In this interview with Heller Search Managing Director Jason Henninger, veteran information security executive Joanna Burkey discusses the rise of fraudulent job applicants and the risks they pose, and what security leaders can do in response.

With the advent of deepfakes, AI applications for the masses and the rise of remote work, CISOs have another risk to address: fraudulent job candidates seeking the keys to corporate systems and data.

Bad actors are knocking on the door through the job application process. In some cases, they might fraudulently claim to have the right qualifications to perform the work – then have someone else do the job in their place. In more serious situations, as the U.S. Justice Department has warned, criminal organizations and foreign adversaries place their agents in remote positions to access corporate systems with criminal intent. 

The challenge is particularly problematic when it touches the cybersecurity team.

Joanna Burkey, a longtime CISO, founder of Flat Rock Strategic Advisors, LLC., and an independent director at Beyond Inc., CorVel Corp., and ReliabilityFirst Corp., discusses this risk and how CISOs can respond.

Jason Henninger: What does “new” candidate fraud look like today amid increasingly complex cybersecurity issues?

Joanna Burkey: Simply put, candidate fraud refers to a company hiring an entity that is not who they represented themselves to be. One typical example of candidate fraud is when someone incapable of doing the job successfully interviews and is hired, but is really leaning on someone else, like a friend or family member, to perform the role for them. For example, I know a case of a hired candidate showing up to the office every day but having their cousin in another country do the actual work each night.

The other “new” type of fraud we see is a hired entity purposefully exploiting something or someone else. I say “entity” instead of “person” because sometimes it’s a group or entire criminal organization behind a fraudulent candidate. These fraudsters generally look to exploit a company, whether through its customers or company resources. We’ve seen several instances in recent years of a candidate looking to tap into a large company’s cloud resources for bitmining or accessing sensitive Amazon Web Services resources, for example.

When it comes to resume fraud, recognizing why the fraud happens can be more important than how the fraud has occurred. Sometimes similar tactics will be used by fraudsters for different reasons, so it’s crucial to look holistically at the why and the how to recognize potentially increased dangers. For example, a person using a family member to complete work for them provides less of a threat than someone joining a company specifically to defraud customers or bring the company down.

As important as it is to recognize and prevent the tactics used by fraudulent candidates, it’s equally important to identify why these entities are looking to commit fraud.

What dangers do fraudulent cybersecurity candidates pose to an organization?

Two types of major dangers tend to arise, which can be broken down as passive and active fraud.

Often, especially amongst businesses that engage in government contracts or regulated work, companies are required to meet certain requirements with the individuals hired for a given project. If one of those candidates lied about their citizenship, background, or certifications, the company and/or employer could be in violation of a contract. So, although the hire did not actively jeopardize the project, the simple fact that they aren’t who they said they were puts their employer in violation.

Additionally, the threat of having an unqualified employee on your staff is a growing issue. There are a lot of job postings out there, and a lot of people who need jobs. There’s a real temptation for candidates to overrepresent capabilities during interviews, only to join a cyber breach response team and create internal weaknesses and threats since their overrepresented skillset immediately hinders the company’s ability to operate.

More active threats occur when the hired entity is there specifically to do damage. Generally, these hires either use company resources to commit crimes or gather data to then use maliciously, oftentimes using the data to exploit and threaten the company or a person down the road. One of the scariest examples we’ve seen is some of these fraudulent employees purposefully compromising a product or service their employer makes.

How can CISOs detect and prevent fraud?

Right now, while Fortune 200 companies can dig deep to diligently check identities, most companies do not have adequate time or resources to be as diligent. This process must change. Small and medium-sized businesses currently rely on market service providers for many services, including staffing, and generally don’t know how to engage with them in a careful way, which creates more risk for candidate fraud.

Recently, interview processes have directly incorporated skills validation tactics, so candidates must prove technical prowess immediately to avoid any skill gap issues down the road.

There are also many ways to validate a candidate’s identity. Many companies make video calls mandatory during the first one or two virtual interviews and will require the candidate to hold up a photo ID (noting that they can and should cover up any personal information). Before implementing these techniques, it’s imperative that you check with your legal and privacy teams to ensure you are allowed to ask a candidate to share a photo ID. If a candidate cannot provide correlating ID, there’s a strong chance that they aren’t who they claim to be.

Asking someone to show correlating ID is also a quick and easy way to check their movement and gauge whether they’re using deepfake video. Fraudulent entities using deepfake video generally struggle to move naturally on camera, which can be a quick indication of a fraud.

What do you recommend for companies looking to mitigate this issue?

It is amazing how powerful the Internet can be now to help us validate identities. Simple things like verifying a candidate’s address through Google can be effective. If their home address is an office or warehouse, for example, that might raise concerns. You can check their CV and LinkedIn to see if their work history holds together, or if they have an unreasonable amount of experience listed over a short period of time. A largely empty LinkedIn profile can also identify a potentially fraudulent candidate. Additionally, the use of third-party platforms is helpful and sometimes imperative to helping companies validate candidates’ identities.

The number one thing to remember when it comes to candidate fraud is that staying diligent in your recruitment and interview planning process will help you to more easily detect fake candidates and may prevent a fraudulent entity from engaging within your company.
