How well do you know your remote IT worker?
Is the remote IT worker you recently hired really who he says he is? Fake IT workers are slipping into companies around the world, gaining access to sensitive data.
Recently, more of these schemes have been linked to North Korea. They don’t just steal crypto or deliver malware. Now, they log into your systems as employees. This is no longer just a cybersecurity issue; it’s a growing geopolitical threat.
There may be hundreds of thousands of these workers deployed globally, though precise numbers are hard to verify. The U.S. Treasury, State Department, and FBI estimate that the IT worker scam has generated hundreds of millions of dollars each year since 2018.
Although US companies were their primary targets, North Korean IT workers have started expanding their activities to the rest of the world, especially Europe. This shift is likely due to pressure from American law enforcement agencies that are exposing these activities.
How they do it
Using stolen credentials or fake identities, these actors are often hired as remote contractors, since there’s no need to appear in person or attend on-site interviews.
They use AI to make deepfakes for video interviews. AI also helps them overcome language barriers by improving résumés and eliminating poor grammar.
To increase their chances of success, they’ve built an entire support network:
- People running IT staffing companies that help them get hired
- Laptop farms that hide their real location
- Individuals who receive salaries in legitimate accounts, then forward the money onwards
Risks and consequences
Once inside your organization, these fake IT workers can compromise systems and exfiltrate data.
Installing malware or creating backdoors can give them long-term access, even if their initial access is revoked. Depending on the access they gain, they can steal intellectual property or leak sensitive corporate strategies.
They are also well placed for social engineering: appearing as trusted employees, they can, for example, pretend to be a tech support coworker and ask for passwords or access codes.
Before this became a major concern in corporate circles, these workers could slowly slip into companies without raising suspicion. That’s no longer the case, since being discovered early on could lead them to take revenge or resort to blackmail.
How to protect your organization
There’s a lot of finger-pointing when one of these workers slips into an organization. Did HR miss something during hiring? Or did the IT and security teams fail to catch the signs early?
HR is the first line of defense in hiring, but with remote jobs, spotting this kind of fraud isn’t easy. That’s why even a basic security check or a second opinion from someone with technical knowledge can make a big difference.
Insist on caution. Human judgment plays a crucial role. Too often, we focus only on positive traits when assessing someone, which can lead us to overlook potential red flags. Security awareness training must be comprehensive, ensuring staff are equipped to recognize and report anomalies.
Enforce the principle of least privilege. Give people access only to what they need to do their jobs. Nothing more. Check access rights often and remove anything unnecessary. This helps block fake workers from getting too much control.
Monitor for unusual behavior. Track login times, IP addresses, and data access patterns. Flag remote workers who suddenly log in from unexpected countries. Watch for unusual file downloads, system changes, or unauthorized software installations.
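The login monitoring described above, sketched as an added example (not code from the original article): it learns each user's usual countries, source IPs and login hours from a baseline period, then flags later logins that deviate. The log format, the geo-IP country field, the user names and the cutoff date are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real logs: UTC timestamp, user, source IP, and a
# country code assumed to come from an upstream geo-IP enrichment step.
SAMPLE_LOG = """\
2025-03-03T08:05:00 alice 192.0.2.10 DE
2025-03-04T09:10:00 alice 192.0.2.10 DE
2025-03-03T14:00:00 bob 198.51.100.7 US
2025-03-04T15:30:00 bob 198.51.100.7 US
2025-03-10T08:30:00 alice 192.0.2.10 DE
2025-03-10T03:15:00 bob 203.0.113.50 BR
2025-03-11T14:20:00 bob 203.0.113.50 US
2025-03-11T09:00:00 carol 192.0.2.99 FR
"""

def parse(log):
    rows = (line.split() for line in log.strip().splitlines())
    return [(datetime.fromisoformat(ts), user, ip, cc) for ts, user, ip, cc in rows]

def build_baseline(events, cutoff):
    """Learn each user's usual countries, IPs and login hours before cutoff."""
    base = defaultdict(lambda: {"cc": set(), "ip": set(), "hour": set()})
    for ts, user, ip, cc in events:
        if ts < cutoff:
            for key, value in (("cc", cc), ("ip", ip), ("hour", ts.hour)):
                base[user][key].add(value)
    return base

def detect(events, base, cutoff, hour_slack=2):
    """Return (timestamp, user, reasons) for post-cutoff logins that deviate."""
    alerts = []
    for ts, user, ip, cc in (e for e in events if e[0] >= cutoff):
        seen = base.get(user)
        if seen is None:  # no history for this account: send to manual review
            alerts.append((ts.isoformat(), user, ["no-baseline"]))
            continue
        # Circular distance so 23:00 and 01:00 count as two hours apart.
        gap = min(min(abs(ts.hour - h), 24 - abs(ts.hour - h)) for h in seen["hour"])
        checks = [("new-country", cc not in seen["cc"]), ("new-ip", ip not in seen["ip"]),
                  ("off-hours", gap > hour_slack)]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            alerts.append((ts.isoformat(), user, reasons))
    return alerts

CUTOFF = datetime(2025, 3, 8)  # constructed split between baseline and monitored period
EVENTS = parse(SAMPLE_LOG)
ALERTS = detect(EVENTS, build_baseline(EVENTS, CUTOFF), CUTOFF)
```

A new source IP on its own is a weak signal for remote staff; the alerts worth triaging first are those where several reasons coincide on one login.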
Carefully review vendors and third-party recruiters. Some fake IT workers enter through staffing agencies. Vet the agencies you use and ask for details about their screening process. Don’t rely only on outsourced hiring for technical roles unless you fully trust the partner.