How to be vigilant when vetting remote IT workers

Be careful who you hire to handle remote IT responsibilities, according to a recent advisory from the Department of Justice: Work-from-home tech teams may be helping to deploy something more deadly than code.

In an Oct. 18 memo, the DOJ announced a US seizure of 17 domains used by info-tech workers in North Korea to defraud businesses, beat sanctions, and funnel money to the country’s weapons program.

The memo is a stark reminder for the work-from-home workplace: Careful and stringent verification of IT employees, especially those who don’t have to come into the office, is now table stakes.

“At a minimum, the FBI recommends that employers take additional proactive steps with remote IT workers to make it harder for bad actors to hide their identities,” said FBI Special Agent in Charge Jay Greenberg, of the St. Louis Division, in the agency news release.

According to court documents issued in the Eastern District of Missouri, North Korea dispatched thousands of skilled IT workers, primarily to Russia and China, to take remote IT jobs, mostly developer positions, said FBI Public Affairs Officer Rebecca Naber in an email to IT Brew.

“They’re sort-of remoting into someone’s network and appearing as if they’re working from an IP address in, say, St. Louis,” Greenberg told the Riverfront Times.

The IT employees made millions of dollars for entities like the North Korean Ministry of Defense, which supports the country’s UN-prohibited WMD programs, according to the DOJ.

“More likely than not, if [companies] have augmented their IT workforce, they have employed one of these people and at a bare minimum, unknowingly funded North Korean weapons programs,” Greenberg added.

Where’s the remote? 1E, a London-based digital employee platform provider, has plenty of engineers that work from home. Ways for the company to verify hires include code assessments, as well as plenty of face time in regular “standup” developer meetings, and an “extensive onboarding process” that gets the new recruits meeting other members of the staff, said its Chief Technology Officer Ian van Reenen.

The FBI offered a list of remote red flags to watch out for, including an unwillingness to appear on camera, indications of cheating on code tests, or social media profiles that don’t match the employee’s résumé.

Aaron Tantleff, partner in the technology transactions, cybersecurity, and privacy, at the law firm Foley & Lardner, recommends that hiring managers always conduct video interviews, and to have the applicants hold up physical ID documentation on camera.

“I still have heard of companies interviewing candidates, whether it’s through their own recruiting, or the use of a third-party recruiting service or staffing service, that they only do it via phone,” Tantleff told IT Brew.

Another important best practices, according to Tantleff:

• Only allow company VPNs, not third-party ones that can disguise location
• Double-check addresses (is a new applicant’s “home” the same location as, say, a UPS store?)
• Do background checks on any staffing firms
• Where possible, require an in-person meetup for new hires

And one way to make vigilant verification a little easier: a referral.

“Probably around 80 to 90%, in fact, of the people we hire have been introduced to us by one of our staff members already,” van Reenen said.

When it comes to trusting employees, after all, who can be 100% certain?