View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 27, 2021updated 31 Mar 2023 4:22pm

‘I apply for you, you get the job.’ Are ‘self-outsourcing’ offers a scam?

In a suspected attempt to defraud employers, cybersecurity professionals have received offers to help fake candidates win jobs then outsource the work.

By Cristina Lago

A few weeks ago, Steven Trippier, CISO at Anglian Water Services, received a connection request through LinkedIn that jarred with him. Someone who identified as “founder at Marketing Poppy” asked if he would take his place in an interview for a US cybersecurity job. In return, Trippier would receive half of the salary.

“You do all the interviews & do your best to land the job,” the message read. “I apply for you, just do the interviews & get the job. I’m doing this w/others and they make $$$, you can outsource the work.”

Trippier did not reply to the message, deeming it suspicious, and reported it to LinkedIn. But after sharing a screenshot with his network, he discovered that a number of his peers had received the same message. He was left wondering – was he the target of some kind of scam or are technology professionals actually outsourcing their own jobs?

Self-outsourcing scam

MI5 has warned that spies are using LinkedIn to steal secrets but ‘self-outsourcing’ offers are most likely intended to defraud employers. (Photo by Travel man/Shutterstock)

Scam or self-outsourcing?

LinkedIn is certainly used by scammers to extract valuable information from their targets. The UK’s security agency MI5 recently reported that thousands of Britons have been approached on the site by fake profiles linked to hostile states to steal business secrets. Posing as recruiters or talent agents with common connections, these spies entice their targets with appealing offers to trick them into sharing valuable information. The UK’s Centre for the Protection of National Infrastructure has issued new guidance to help LinkedIn users spot and avoid such scams.

However, cybersecurity professional Philip Winstanley, who received the same message as Trippier, does not believe that he and other recipients are the targets of a scam. “I believe it is not a scam – or rather not a scam of me, but a scam of employers downstream,” he says.

After he posted the message, Trippier says he received replies from peers who have heard stories of tech workers ‘outsourcing’ their own work. “I hadn’t really heard of it, but I’ve subsequently seen through people replying to my post about other situations… where people have genuinely been doing the work of other people from some kind of offshore environment,” says Trippier. “It just seems a really unusual way of going about it.”

The best-known example dates back to 2013, when a US software developer was found to be outsourcing his job to a consulting firm in China for a fifth of his six-figure salary. He was discovered when his employer noticed anomalous activity on its virtual private network (VPN), coming from the city of Shenyang. The initial suspicion was that the company’s intellectual property was being stolen.

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Still, it is unknown how widespread this practice is. As a curious cybersecurity expert, Winstanley wanted to engage with the sender to understand how the proposed arrangement would work. “It’s not something I would have actually done because it goes against my personal values in every way, shape and form,” he says. “But I was very interested to know how they were doing things like identity verification and bypassing that from an employment-check point of view.” By the time Winstanley replied to the sender, however, their profile had been taken down.

Although it was met with surprise and alarm by many recipients, Winstanley believes that some tech workers might be tempted to take the money. Trippier, meanwhile, wonders why anyone would use this approach to get a job they are not qualified for.

“It seems like a huge risk for some random person that you’ve never met… working under your name and putting your reputation at risk with no oversight over the quality of their work or their ability or integrity,” he says.

Cybersecurity skills crisis

Duncan Smorfitt, division director at recruitment consultancy Robert Half, says these scams, which take advantage of the shift to remote-working, are the result of a “chronic digital skills shortage”.

In the UK alone, the number of young people taking IT subjects at GCSE has dropped 40% since 2015 – a sign that the country is headed towards a digital skills shortage “disaster”, according to the Learning & Work Institute. In a global survey of IT decision-makers by security vendor McAfee, 82% said there is a shortage of cybersecurity skills, and 53% said the shortage is worse than talent deficits in other IT fields.

“It’s easy to see why desperate hiring managers might be intrigued by LinkedIn messages offering access to skilled people,” says Smorfitt. “But, as the saying goes, if it sounds too good to be true, it probably is.”

To end these scams, Smorfitt’s advice to employers is to invest in staff training. He highlights a mismatch in expectations: 70% of UK graduates expect their employer to pay for digital upskilling but half of businesses do not offer such training. “The situation is only going to get worse until we see wholesale changes from both the public and private sectors.”

When asked what action it takes against these messages, LinkedIn said: “Our Professional Community Policies make clear that we do not allow scams, and members must follow the law. We utilise a number of technical measures to protect our members from abuse, including scams. And we enforce our policies, which are very clear: fraudulent activity with an intent to mislead or lie is a violation of our terms of service. We also encourage our members to report any messages or postings they believe are scams to us so we can investigate.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU