Two weeks ago, I was fortunate enough to attend the first ever SmileyCon hosted by TrustedSec. The conference featured keynotes from Diamond Dallas Page (WWE champion and Hall of Famer) and David Kennedy (Founder and CEO of TrustedSec), networking opportunities, and sessions on security strategies and wellness, held at TrustedSec's headquarters in Fairlawn, Ohio. During one of the networking breakfasts, I was catching up with a prospective client and generally asked how their expansion plans were going. His response caught me by surprise.
He went on to say that he recently reported a potential fraud to the DOJ FBI Cyber Task Force that resulted in North Korean Nationals being indicted for carrying out a multi-year fraudulent IT workers scheme. The scheme involved conspirators using false identities to obtain remote IT jobs with US companies to generate millions of dollars, stealing sensitive company information, and extorting employers by threatening to leak the information unless they paid. The proceeds were funneled through US and Chinese financial systems to benefit the North Korean Government.
I probed my contact to share more details. I wanted to know the root cause of his suspicion and also wondered if they actually hired any of these fake remote employees. He went on to explain that during their onboarding process they perform background checks, mostly as a formality, as the results hardly ever disqualify a candidate from receiving their formal offer letter for employment. For a few candidates, however, the background check returned rather interesting results. The one that tipped off my contact was a candidate with the same name applying for different roles (totally fine) but with multiple addresses listed as full-time residences. As my contact dove deeper, he suspected one of the residential addresses was located in a business center near a “laptop farm” in Miami, FL.
A few days after the suspicion was reported to the DOJ and FBI cyber task force, our contact heard back from the FBI saying his report was one of many that helped the task force indict two North Korean Nationals and three facilitators for a multi-year fraudulent remote IT worker scheme (https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote).
So, what were the lessons learned? Well, our contact explained that the results of the background checks are under a higher level of scrutiny. Our contact also pays additional fees for the background checks to include deeper analysis into residential addresses, death audits (checking to see if the name and SSN are registered in the state obituary database), and other details. Furthermore, our contact said they require interviewers to ask candidates to wave their hand in front of their face during the video interviews to help identify potential AI deepfakes.
Don’t lose sight of the basics. During our SOC 2 testing procedures, we usually see controls around background checks and reference checks being performed as part of the onboarding process. This is a simple control that can often be overlooked depending on the job you are hiring for (e.g., a remote IT support position). These controls are in place to reduce risk to an acceptable level. Take pride in performing these controls and maintaining your information security program. Your future self will thank you.