How companies can recognize that employees are outsourcing their jobs
- Because remote work presents opportunities for fraud, some employees are outsourcing their jobs.
- HR leaders say the practice is more common in IT, programming, and developer roles.
- Experts say that this scam comes with risks, especially when it comes to sensitive company data.
It didn’t take long for Khuram Raza Zakhaif, an independent cloud computing consultant in Lahore, Pakistan, to realize something was amiss.
A German employee at a major chipmaker contacted him through the freelancer site Upwork because he needed help with some connectivity issues he was dealing with. The two signed a non-disclosure agreement and set up a video call.
Then it got weird. When Zakhaif asked the employee basic questions about the chipmaker’s system configurations, the employee forwarded to him recordings of internal team meetings as well as his personal access data and passwords.
Zakhaif was careful. “I told him, ‘You could get in trouble if you let me use your identity to impersonate you,'” he said. The clerk said it was no big deal and he would pay Zakhaif for the work.
Zakhaif balked. “Then he got argumentative – he said it was common in Germany to outsource his job, he’d done it several times, and all his colleagues do it too,” Zakhaif said. “I told him, ‘Dude, I’m out.'”
As Zakhaif posted about the experience on Reddit, other freelancers sent him similar stories. “I think it’s more common than I thought it would be,” he said.
Even before the pandemic ushered in the Zoom era, remote working offered opportunities for employees to deceive their employers by working fewer hours than contracted or working for multiple organizations at the same time. Today, the rise of remote hiring and working combined with an acute labor shortage offers scammers the opportunity to outsource their jobs to other people.
Research suggests so employee and job candidate scams — for example, people posing as potential employees or getting others to take their cognitive or coding tests for them in order to get hired — have increased recently, although this is difficult to monitor. Data on the prevalence of job outsourcing is hard to come by, but anecdotal evidence from business leaders suggests the practice is on the rise.
Experts say this scam can pose serious risks for businesses, especially when it comes to sensitive company and customer data. Some observers say that the fact that some rogue employees are doing this could spell out an even bigger problem: Nearly 2 1/2 years into the telecommuting revolution, employers are not good at managing their teleworkers.
Subtle signs that work is being outsourced
Outsourcing is not uncommon in areas like investment banking and consulting, but it is done with the knowledge and financial backing of employers. The problem for companies is that employees outsource their jobs without the knowledge of their organization and pay out of pocket.
The phenomenon is not new. In 2013, Verizon’s security team said it found it an American programmer who had outsourced his job to workers in China and was watching cat videos all day in the office — a story that short set the internet on fire.
Cameron Edwards, senior vice president of client strategy and operations at staffing agency Matlen Silver, a staffing agency, screens applicants for full-time positions at Fortune 500 companies. She said the practice is most common in technical, IT, programming, and developer roles, and that the employees who perform this type of scam are often people who are authorized to work in the US and Western Europe and are therefore a relative earn high salary. They are hired full-time by large corporations as in-house technology consultants and then outsource all or part of their jobs to workers in low-wage countries and pay them accordingly.
She said that before the pandemic, she occasionally became aware of employees working two or more 40-hour contracts a week from different companies, sometimes competitors — but that the frequency has increased in recent years.
“As the world has evolved into a more hybrid and remote environment, it’s a lot easier to pull this off,” she said, adding that several clients recently told her about new hires outsourcing their jobs to others. “Nothing surprises me anymore.”
Edwards said that from an employer’s perspective, there are some signs that outsourcing is occurring — for example, the work is taking an inordinate amount of time or is being done at unusual times, or the employee is offering excuses for why they can’t jump on phone or on camera.
There are other suspicious signs: a company’s IT department might report that an employee has forwarded work to a private email address, or they might discover through IP activity that the employee’s credentials are being used to send email from remote access to the company’s computer systems.
“Managers are looking for signs more and more,” she said. “Honestly, I think that’s why so many executives are saying we need to get back in the office. It’s a challenge to monitor this in a remote environment and they’re sick of being burned.”
A bad part-time job
Many American workers have a sideshow or entrepreneurial venture. Employers generally cannot object to these part-time jobs as long as they do not interfere with the work of their employees and do not involve work for a competitor.
But Josh Bersin, an HR industry analyst, says employees are generally not allowed to subcontract any portion of their regular 9-5 jobs and that it’s a felony criminal offense. “Every employer I speak to considers ‘remote’ a location — not a work arrangement,” he said, meaning remote workers must abide by company rules.
All of this raises some questions: why do people do this? And why do they think they can get away with it?
The scammers aren’t on their guard, but industry insiders have a few theories.
Vik Kalra, co-founder of Mindlance, a staffing services firm focused on placing highly skilled contractors with Fortune 1000 companies, said he’s twice seen cases where an employee hired to do the job wasn’t the person who carried him out.
He speculated that the employees were underqualified for their jobs and could only fake it by enlisting help from an outsider, or that they wanted to make more money by doing multiple jobs at once.
Kalra said the scammers he heard about probably weren’t too concerned about getting caught because even if they were fired, the tight job market means it’s relatively easy to find another job as a programmer or get developer. “But right now the only downside is they’re being fired from a consulting job. That is not enough.”
Stop security risks
Experts say job outsourcing can make companies more vulnerable to security breaches.
Lou Shipley, a former CEO of Black Duck, an open-source security firm, and a senior lecturer at Harvard Business School, said the practice creates more opportunities for bad actors to infiltrate a company’s proprietary systems and makes companies more vulnerable for broader attacks and theft of company data.
The research and consulting company Gartner suggested that the “ever-expanding digital footprint of modern organizations” is one of the key cybersecurity trends of 2022. It states that large numbers of remote workers, combined with increased use of the public cloud and highly connected supply chains, have ‘uncovered new and challenging attack vectors’ within organizations.
Shipley said intentional or accidental data leakage, where information is shared by someone who hasn’t been trained, is a potential problem. The company is also more vulnerable to intellectual property theft.
Mitigating risk isn’t easy, but experts say there are things companies can do. First of all, they should issue secure work devices, which should be equipped with anti-virus software, automatic updates, and contain tracking software that can ensure that files on the company’s intranet or the work created by employees are not shared outside the company.
“The computing infrastructure must be centrally managed and controlled by the enterprise,” said Michael Corby, a former chief information officer who now advises enterprises on information security and privacy risks.
Businesses should also ensure that all employees communicate over encrypted channels, typically over a virtual private network or VPN, to maintain data integrity and security. With that in mind, all employee correspondence should include a digital signature that can validate the sending and receiving parties.
Crucially, Corby said, organizations must remain vigilant to keep their data safe and private, usually through IT and risk management. “There has to be someone accountable for the integrity of the operation,” he said. “Otherwise you don’t know what you don’t know.”
Kalra went even further: He said the rise in job outsourcing is an indication that many employers are yet to figure out how to effectively manage their remote workforce. He said there needs to be more training on technology protocols and privacy, and a greater focus on developing the skills needed to manage remote and hybrid workers.
“As it stands, remote work is viewed as an individual right in many organizations, but it must be viewed as a privilege with many limitations,” he said. “The whole system is built on trust, but it’s not sustainable.”