INSIDER FEATURED ARTICLE
Scamming the boss: Some employees are outsourcing their jobs to other people. Here's how companies are spotting the fraudsters.
By Rebecca Knight
- As remote work provides opportunities for fraud, some employees are outsourcing their jobs.
- Staffing executives say the practice is more common in IT, coding, and developer roles.
- Experts say this fraud poses risks, particularly when the work involves confidential company data.
It didn't take long for Khuram Raza Zakhaif, an independent cloud-computing consultant in Lahore, Pakistan, to realize something was fishy.
A German employee at a large chipmaker contacted him through the freelancer site Upwork because he needed help on some connectivity issues he was dealing with. The two signed a nondisclosure agreement and arranged a video call.
Then things got weird. When Zakhaif asked the employee basic questions about the chipmaker's system configurations, the employee forwarded him recordings from internal team meetings and his personal login credentials and passwords.
Zakhaif was wary. "I told him, 'You could get in trouble if you let me use your identity to impersonate you,'" he said. The employee said it wasn't a big deal, and he'd pay Zakhaif to do the job.
Zakhaif balked. "Then he became argumentative — he said in Germany it's common to outsource your job, he's done it multiple times, and all his colleagues do it, too," Zakhaif said. "I told him, 'Dude, I'm out.'"
When Zakhaif posted about the experience on Reddit, other freelancers messaged him with similar stories. "I guess it is more common than I realized," he said.
Even before the pandemic ushered in the Zoom era, remote work offered opportunities for employees to deceive their employers by working fewer hours than they were contracted to or working for multiple organizations at once. Today, the rise of remote hiring and work combined with an acute labor shortage has provided an opportunity for fraudsters to outsource their jobs to other people.
Research suggests that employee and job-candidate fraud
— for instance, people impersonating prospective workers or getting others to take their cognitive or coding tests for them in order to get hired — has risen recently, though it's difficult to monitor. Data on the incidence of people outsourcing their jobs is hard to come by, but anecdotal evidence from company executives suggests the practice is on the rise.
Experts say this fraud can pose severe risks for companies, especially when the work involves confidential company and customer data. Some observers say the fact that some rogue employees are doing this could signify an even bigger problem: Nearly 2 1/2 years into the remote-work revolution, employers do not have a good handle on managing their remote workforces.
Subtle signs the work is being outsourced
Outsourcing isn't uncommon in fields such as investment banking and consultancy, but it's done with the knowledge and financial support of employers. The problem for companies is when employees outsource their jobs without their organization's awareness, and pay out of their own pockets.
The phenomenon is not new. In 2013, Verizon's security team said it found that an American programmer who had outsourced his job to workers in China and watched cat videos at the office all day — a story that briefly set the internet ablaze.
Cameron Edwards, the senior vice president of client strategy and operations at the staffing agency Matlen Silver, a staffing agency, screens applicants for full-time jobs at Fortune 500 companies. She said that the practice is most common in technical, IT, coding, and developer roles and that the employees pulling these kinds of scams are often people authorized to work in the US and western Europe and therefore earn a relatively high salary. They get hired at large companies as full-time in-house technology consultants and then outsource their jobs or aspects of them to workers in lower-cost countries and pay them accordingly.
She said that before the pandemic she occasionally became aware of employees working two or more 40-hour-a-week contracts from different companies, sometimes competitors — but that the frequency has risen in the past couple of years.
"As the world has evolved to become more hybrid and remote, it's just that much easier to pull off," she said, adding that recently several clients have told her about newly hired employees who were outsourcing their jobs to others. "Nothing surprises me anymore."
Edwards said that from the employer's perspective, there are a few signs that outsourcing might be taking place — for instance, the work takes excessive time to complete, or it's done at odd hours, or the employee offers excuses for why they can't hop on the phone or be on camera.
There are other suspicious signs: A company's IT department might flag that an employee has forwarded work to a personal email, or it could discover through IP activity that the employee's credentials are being used to access the company's computer systems from afar.
"Managers are looking for signs more and more," she said. "Honestly, I think it's why you hear so many executives saying that we have to get back to the office. It's challenging to monitor this in a remote environment, and they're tired of being burned."
A nefarious side hustle
Many American workers have a side gig or entrepreneurial venture. Employers are generally powerless to do anything about these second jobs as long as they don't affect their employees' work and don't involve work for a competitor.
But Josh Bersin, an HR-industry analyst, says that employees generally aren't allowed to subcontract any part of their regular 9-5 jobs and that the practice is a fireable offense. "Every employer I talk to considers 'remote' as a location — not a work arrangement," he said, meaning remote workers must abide by the company's rules.
All this raises some questions: Why are people doing this? And why do they think they can get away with it?
The fraudsters are not forthcoming, but industry insiders have a few theories.
Vik Kalra, a cofounder of Mindlance, a staffing firm focused on placing highly skilled contractors at Fortune 1000 companies, said he's twice seen cases where an employee hired to do the job was not the person doing it.
He speculated that the employees were underqualified for their roles and the only way they could fake it was by getting help from an outsider, or they wanted to make more money by working multiple jobs at once.
Kalra said the scammers he's heard about probably didn't worry too much about getting caught, because even if they were let go, the tight labor market means it's relatively easy to get another job as a coder or developer. "But for now, the only disincentive is that they get fired from a consulting job. That's not enough."
Stopping security risks
Experts say that job outsourcing can make organizations more vulnerable to security breaches.
Lou Shipley, a former CEO of Black Duck, an open-source security company, and a senior lecturer at Harvard Business School, said the practice creates more opportunities for bad actors to infiltrate a company's proprietary systems and makes companies more vulnerable to broader attacks and theft of company data.
The research-and-consulting firm Gartner has suggested that the "ever-expanding digital footprint of modern organizations" is one of the top cybersecurity trends of 2022. It said large numbers of remote workers combined with greater use of public cloud and highly connected supply chains "have exposed new and challenging attack 'surfaces'" within companies.
Shipley said purposeful or accidental data leakage, where information is leaked by someone who hasn't been trained, is one possible problem. The company is also more susceptible to intellectual-property theft.
Mitigating the risk isn't easy, but experts say there are a few things companies can do. For starters, they should issue secure work devices, which ought to come with antivirus software and automatic updates and include tracking software that can ensure files in the company intranet or the work produced by employees are not shared outside the organization.
"Computer infrastructure needs to be centrally managed and controlled by the company," said Michael Corby, a former chief information officer who now consults with companies on information-security and privacy risks.
Organizations should also make sure all employees communicate communicate through encrypted channels, typically by using a virtual private network, or VPN, to help preserve data integrity and security. Along those lines, all employee correspondence should include a digital signature, which can validate the sending and receiving parties.
Crucially, Corby said, organizations need to remain vigilant about keeping their data secure and private, usually by IT and risk management. "There needs to be someone accountable for operations integrity," he said. "Otherwise you don't know what you don't know."
Kalra went even further: He said the growing incidence of job outsourcing is an indication that many employers have yet to figure out how to effectively manage their remote workforces. He said there needs to be more training on technology protocols and data privacy and a greater focus on developing the skills necessary to govern remote and hybrid workers.
"As it stands, remote work at a lot of organizations is seen as an individual right, but it needs to be seen as a privilege with a lot of restrictions," he said. "The whole system is built on trust, but it's not sustainable."