Biggest thing you can do is just ensure you conduct at least 1 on-site interview, and make sure that interviewer is in a position to realize if the person they met is not the same one who shows up for other interviews and/or the work. Cost of a flight is nothing really compared to recruiting and hiring (and if you really are fully-remote and geographically distributed, you probably already have somebody in their metro area), on-sites used to be standard.
I mean, it's not the biggest thing you can do; you could start selling to the government, become a cleared contractor, and then you could require a USG security clearance for job applicants.
I would call the on-site interview and/or minimal background check "the most Pareto-frontier thing you can do."
How much of that would you get from just using E-Verify? That doesn't find criminal issues like a security clearance does, but seems like it would at least reduce the pool of nefarious applicants by a significant margin.
Just make them show up in person at least once for onboarding. They're not going to fly out from China or Russia (where they tend to be based) to do this; especially not to the US.
Verify their ID in person, issue their laptop etc in person, make sure someone who interviewed them is there to meet and greet them (and attest that it's the same person they talked to.)
If you can at least do a final interview in person also, then that's even better.
Start with a fingerprint check before you even talk to them.[1] Then ask for a REAL ID at the interview, take fingerprints again, and match with the ones from the pre-screen fingerprint check. You need to be signed up with a driver's license verification service to validate the ID.[2]
It takes that level of verification to become a security guard or a school bus driver. Anybody in computer security should be doing this.
I live in China, a supposedly autocratic country and one with universal ID, and even companies here don't take fingerprints. ID will be shown when you are officially onboard. I can't say for all, but for most companies (at least the ones without the need for a security clearance), requiring ID at interview will be seen as a red flag, and requiring fingerprint would probably be put on social media and name shamed, if not straight up reported to the authorities.
> I live in China, a supposedly autocratic country and one with universal ID, and even companies here don't take fingerprints. ID will be shown when you are officially onboard. I can't say for all, but for most companies (at least the ones without the need for a security clearance), requiring ID at interview will be seen as a red flag, and requiring fingerprint would probably be put on social media and name shamed, if not straight up reported to the authorities.
You're in a much more authoritarian country, and that would be using your non-universal, national ID. How do you authenticate someone coming in from overseas?
Answer: your authoritarian government doesn't let them in, or authenticates them for you in a joint process with your HR department.
For overseas workers, a. it is quite difficult for foreigners to get a working visa in China (though I suppose it's more of an immigration issue rather than the country being authoritarian); b. companies would probably use their passports. So you're kind of correct. However, my point still holds: fingerprints for interviewees, even in China, is at best extremely uncommon, and at worst (?) illegal in most cases.
Btw, I am nitpicking here, but by universal I meant used across the whole country, i.e. national.
I have some experience working for financial institutions with access to highly confidential information, and haven't been required to produce my fingerprint for, like, ever.
Again, I can't say for all, and I'm sure there are certain companies and positions which require such measures, but I could not imagine requiring fingerprints (or even ID during interview) to be acceptable in most cases.
You didn't have to do an in-person background check that included fingerprinting? When I worked at a bank this was required. It was run by a third party company not at the office.
No, but I didn't deal with money directly. I dealt with corporate governance and capital market related information for the company, so perhaps other people needed to have their fingerprints taken.
You probably worked in divisions where the auditors didn’t issue a finding yet, or outside the regulatory scope.
It’s pretty common in finance, government and human services. Amazon is very aggressive with this - contractors in their facilities get regular background checks.
Usually the employee goes to a third party run by a company like Idemia to collect the biometric. I can't imagine not collecting the ID information of prospective employees - that's just asking for fraud.
In a high security environment, you can get a report from law enforcement; in the Netherlands this is called a "declaration around behaviour" (??), which is basically a signed / authenticated document saying "this person was not involved in financial crimes" - you need to have it specified for a category of crimes, the previous is for example one I had to get to work at a bank as a contractor.
The way it worked for a real US high security job (TS/SCI) was that the clearance process was totally separate from the employer. The fingerprints and polygraph exams were done off premises. The famous SF-86 form[1], all 130 pages, had to be filled out, but nobody at the employer ever saw it. The checking and processing were done by the FBI or a unit in DoD.
(The current SF-86 only wants your residence addresses for the last 10 years. Used to be "List all residences from birth".)
The latest advice about spotting at least North Koreans who apply under fake identities is asking them to comment on how fat Kim Jong Un is. Real North Koreans could not comment on that.
'According to Adam Meyers, CrowdStrike's senior veep in the counter adversary division, North Korean infiltrators are bagging roles worldwide throughout the year. Thousands are said to have infiltrated the Fortune 500.
They're masking IPs, exporting laptop farms to America so they can connect into those machines and appear to be working from the USA, and they are using AI – but there's a question during job interviews that never fails to catch them out and forces them to drop out of the recruitment process.
"My favorite interview question, because we've interviewed quite a few of these folks, is something to the effect of 'How fat is Kim Jong Un?' They terminate the call instantly, because it's not worth it to say something negative about that"'
The solution is just-in-time access controls, context-aware authorization for things like database access (i.e. given a justification with an approval workflow, the employee can access a user X for 2 hours). These are the guard rails against a rogue employee, by introducing friction.
I rolled out this level of controls at a big company and got pushback from the sales team -- they needed access to generate leads, do demos on the spot, etc. Was a hard fight and I lost.
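A minimal model of the just-in-time, approval-gated access described above, added here as an illustration (not code from the thread or from any product): a request names one customer record and a justification, a different person approves it, and the resulting grant expires after a fixed window. Resource names, user names and the ticket reference are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Maximum lifetime of a single just-in-time grant (the "2 hours" from the comment).
MAX_GRANT = timedelta(hours=2)


@dataclass
class AccessRequest:
    requester: str
    resource: str            # e.g. "customer/12345" (constructed identifier)
    justification: str       # free text, normally a ticket reference
    approver: Optional[str] = None
    approved_at: Optional[datetime] = None


@dataclass
class Grant:
    requester: str
    resource: str
    expires_at: datetime


def approve(req: AccessRequest, approver: str, now: datetime) -> Grant:
    """Turn an approved request into a time-boxed grant scoped to one resource."""
    if not req.justification.strip():
        raise PermissionError("a justification is required")
    if approver == req.requester:
        raise PermissionError("self-approval is not allowed")
    req.approver, req.approved_at = approver, now
    return Grant(req.requester, req.resource, now + MAX_GRANT)


def authorize(grant: Grant, requester: str, resource: str, now: datetime) -> tuple[bool, str]:
    """Decide a single access attempt; returns (allowed, reason) for the audit log."""
    if grant.requester != requester:
        return False, "grant belongs to a different user"
    if grant.resource != resource:
        return False, "resource not covered by grant"
    if now >= grant.expires_at:
        return False, "grant expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    g = approve(AccessRequest("alice", "customer/12345", "SUP-1 refund dispute"), "bob", t0)
    print(authorize(g, "alice", "customer/12345", t0 + timedelta(minutes=30)))
    print(authorize(g, "alice", "customer/12345", t0 + timedelta(hours=3)))
```

The friction the comment mentions is the approval step and the expiry; every denied attempt carries a reason so it can be logged and reviewed.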
I run an outsourcing agency, we work with US clients and have seen lots of fake applications (different degrees of sophistication), so far we have either rejected them right away, or we were able to filter them during (remote) interviews.
Definitely the 'regular' application procedures - check someone's ID, check their references, ideally meet them face to face, etc.
This is more tricky with remote-only jobs or worse, "gigs" where you don't even meet people. But also, I would've expected open source to be "infiltrated" a lot more than it has, since that's very much anonymous internet culture... but also a culture of code reviews and the like.
Yes, there are a lot of identifiers. They are improving a lot, so things are changing daily. There are certain steps to take pre-hiring and post-hiring. If you need help, share your email and I can provide details.
Young, naive and full of memes, parachuted into place from a billionaire, completely unaccountable and completely unaware of how to do anything securely.