Fake Remote Employees – not just a paranoid fantasy
Estimated reading time: 7 minutes
Key Takeaways
- Fake remote employees can gain access to company systems, steal data, and cause legal or financial harm.
- Most warning signs are identifiable during hiring.
- Many prevention steps fall to HR, not just IT.
I had read about North Koreans landing fully remote jobs with U.S. tech companies by pretending to be someone else working remotely. Fascinating, but how realistic is it?
In April, it happened to one of my clients. Our EDR provider identified that unapproved hardware was installed on the computer sent to a new remote employee. The hardware was a USB KVM over IP device masquerading as a keyboard. Within an hour, we blocked the computer and suspended the accounts for the employee. We also reached out to the remote employee through every channel we had in case he was somehow an innocent victim. He never responded.
Our EDR service provider determined that there were at least three other companies who had been victimized by the same actors. They had detected three additional laptops from three different companies with the same kind of USB KVM over IP device in that same building. There could have been dozens of other machines there – just not running the brand of EDR software.
Stunning!
A month later, one of my peer vCISOs reached out on SideChannel’s internal Slack about some strange behavior by one of the remote staff with one of his clients. We quickly ticked off many of the same red flags. It was another fake remote employee. The client executed their Incident Response Plan (IRP), shut down the machine and suspended the account.
The potential impact of this kind of compromise includes, at minimum:
- The fake employee can steal your intellectual property (IP) or customer data.
- You may be illegally paying money to a proscribed foreign government, such as North Korea, or directly to a terrorist organization.
- The malicious actor could use your environment to attack your customers and others.
- You lose a corporate laptop to the malicious actor.
What follows is our guidance on how to avoid falling for these scams. Critically, only one control is technical. Most of these are actions your Human Resources department can do.
Red Flags
Any one of the following items could be innocent on its own, but each one is a potential red flag. If you find two or more, you should take immediate action.
Fully remote interview
Fully remote interviewing is substantially less expensive than paying for a candidate to visit an office in person. But it probably doesn’t cost much more than a new corporate laptop – which is your most direct loss if it turns out you’ve hired a fake employee. They’re not going to ship your laptop back to you after they’re terminated!
With video filters and AI tools, faking your appearance on a video call is neither expensive nor technically challenging. Every candidate should be able to show up at least once in person to be interviewed by a current employee.
Identity discrepancies
Many people have a “preferred name”. Sometimes they’ve been called by their middle name their entire life. Sometimes – especially in the heavily anglophone U.S. – they have adopted a name that is easier for colleagues to manage. As a result, official documents may not match the name presented on a resume or in an email. LinkedIn profiles and resumes are, after all, not legal documents. The difference between preferred name and legal name is not generally a problem. However, in combination with any of the other items in this list, it becomes a red flag.
If there is a discrepancy between official identity documents presented for background checks and for setting up payroll accounts, this should raise a red flag. You might do an interview on one person, a background check on someone else and set up banking for someone entirely different! This is a major indicator of potential fraud.
“No Response” reference checks
Did you do the reference checks? Well, we reached out to the people the candidate suggested…
Did you hear back from those people? Well… no.
If the candidate is a real person and really wants the job, they will have alerted their friends that they want to use them as a reference. If the friend doesn’t respond to your request for a reference, that is a negative reference. Whether the candidate is real or not – if the references don’t respond it is a red flag.
Laptop shipped to a different address
It is a best practice to provide a corporate laptop to fully remote staff. You load the laptop with all your anti-malware and device management tools.
But when the new employee asks that the laptop be shipped to an address different from their home address, it is a red flag. They may provide any number of plausible sounding reasons such as needing to go care for a sick family member, apartment being fumigated or major home remodeling disrupting their home office.
In practice, the fraudster typically works from a centralized location and has multiple victim companies (see the beginning of this article). They have each corporate laptop sent to that same address. The fake workers remote into the laptops from somewhere else entirely – possibly from North Korea.
Failing to attend meetings
With all the flexibility that comes with remote work, there is still a need for focused collaborative time, whether that is video conference meetings or simply responding to messages within a reasonable timeframe. People depend on the engagement and responses of their colleagues. Unexplained or frequent absences from the flow of communication are a cause for concern because they can drag down an entire team. It is definitely a performance issue and should be treated as a red flag if it happens along with other signals described in this article.
Working hours inconsistent with the home time zone
Similar to the absence issue described above, someone whose messages and work appear to be done well outside their supposed home time zone is a red flag. It is a clear indicator that they are either working from somewhere far away, have another job, or they have a serious sleep disorder.
Installing unapproved hardware or software
This should be painfully obvious, but a user doesn’t innocently install a KVM over IP USB device. This points directly at this “employee” being a malicious actor. Detecting this action requires that you have enterprise-grade EDR software installed on your corporate laptops. However, with all the other red flags that came before, we should never have sent this person a laptop to begin with.
Be Proactive
Don’t wait until an imposter is already inside of your organization. Here is a checklist of steps you can take to avoid hiring an imposter and make sure you.
- Require an in-person meeting. If this isn’t possible, get creative. Ask your candidate to arrange for you to call them at a local restaurant, coffee shop, or similar business with a published phone number and a decent Yelp rating while you are on a Zoom call with them, or have them pose on a public webcam in their local city.
- Examine Documents: Seriously examine discrepancies in official and unofficial identity documents. Credit checks typically include alternate names and locations – do any line up?
- Require a Reference: Don’t take no or a no-show – if no one is willing to verify your candidate then something is wrong. Ask references to confirm both official and given names and working location.
- Working versus Shipping: Be skeptical of requests to ship a laptop to anywhere other than the home address. Once online, make sure that the laptop geo-locates to where you shipped it.
- Trust but Verify First: For remote workers, give them an account but don’t grant them any access until you confirm that they are where they say they are. Start out with a minimal online guest account and locked down laptop profile until they are running and your EDR tools validate location and setup.
- Use your security tools: You need an enterprise-level EDR solution – period. This should tell you where the device is located and what software is running on it. You should block remote access to your endpoints and limit or outright block peripherals – at least during onboarding – until you can confirm the device is where it’s supposed to be and someone is at the keyboard. Test that your EDR provider can detect remote logins, keyloggers, and USB devices.
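The “working hours”, “unapproved hardware” and checklist items above can be turned into a first-week triage of the new hire’s endpoint telemetry. The script below is an added example written for this article, not SideChannel’s tooling or any EDR vendor’s API: it takes constructed events in the shape an EDR export might provide (USB attach, login with geolocation, activity timestamps, inbound remote-control sessions) and scores them against the red flags. The allow list IDs, the profile, the IP address and the tool name are all placeholders; the only inference it draws from the article is that a KVM-over-IP dongle presents itself to the host as an ordinary keyboard, so the check that catches it is “HID device not on the corporate allow list”, not “device looks odd”.

```python
"""Added example: triage a new remote hire's first-week endpoint telemetry for the
red flags in the article. All IDs, events, names and locations are constructed."""
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Constructed allow list of corporate-issued peripherals as (vendor_id, product_id).
# These are placeholder values, not real USB vendor/product IDs.
APPROVED_USB = {("1111", "0001"), ("1111", "0002")}

# Only used if the host has no IANA tz database; offsets are for the sample dates.
FALLBACK_OFFSETS = {"America/Chicago": -5}


def _resolve_tz(name):
    try:
        return ZoneInfo(name)
    except ZoneInfoNotFoundError:
        return timezone(timedelta(hours=FALLBACK_OFFSETS[name]))


def flag_usb(events, approved=APPROVED_USB):
    """A KVM-over-IP dongle enumerates as a plain HID keyboard/mouse, so flag every
    attached USB device that is not on the allow list rather than guessing intent."""
    return [f"usb: unapproved {e['class']} device {e['vid']}:{e['pid']} '{e['product']}'"
            for e in events
            if e["type"] == "usb_attach" and (e["vid"], e["pid"]) not in approved]


def flag_geo(events, ship_country, ship_region):
    """The laptop should geolocate to the address IT shipped it to."""
    return [f"geo: login from {e['country']}/{e['region']}, laptop shipped to "
            f"{ship_country}/{ship_region}"
            for e in events
            if e["type"] == "login" and (e["country"], e["region"]) != (ship_country, ship_region)]


def flag_hours(events, home_tz, window=(7, 20), max_outside=0.25):
    """Convert activity timestamps to the stated home time zone and flag the user if
    more than max_outside of them fall outside the local working window."""
    tz = _resolve_tz(home_tz)
    stamps = [datetime.fromisoformat(e["ts"]).astimezone(tz)
              for e in events if e["type"] == "activity"]
    if not stamps:
        return []
    outside = [s for s in stamps if not (window[0] <= s.hour < window[1])]
    share = len(outside) / len(stamps)
    if share > max_outside:
        return [f"hours: {share:.0%} of activity outside "
                f"{window[0]:02d}:00-{window[1]:02d}:00 {home_tz}"]
    return []


def flag_remote(events):
    """Inbound remote-control sessions during onboarding mean someone other than the
    person at the keyboard may be driving the machine."""
    return [f"remote: inbound {e['tool']} session from {e['src']}"
            for e in events if e["type"] == "remote_session"]


def triage(profile, events):
    """Run every check. Per the article, two or more independent red flags warrant
    immediate action: isolate the machine and suspend the account."""
    groups = [
        flag_usb(events),
        flag_geo(events, profile["ship_country"], profile["ship_region"]),
        flag_hours(events, profile["home_tz"]),
        flag_remote(events),
    ]
    categories = sum(1 for g in groups if g)
    return {"findings": [f for g in groups for f in g],
            "red_flags": categories,
            "act_now": categories >= 2}


# Constructed sample: hire claims to live in Texas; laptop was shipped there.
PROFILE = {"user": "new.hire", "home_tz": "America/Chicago",
           "ship_country": "US", "ship_region": "TX"}
EVENTS = [
    {"type": "usb_attach", "vid": "1111", "pid": "0001", "class": "HID", "product": "Corp Keyboard"},
    {"type": "usb_attach", "vid": "9999", "pid": "0042", "class": "HID", "product": "Generic Keyboard"},
    {"type": "login", "country": "US", "region": "AZ"},
    {"type": "activity", "ts": "2024-05-06T08:10:00+00:00"},  # 03:10 in Chicago (CDT)
    {"type": "activity", "ts": "2024-05-06T09:30:00+00:00"},  # 04:30
    {"type": "activity", "ts": "2024-05-06T15:00:00+00:00"},  # 10:00, inside the window
    {"type": "activity", "ts": "2024-05-07T07:45:00+00:00"},  # 02:45
    {"type": "remote_session", "tool": "placeholder-remote-tool", "src": "203.0.113.10"},
]

if __name__ == "__main__":
    result = triage(PROFILE, EVENTS)
    for line in result["findings"]:
        print(line)
    print(f"red flag categories: {result['red_flags']}, act now: {result['act_now']}")
```

Each check is deliberately independent so that a single noisy signal (one late-night login, one unrecognized mouse) does not trigger action on its own; the decision comes from the number of distinct categories that fire, matching the article’s “two or more” rule. In production the event list would be pulled from the EDR’s export or API, and the allow list maintained by whoever images the corporate laptops.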
If you don’t currently have a Chief Information Security Officer, get one. Contact us.
