Is your contractor who you think they are?

I will admit that this is a question that is pretty new to me. While we have all seen a scam or two over the years, I am pretty surprised to discover that there are domestic “Companies” that will facilitate completely fraudulent contractor relationships.

There appear to be two significant goals for the malicious actor:

The first is to get paid market rates as a contractor. I am guessing that the work can be performed remotely, without a lot of supervision, and is specialized or difficult enough to warrant a company looking for a contract employee. We live in a time where staffing companies are everywhere, doing effective and legitimate work, meaning it is easy to blend in.

The second motive is more dangerous—scanning networks, installing malware, manipulating files, and ultimately exploiting an organization’s systems. Even great corporate security teams are going to have a hard time managing users who hold some sort of elevated internal privilege. Users, legitimate or not, expect to have access to the systems that companies are paying them a lot of money to use. Sorting out bad internal actors is the kind of responsibility that gives a company’s security team (or its outsourced MSP) ulcers.

What was particularly surprising was that these domestic companies knew exactly what they were doing. It seems like the riskiest way to make a buck that I have ever heard of, and I am pretty sure that the DOJ isn’t going to go lightly on the offenders.

But who knows? Some companies might not want the embarrassment of having fallen for a scheme like this.

So, what is to be done?

  1. We might actually have to start reading resumes again, looking for inconsistencies.
  2. We probably want real phone numbers, Zoom meetings with the cameras on, and availability for check-ins. Are we FedExing any gear to the address on the resume? It wouldn’t make sense to send it someplace else, would it?
  3. Consider implementing a Zero Trust IT security model. Adding this layer of security has been shown to prevent data breaches, and it limits what a contractor can reach even with a legitimate account. Aspects of this model include multi-factor authentication, device access control, least-privileged access, continuous monitoring, and more.
  4. Ensure organizational firewalls, security patches, and malware prevention devices and software are up to date.
  5. Reconsider reliance on unknown staffing firms and vet any firms you may work with. A good, simple check is to ask about business insurance and to get added as a certificate holder.
  6. Finally, a good data backup is your last line of defense. Modern backup systems can store data on an immutable medium, preventing ransomware or nefarious actors from altering the data.

Good grief, this is nuts.