How to Prevent Fraud in Remotely Hiring and Secure Your Company

As remote hiring accelerates, companies enjoy benefits like access to a larger talent pool, cost savings, and improved employee retention. However, this shift also brings significant risks, particularly sophisticated fraud schemes.

The DOJ's Major Fraud Bust

A recent Department of Justice investigation uncovered a complex fraud operation where thousands of North Korean IT workers used stolen or false identities (of U.S. persons) to infiltrate over 300 U.S. companies. This scheme involved creating fake identities, using U.S. payment platforms, and setting up proxy computers within the U.S. to mask their true locations. These actions generated millions of dollars for North Korea, underscoring the high stakes of such frauds (Department of Justice / Dark Reading).

Real-World Encounters of Attempted Fraud at Remotely

At Remotely, we encountered a similar but distinct fraud attempt. Here's how the scheme works: A highly skilled, senior software engineer, fluent in English, completes job interviews under a false identity. They excel in these interviews, consistently securing employment offers. However, the real shocker comes next. A different individual completes the identity verification process using a legitimate government ID, an IP address matching the ID, and a selfie that passes the biometric check against the ID.

What’s critical to understand is that ID verification often happens through invoicing companies using third-party KYC/ID verification services, completely disconnected from the employer’s processes. The selfie taken during ID verification matches because a legitimate individual with a legitimate ID is completing the process. But here's the twist: this individual is entirely different from the one who excelled in the interviews. In our experience, both individuals are complicit in this elaborate scheme.

This separation of processes exposes a gaping vulnerability: a seemingly valid ID verification, yet a completely different individual from the one interviewed and hired. Once hired, the fraudulent individual infiltrates the company, gaining access to sensitive source code, recording internal meetings, and more. The endgame is extortion—threatening to sell or release the source code to competitors unless a ransom is paid. (You can read the first-hand account below of a company that faced this specific threat.)

This case starkly highlights the extreme measures fraudsters take to deceive companies. At Remotely, we’ve encountered multiple individuals attempting to penetrate our talent network through this deceitful method. Each one ultimately failed the ID verification because the person interviewed was not the same as the person completing the verification. Notably, one such individual was "Alejandro," mentioned in the post below.

Rest assured, none of these developers are in the Remotely network, and none have gained employment through our platform. A customer alerted us to the incident detailed below, prompting us to immediately tighten our verification processes. Thanks to our enhanced pre-employment procedures, we can now successfully identify and expose these fraudulent identities, ensuring our network remains secure.

Understanding the Risks

Such fraud is particularly concerning for roles like software engineering, where employees access sensitive financial data, customer information, and proprietary code. As a result, these roles are more targeted.

Identity Fraud Mitigation Strategies

To combat these risks, companies must implement stringent verification and security measures:

  1. Enhanced Background Checks: Use advanced techniques to verify candidates' identities and credentials.
  2. Multi-Factor Authentication: Implement multi-layered authentication processes to ensure that the person accessing your systems is who they claim to be.
  3. Regular Security Audits: Conduct frequent security audits to identify and address potential vulnerabilities in your hiring and operational processes.
  4. Training and Awareness: Educate your HR and IT teams about emerging fraud schemes and the importance of robust security practices.

By staying informed and proactive, companies can navigate the dark side of remote hiring, ensuring they reap the benefits while mitigating the associated risks.

For more detailed information on the DOJ's recent actions and additional security measures, visit the Department of Justice press release.

How We Combat Fraud Risks at Remotely

Vigilant Screening

We conduct live, face-to-face interviews with all candidates in our network. It may sound obvious, but not all networks do this, and our team is trained to probe into potential risks and inconsistencies.

Robust Identity Verification

At Remotely, we’ve rolled out an identity verification process across our entire talent network using government IDs and live biometrics. We partner with a third party to verify government IDs and confirm that the biometrics of the live individual match those of the ID. Our processes confirm that the ID verification completed by the individual matches that of the individual we’ve personally interviewed and admitted to our network. All contractors have completed ID verification, and all candidates introduced to customers go through this obligatory step. A frequent disconnect between the identity verification process and the interview/hiring process leaves room for exploitation. The identity verification is completed by an individual with a valid ID, but the individual interviewing is not the same person who completed the ID verification process. At Remotely, we protect against this.

Background Checks

When Remotely candidates receive a job offer, by default, we conduct a background check. This is incremental to the ID verification process we’ve already completed by this stage.

Employment References

We have a streamlined process to gain employment references for candidates at Remotely. We’re continuing to tighten the reins on this process, including the implementation of a process that forces a referee to submit their reference after signing into LinkedIn, so we can more clearly verify the identity of the referee.

By implementing these measures, Remotely ensures a secure and trustworthy hiring environment, protecting our clients from the sophisticated fraud schemes prevalent in today’s remote hiring landscape.