The fake IT employee problem CISOs can’t ignore

During the interview stage, a change in identity was observed. “We’ve seen cases where one person went through the phone screen, another person appeared on Zoom, and sometimes a third person appeared later – all under the same name and started over,” Weisong said.
Part of the problem is that traditional hiring practices evaluate knowledge and skills in isolation. “Traditional background checks only verify the information provided and are not fraudulent,” Weisong also noted.
The uncomfortable truth for some CIOs is that a fake employee's work can be done at a high rate, and discovery comes from signals, not performance.
However, Weisong says fake IT employees pose a business and compliance risk as much as a security risk, exposing organizations to breach of contract, regulatory consequences, and loss of customer trust, especially in regulated industries.
Combating the problem of fake IT staff
Amazon uses AI-based tools with human oversight to identify unusual contact information, as well as fake academic institutions and startup companies, according to Schmidt. Security teams will flag LinkedIn profiles that look suspicious, require in-person interviews and office presence, monitor computer usage and work quality, and authenticate with a virtual token.
He also said that IT and HR must work together in recruitment to combat this problem.
“It’s actually a lot cheaper for the labor union if we catch the problem early,” Amazon’s Schmidt told Fortune.
The necessary shift, says SentinelOne’s Hegel, is treating hiring decisions as an access control problem rather than a hiring function. “Stop treating your identity as a one-time HR check box and start treating remote hiring as if it’s going to give you special access,” he says.
After his experience, Weisong made many changes to his applicant tracking system and to all internal systems and processes of the organization.
When advertising positions, the company makes sure that candidates applying for technical positions understand the expectations and outcomes outlined in all written communications. “Additionally, removing the term ‘absolutely remote’ from our recruitment practices has greatly reduced the potential for fraud and for applicants applying outside of the US,” he said.
“While the ‘trust’ approach would be good for all recruits, we cannot allow it to hinder or prevent legitimate people from applying. Instead, we need adequate measures to prevent fake and fake applicants from reaching the pipeline in the first place,” he adds.
To manage the large volume of applications, many of which are bots, Energy Solutions’ job listings now have strong CAPTCHA settings, referral bonuses help draw in employee networks, and there is a 90-day satisfactory performance review for new hires.
During the interview process, interviews are conducted via video and not over the phone, and applicants must share their screen for live challenges. The post-video interview report allows the company to confirm the exact location of applicants after the screening and interview sessions. If the candidate is outside the US, it is treated as a Yellow/Red flag.
Applicants must choose which office they want to work in and must acknowledge that they understand the use of AI during the interview will result in exclusion.
To verify references and employment history, applicants must provide two references, one of whom was a supervisor or manager. Employment history is checked, including previous employers, and a full home address must be provided.
To monitor access, a question is added to the job application form asking whether the new role will have high access to confidential or sensitive information.
On the first day on the job, new hires must come to the office for equipment, training, and onboarding. All roles must be in place, with an option to join after satisfactory performance.
Combating this problem, says Weisong, requires reviewing hiring practices, working closely with HR, and monitoring the effectiveness of each countermeasure. For CIOs, the lesson is not that recruiting is broken, but that trust must be earned over and over again.



