Recruitment risks: Avoiding the dangers of fraudulent candidates

Tech companies are seeing an increase in fraudulent job applications, with associated impacts on risk and cyber security. So how can organisations protect themselves from fraudulent applicants while ensuring they recruit the best talent?

The past two years have seen an increase in fraudulent candidates applying for roles in the technology sector. This results in expended resources for unsuitable hirings, but can also lead to significant risks, such as cyber security breaches resulting from insider threat.

There has always been a temptation for candidates to overstate their professional experience, with a minority who take it too far and deliberately misrepresent their credentials. This is rarely intended maliciously, but it does cause problems.

“A friend of mine was recruiting some SAP people,” recalls Colin Tankard, managing director of Digital Pathways. “The company was in startup mode, so they were desperately trying to get all these specialists in for when they won deals. When they sent them out to Holland to do this SAP install, they found out that they didn't know anything.”

It takes time and resources to interview and recruit people, all of which has to be repeated if a candidate has misrepresented his or herself. “It takes about 23 and a half hours per candidate,” says Nick Shah, founder and president of Peterson Technology Partners. “If you interview 10 people, that’s over 230 hours. That’s a lot of manpower. If that person stays with you for six months, you are paying that person a crazy amount of salary, just to find out that they were fresh out of school.”

There have also been instances of candidates applying with ulterior motives. Here, the goal is not just a shortcut on their career path, but to access commercially sensitive information. Although such industrial espionage is rare, it is nonetheless a viable threat.

“Companies that deal with critical infrastructure could be at risk of employing people with the ability to wreak havoc on a national scale, whereas companies that deal with financial or personal information could be at risk of losing confidential information,” says Dave Lear, a lead security architect at an end-user organisation. “Either of these scenarios could lead to sanctions or penalties and reputational harm, which could, in turn, affect the company’s ability to continue operating.”

Rapid advances in computing mean that the technology sector has a competitive recruitment market and remote working has meant that recruitment is no longer bound by area, leading to more applicants.

“Talent has always been pretty high, even before the pandemic,” says Shah. “It did take a pause when the pandemic hit, but after three months it was back to organisations hiring best talent.  The pandemic opened up room to hire people who were not in the same area – that escalated the demand.”

In-person vs remote interviewing

Following the shift to remote working during lockdowns, interviews were conducted online using tools such as Microsoft Teams or Zoom.

Interviewing remotely has provided candidates with opportunities to deliberately misrepresent themselves. There have been instances of people using third parties to provide them with answers through an earpiece, and even cases of the person who was successfully interviewed not being the person who was actually recruited.

Several steps can be taken to mitigate the risk of fraudulent candidates. Interviewing candidates in person helps significantly, because it reduces the opportunity for candidates to use external means to misrepresent themselves. “If a candidate is invited to interview, body language can often say more than the words that candidate uses,” says Lear. “Use of defensive positioning or answering questions vaguely could be signs of a nervous individual, either because of attempts to hide the truth or simply that they are uncomfortable in formal situations.”

However, the widespread adoption of remote and hybrid working has meant that in-person interviews are not always a viable solution. Online interviews should always be conducted in such a way that the candidate is clearly visible and not wearing any headphones. “They have to be on their computer, speaking directly into the machine,” says Shah. “There should be enough light in the room so that you can see their mouth moving. If candidates are having technical difficulties, where they are unable to share their screen or turn on their video, I will ask them to reschedule it when they have all of this available. Otherwise, I will not proceed further with the interview.”

Vetting and background checks

Basic background checks are useful, but they can only go so far and do not necessarily confirm identity. “Careful vetting of employees is vital to ensure that you have the right people in the company,” says Lear. “Using basic employment checks – right to work, and so on – can be useful, but it’s worth considering enhanced checks, such as identity, financial and criminal record checks. These will be dependent on the company and role applied for, but in my experience, they can be important in ensuring that candidates have a valid reason for applying.”

Vetting to confirm the candidate’s identity, along with his or her experience and qualifications, requires examining the candidate’s background details by contacting the organisations and people involved. “I’ve seen a rise in emails coming to me about former employees,” says Tankard. “They are tracing back their CV to previous companies.  We’ve got to become more sophisticated in doing these checks.”

Some fields, such as defence and intelligence services, have mandatory security vetting requirements. “In my field, it is a requirement to hold a National Security Clearance for any role,” says Lear. “I have discovered individuals who have had their clearance suspended or withdrawn for various reasons. In this case, it was easy to discover, as the UK Security Vetting [UKSV] agency will contact the employer to disclose this information, even if the individual does not.

“In every case, these individuals have been suspended from work, pending an investigation, after which they have either been reinstated or removed from the company, depending on the outcome. It would not be as easy to discover such cases if the UKSV was not involved. However, watching out for the warning signs is vital to ensure the safety of the company and all its employees.”

Background checks are not foolproof. If a candidate has not been convicted of a crime, then a standard CRB check will come back negative – for example, allegations and pending matters are not highlighted in these. Any discrepancies found in the candidate’s background may be indicative of misrepresentation, and require further investigation.

Each organisation needs to determine the appropriate level of CRB checking, but also to never rely purely on background checks for detecting fraudulent candidates. Instead, an ongoing vigilance for potential security risks should be applied.

Access management and network monitoring

It is here that identity and access management systems will prove their worth, because they can designate a new employee’s permissions. These access rights should only allow employees to access information they need in order to perform their duties. Naturally, an employee’s role expands and evolves over time. As such, these access rights need to be reviewed regularly, with redundant permissions discontinued when no longer required.

Network monitoring systems can be used to detect suspicious network behaviour. The machine learning algorithm generates an acceptable behaviour pattern for employees.  “You build up a picture over a period of time of a person’s working pattern – the time they start and finish, data they access, their routes around the network,” says Tankard. “Quite often, you will pick up if they are trying to get into places they’re not allowed.”

Any subsequent user behaviour within the network that is not within the accepted boundaries, such as attempting to access restricted information or attempting large downloads outside of normal business hours, will notify the network managers.

Employee monitoring is another option, but it is important to note that any workplace surveillance should never be overbearing. Not only would this generate a large amount of data that needs to be curated and reviewed, but it will also impact employee morale because of perceived lack of trust.

In an office environment, the first indicators of potentially suspicious activity will be witnessed by colleagues. This includes employees asking about information that is not related to their role. Remote working can make detecting suspicious activity more difficult, but it also reduces the risk of physical eavesdropping or use of another’s password.

Whistle-blowing process

Whistle-blowing has become stigmatised in recent years, as a whistle-blower can be viewed as a “snitch”, when in reality they are just concerned. Providing an anonymous whistle-blowing process allows employees to report their concerns without sharing personal details.

“A lot of companies have a whistle-blowing policy,” says Tankard. “They are obviously encouraging people, if they have a concern, or they feel that there is something wrong, to be able to go somewhere and not be vilified for doing it.”

Most of the time, these reports will be inconsequential and explained by a simple oversight or curiosity about the organisation as a whole. However, some reports may be indicators of potential malicious activity and warrant further investigation. Having reporting policies in place for such eventualities allows organisations to respond to concerns swiftly.

Although interviewing candidates in person negates many risks associated with online interviews, it limits the scope of applicants. With the appropriate measures in place, organisations can remotely interview people from a geographically unconstrained talent pool, while protecting themselves from misrepresentation and malicious activities.

Read more on IT risk management

Data Center
Data Management