A few weeks ago, Steven Trippier, CISO at Anglian Water Services, received a connection request through LinkedIn that jarred with him. Someone who identified as “founder at Marketing Poppy” asked if Trippier would take the sender’s place in an interview for a US cybersecurity job. In return, Trippier would receive half of the salary.
“You do all the interviews & do your best to land the job,” the message read. “I apply for you, just do the interviews & get the job. I’m doing this w/others and they make $$$, you can outsource the work.”
Trippier did not reply to the message, deeming it suspicious, and reported it to LinkedIn. But after sharing a screenshot with his network, he discovered that a number of his peers had received the same message. He was left wondering – was he the target of some kind of scam or are technology professionals actually outsourcing their own jobs?
Scam or self-outsourcing?
LinkedIn is certainly used by scammers to extract valuable information from their targets. The UK’s security agency MI5 recently reported that thousands of Britons have been approached on the site by fake profiles linked to hostile states to steal business secrets. Posing as recruiters or talent agents with common connections, these spies entice their targets with appealing offers to trick them into sharing valuable information. The UK’s Centre for the Protection of National Infrastructure has issued new guidance to help LinkedIn users spot and avoid such scams.
However, cybersecurity professional Philip Winstanley, who received the same message as Trippier, does not believe that he and other recipients are the targets of a scam. “I believe it is not a scam – or rather not a scam of me, but a scam of employers downstream,” he says.
After he posted the message, Trippier says he received replies from peers who have heard stories of tech workers ‘outsourcing’ their own work. “I hadn’t really heard of it, but I’ve subsequently seen through people replying to my post about other situations… where people have genuinely been doing the work of other people from some kind of offshore environment,” says Trippier. “It just seems a really unusual way of going about it.”
The best-known example dates back to 2013, when a US software developer was found to be outsourcing his job to a consulting firm in China for a fifth of his six-figure salary. He was discovered when his employer noticed anomalous activity on its virtual private network (VPN), coming from the city of Shenyang. The initial suspicion was that the company’s intellectual property was being stolen.
Still, it is unknown how widespread this practice is. As a curious cybersecurity expert, Winstanley wanted to engage with the sender to understand how the proposed arrangement would work. “It’s not something I would have actually done because it goes against my personal values in every way, shape and form,” he says. “But I was very interested to know how they were doing things like identity verification and bypassing that from an employment-check point of view.” By the time Winstanley replied to the sender, however, their profile had been taken down.
Although the message was met with surprise and alarm by many recipients, Winstanley believes that some tech workers might be tempted to take the money. Trippier, meanwhile, wonders why anyone would use this approach to get a job they are not qualified for.
“It seems like a huge risk for some random person that you’ve never met… working under your name and putting your reputation at risk with no oversight over the quality of their work or their ability or integrity,” he says.
Cybersecurity skills crisis
Duncan Smorfitt, division director at recruitment consultancy Robert Half, says these scams, which take advantage of the shift to remote working, are the result of a “chronic digital skills shortage”.
In the UK alone, the number of young people taking IT subjects at GCSE has dropped 40% since 2015 – a sign that the country is headed towards a digital skills shortage “disaster”, according to the Learning & Work Institute. In a global survey of IT decision-makers by security vendor McAfee, 82% said there is a shortage of cybersecurity skills, and 53% said the shortage is worse than talent deficits in other IT fields.
“It’s easy to see why desperate hiring managers might be intrigued by LinkedIn messages offering access to skilled people,” says Smorfitt. “But, as the saying goes, if it sounds too good to be true, it probably is.”
To end these scams, Smorfitt’s advice to employers is to invest in staff training. He highlights a mismatch in expectations: 70% of UK graduates expect their employer to pay for digital upskilling but half of businesses do not offer such training. “The situation is only going to get worse until we see wholesale changes from both the public and private sectors.”
When asked what action it takes against these messages, LinkedIn said: “Our Professional Community Policies make clear that we do not allow scams, and members must follow the law. We utilise a number of technical measures to protect our members from abuse, including scams. And we enforce our policies, which are very clear: fraudulent activity with an intent to mislead or lie is a violation of our terms of service. We also encourage our members to report any messages or postings they believe are scams to us so we can investigate.”