemented at your organization to help identify existing employment fraud and prevent new fraud from happening:
Visual check – One of the first areas to address is applicant screening. In the name of efficiency and kindness, many organizations have been understanding when a job applicant could not meet in person or was “off-camera” because of a family issue or illness. One of the easiest ways to ensure the applicant is who they say they are is to insist that the interview process involves an on-camera and/or in-person interview. With the rise of deepfake technology, we expect visual checks will be less straightforward soon.
Check for accurate documentation – Organizations should ensure that the job applicant provides identification documentation in-person. This can make it easier to identify falsehoods and deter any who may have fabricated a persona. Companies without a physical presence or hiring fully remote workforces will need to look at other measures to achieve this.
Review publicly available information – Conduct a detailed review of the job applicant’s online presence, both on relevant work sites, and on personal destinations. Look for consistency in name, appearance, work history, education, and physical location. Ask about any inconsistencies – and don’t take no for an answer. The lack of any information outside of relevant work accounts can also be indicative of a problem.
Conduct a thorough reference check – Collect and retain all contact information for the references given by a job applicant. Take the time to verify prior employment.
A few everyday actions of fraudulent applicants are to have the references be the same individual with different contact information, or for them to be connected to the same network of people as the job applicant. Another common trait is that references may not want to appear on camera if requested – and their answers are kept brief and/or provide no real contextual information on how they supervised or worked with the job applicant. This is a sign of a problem.
In addition, applicants will often list significant companies in their employment history, both to inflate their experience and to deter the hiring organization from contacting their provided references. Contact them.
Confirm identity during onboarding – Once an employee has passed the screening process and is hired, take the opportunity to verify their identity one more time by requiring mandatory in-person onboarding and/or that they show up in person to obtain necessary equipment.
It is very common for an individual committing employment fraud to ask for a laptop, for example, to be shipped to a different address than what was listed on the documents provided during the application process. The reasoning typically is that they have moved or have temporarily relocated. When this red flag comes up, immediately research that new address to verify that it is indeed linked to the individual and doesn’t belong to a third party (who may or may not be in on the fraud).
Using that “spidey-sense” – Sometimes everything looks correct, and there just might be a slight feeling that something is off. It’s easy to talk yourself or your team out of worrying that there is a problem, especially as sometimes those working in the technology and related fields have the reputation of being introverted or of simply keeping to themselves. And you could quickly find out that it was incorrect of you to be suspicious. But it’s worth taking a few easy, non-intrusive steps to follow up on that feeling.
Search for language on their resume – many fraudulent actors have been known to copy and use sections of a resume as their own. Some even copy the whole resume, or the descriptions of work experiences, verbatim. Image searches can also be a valuable tool. If you find multiple personas online with the same image – and not necessarily the same information – it’s time to flag that applicant.
Don’t go it alone – Many teams lack the experience or tools to perform much of this external validation effectively and find that partners can help with external research, while respecting the candidate’s privacy and protecting the company’s interests.
It’s well-known that employment fraud is dangerous – it can lead to data leaks, reputational harm, and operational disruption. Many organizations assume that they’re too small for this to be an issue, or that they’d be able to spot and call out any fraud immediately. Unfortunately, the modern workplace structure makes it even easier for nefarious actors to be successful.
Recent actions by North Korean job applicants have put the spotlight on an issue that comes in a few different varieties, but can still spell disaster for a company. By recognizing the red flags, improving the vetting and onboarding processes for job applicants, and embracing open-source intelligence as a part of your investigation, you can stop employment fraud in its tracks.