Unmasking Employment Fraud

The popularity of remote and hybrid work has redefined the workplace, offering flexibility and accessibility to companies and employees alike. That said, this evolution has not come without some hidden vulnerabilities that have created fertile ground for a rise in employment fraud.

From individuals seeking financial gain to nation-state actors with more nefarious intentions, the remote employment model has opened new avenues for fraudulent activities. For businesses unaware of or unprepared for these risks, the consequences can be devastating – with data breaches, financial losses, reputational damage, and insider threats all possible outcomes.

There are some less devastating outcomes as well – such as underperformance, or low employee productivity from splitting time across more than one full-time job. In some positions there are contractual exposures to client data or non-compete clauses that could be violated due to fraud, or legal liabilities to worry about if third parties become involved who are not under the employer’s umbrella of protection.

Understanding the threat of employment fraud and developing strategies to identify and prevent it is fast becoming a critical capability for security teams.

The Faces of Fraud

Employment fraud is not one-size-fits-all. It can take several forms, each driven by its own set of motivations and presenting a unique set of risks:

  1. Identity Fraud: The simplest type of employment fraud is identity fraud. By creating a false identity, applicants conceal their true qualifications or backgrounds, often because they don’t really have the skills they profess to (such as an advanced degree or a specific software certification), or because they’re looking to evade legal issues (e.g., they have a criminal record or live in a country under sanctions). Some applicants have more qualified friends stand in for them during an interview, so they can pass a skills assessment and secure a job they’re not qualified for.
  2. Outsourcing or Polywork Fraud: Alongside the increase in remote work has been an increase in employees either outsourcing their workloads to a gig worker or freelancer, or employees holding several full-time jobs at the same time, with none of their employers aware of the situation. Essentially these employees are breaching the workplace policies of several companies, while still collecting full salaries. This not only undermines workplace trust but can also lead to subpar work quality and confidentiality risks.
  3. Criminal Organization or Nation-State Fraud: These actors target companies to infiltrate systems, bypass sanctions, or launder money. Recent cases, such as North Korean operatives securing remote IT roles, underscore the sophistication of these schemes. Their motivations often include economic disruption, the ability to gain access to systems for data theft or hacking, or even simply for financial gain to support broader political or criminal agendas.

Spotting the Warning Signs

Employment fraud doesn’t just appear out of nowhere, however. There are several warning signs to be aware of – and identifying fraud early can save organizations from significant harm. Some warning signs can be identified before an employee is hired, while some only become evident afterwards. While any one of these signs may not say with certainty that there is fraud at work, identifying them should push internal teams to take a deeper look at the employee in question. If several red flags are present, then it may be time to take action.

Pre-Hire Warning Signs:

  • Inconsistencies in Information: Multiple profiles with similar photos or discrepancies in employment history are all telltale signs. Fraudsters also often create barebones professional profiles with no personal content or history, which can also indicate a fabricated persona.
  • Suspicious References: Employment references that evade video calls or provide vague, generic feedback may be in on the fraud. Additionally, some references may appear overly rehearsed – or fail to provide any concrete examples or contextual information about past performance. In some cases, applicants have been known to serve as their own employment reference.

Post-Hire Warning Signs:

  • Discrepancies in Skill Sets: This red flag is easy to identify. Fraudulent employees often list advanced technical skills in their resumes, only for it to quickly become apparent post-hire that they are unable to do what they claimed. This mismatch often becomes evident during the first few weeks on the job. For some employees, having a low level of engagement with corporate tools, data or systems can stand out, especially when it is unlike the rest of their peer group.
  • Information Changes: Frequent address changes after hiring, or a sudden address change just before the delivery of a work phone or laptop, could indicate fraudulent activity, as could a request to send payment to a different address. Sometimes the inability to answer a simple question about their location such as “how is the weather?” can be a warning sign.
  • Technical Issues: Other warning signs to look out for include the existence of remote access software on their computers, the employee never turning on video or never being seen on video very clearly, or difficulties in their availability for calls or meetings. The use of foreign IP addresses, VPN usage, the installation of mouse jiggler software, or the laptop’s physical location being inconsistent with the employee’s claimed location can be indicators of fraud.
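
The technical indicators listed above can be checked against endpoint and sign-in records, with a case opened only when several distinct signs coincide. This is an added example, not code from the author or Nisos; the watchlists, record layout, sample data, camera-use minimum and two-indicator threshold are all assumptions.

```python
# Assumed watchlists (lower-case product names); replace with your own policy.
REMOTE_ACCESS = {"anydesk", "teamviewer", "rustdesk"}
JIGGLERS = {"mousejiggler"}
MIN_MEETINGS = 10  # assumed: judge camera use only after enough meetings

# Constructed sample data, not real telemetry. "ZZ" is a placeholder country code.
HR_COUNTRY = {"e1001": "US", "e1002": "US", "e1003": "US"}
SOFTWARE = [("e1001", "AnyDesk"), ("e1002", "MouseJiggler"),
            ("e1002", "TeamViewer")]
SIGNINS = [  # (employee, geo-IP country, non-corporate VPN exit?)
    ("e1001", "US", False),
    ("e1002", "ZZ", True),
    ("e1002", "US", False),
    ("e1003", "US", True),
]
MEETINGS = {"e1001": (20, 18), "e1002": (22, 0), "e1003": (4, 0)}  # (attended, camera on)


def indicators(emp):
    """Return the set of distinct warning signs observed for one employee."""
    found = set()
    installed = {name.lower() for e, name in SOFTWARE if e == emp}
    if installed & REMOTE_ACCESS:
        found.add("remote_access_software")
    if installed & JIGGLERS:
        found.add("mouse_jiggler")
    for e, country, vpn in SIGNINS:
        if e != emp:
            continue
        if vpn:
            found.add("vpn_signin")
        if country != HR_COUNTRY[emp]:
            found.add("foreign_ip")
    attended, on_camera = MEETINGS.get(emp, (0, 0))
    if attended >= MIN_MEETINGS and on_camera == 0:
        found.add("never_on_camera")
    return found


def review_queue(threshold=2):
    """Employees with at least `threshold` distinct signs, for human review."""
    queue = {}
    for emp in HR_COUNTRY:
        found = indicators(emp)
        if len(found) >= threshold:
            queue[emp] = sorted(found)
    return queue


if __name__ == "__main__":
    print(review_queue())
```

A single sign, such as a remote access tool installed on e1001's laptop or one VPN sign-in by e1003, stays below the threshold and opens no case on its own.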

How Companies Can Defend Themselves

In addition to being vigilant when it comes to recognizing potential red flags, there are several strategies that employers can adopt to help fortify their defenses and weed out any fraud before it becomes impactful. While there may be legitimate reasons for an employee to have moved several times recently, or to be careful about what personal information is shared publicly, these strategies can help ensure you’re only finding false alarms and not ignoring real fraud.

  1. Enhanced Applicant Screening: Organizations should try to require on-camera or in-person interviews to confirm the applicant’s identity. For remote positions, ensure video interviews are conducted with clear, verifiable visual checks. Utilize tools to detect emerging threats like deepfake technology, ensuring candidates genuinely match their submitted documentation.
  2. Thorough Documentation Checks: Where feasible, conduct in-person verification of identity documents. In remote setups, implement secure digital verification methods and cross-reference applicant-provided information with public records to ensure consistency. Ask questions if there are discrepancies; simply asking may scare a real fraudster off.
  3. Comprehensive Reference Checks: Reference checks were mentioned as a red flag – but they’re worth mentioning here as well. Ask for references, don’t take no for an answer, and then verify them through direct, detailed conversations. Ensure their legitimacy and connection to the applicant by asking targeted questions about specific projects, responsibilities, and work contexts. Consider independent verification of references through background-check services as well.
  4. Secure Onboarding Practices: A natural follow-on to stronger application controls is to keep the same level of heightened awareness when it comes to onboarding. Require in-person onboarding or robust virtual identity verification before granting access to company systems or equipment. Virtual verification can include live document presentation and biometric authentication. Monitor for last-minute address changes and verify new addresses with trusted sources.
  5. Leverage Open Source Intelligence (OSINT): If you fear there may be fraud at hand, conduct deep dives into applicants’ online presence to confirm consistency in professional history and personal details. Look for anomalies such as identical photos used for multiple profiles or sudden bursts of activity on professional platforms.
  6. Collaborative Investigation Efforts: Above all, ensure that your organization’s HR, legal, and security teams are working together to address any fraud concerns, pooling their expertise for a thorough assessment. Cross-department collaboration can identify patterns or inconsistencies that might otherwise go unnoticed.

Stopping Employment Fraud

The dangers of employment fraud extend far beyond false resumes. Once inside an organization, fraudsters can access sensitive systems and data, posing significant insider threat risks. These vulnerabilities can ripple through partner networks, amplifying the potential damage. A single compromised hire can lead to significant breaches that affect customer trust, financial stability, and industry standing.

Organizations that assume they are too small or secure to be targeted may find themselves caught off guard. Small businesses, often without dedicated security, HR or legal teams, are particularly vulnerable, as fraudsters may see them as easier targets.

Remote work is here to stay, and with it, the need for vigilant and adaptive strategies to combat fraud. Employers must continually refine their processes, integrating technology and collaboration across departments to stay ahead of emerging fraud strategies.

About the Author

Ryan LaSalle is the CEO of Nisos. He leads a mission-driven team who helps clients use the power of open-source intelligence to unmask the digital threats and identify the real-world people seeking to do them harm. Ryan served as the North America Lead for Accenture Security, nurturing the talented teams that bring transformative solutions to better defend and protect clients. During more than 25 years with Accenture, Ryan led client engagements across commercial, non-profit and the public sector by integrating emerging technologies into advanced solutions to drive agility and meet business needs. He holds patents in human resource management, knowledge discovery and establishing trust between entities online. Ryan is a frequent speaker at international security conferences and has authored numerous articles on cybersecurity. He holds a Bachelor of Science degree in electrical engineering from Princeton University and lives in Alexandria, VA with his wife Melissa, their two kids, and pandemic puppy. Ryan can be reached online at [email protected] and at our company website https://www.nisos.com/.
