This story is also more fun from my position. I've been applying to internships and interviewing every week. They're mostly rejections. They're the same questions over and over with minor variation (sorry to top comment for "impersonating" your comment style). My days are deteriorating from a colorful sphere down to two points. In fact, down to two pointers, left and right, iterating over a list of heights to find how much rain water it can trap.
I'm about to repeat the experience for the 10th time and I'm 100% on autopilot. But suddenly, a man reaches out to me on email and offers me up to $80/hr to be his senior engineer. This feels sketchy, my girlfriend tells me, "you're good but let's be honest here...". Anyways, I proceed, it might just be the start of a beautiful thing. I'm asked to interview as one of our developers because English is not their best language. I'm a little bothered, but I was fine with it. But then I see the developer name: Connor Tumbleson. My laughter bursts and so does my suspicion: With a name like that, no way the guy doesn't speak good English. I look up Connor Tumbleson on linkedin, and my suspicions were proved correct. I detail everything to Connor, and now this is on the top of HN. I lost a opprotunity but gained a story of the lifetime.
As important as having integrity is a community that prioritizes and fosters integrity. The HN community skipped the fostering part and went straight to giving me referrals and interviews. I'm grateful, and I'll carry on the spirit when I'm in the position to do so. The opportunities I've derived are nothing but amazing, but the most important thing I've learned is to internalize integrity as one of my greatest strengths: In the face of adversity and unfairness, I'll stand up for myself and others.
Also, thanks for those telling me internship finding is going to get better. I am not pessimistic about it at all, but I was trying to be funny by "impersonating" the previous top comment, it fits the theme. I find myself maniacally focused when practice algorithms, and I enjoy focusing.
This whole time of writing this I have that one scene from Scent of A Woman repeating in my head: "And I have seen boys like these, younger than these, their arms torn out, their legs ripped off. But there isn't nothin' like the sight of an amputated spirit; there is no prosthetic for that."
edit: small tip though, I would rename the App2.js etc. files to something else, having multiple files named the same but with a number difference says a lot about experience level.
also: do not use regex for parsing XML (https://github.com/BlastWind/xml-leaf-highlighter/blob/main/...). That is also a common newbie mistake
I hope this doesn't come across as patronizing, I didn't mean it so.
HE COMES! https://stackoverflow.com/questions/1732348/regex-match-open...
Thank you reminding me about that diagramming and xml-parsing repos. Regarding the diagramming repo, that was honestly some of worst code I've written (2000 lined React class with 15 states). It's so bad that I put a warning in the repo and haven't gone back to it since. And regarding the xml parsing repo, wow, you really looked carefully! I however added a funny warning regarding this in the readme (https://github.com/BlastWind/xml-leaf-highlighter#design-dec...). I wanted to use regex since it was just a school project. Going to add an additional warning, thanks.
By "infrastructure" it's not just code (CI, tools, etc) but personnel, how they come up with projects, etc. New grads or still-undergrads may have a lot of programming experience but none on working as part of a team.
#sarcasm #seenitinthewild
My favorite part of this whole thing. Hang onto her.
Ah haha I hate that question
It should be banned everywhere, oh well.
I once saw a physicist (not even a coder) give a really cool answer to it though, I wish I could remember it.
If you learn to build things, provide value, you will have 100s of recruiters reaching out to you and you will mostly be rejecting offers for a change :)
I have no doubt reading about you and seeing this comment in a few years you will be more than set!
Karma should be that ethics works.
Strong ethics, and this lesson on their importance, will serve you well your entire career.
You should be able to solve them if they're the same questions!
* Kidding I'm retired. Mad props, Andrew!
Is it a good legal/corporate decision to hide the person who claims to be the original and let him listen to the interview with the other candidate? Holy fuck, no. Is it going to be WAY more thrilling? Oh my god yes; how could you not?
Consider the situation from the perspective of the interviewer: They don't have all of the background we did while reading this blog. They haven't even had time to process what Connor #1 said by the time that Connor #2 arrives.
The decision to hear them both out for a few minutes is reasonable, IMO. At that point in time, Connor #1 could have been lying as far as the interviewer knew. Letting them both exist in the meeting immediately cleared up any confusion.
But having one person hide is riskier. It means a random person could eaves drop on my interview by just pretending to me and telling this story.
I mean, super cool though. I imagine my adrenaline would be going as the interviewer. I’d probably chill out when I realized this was identity theft with extra steps, not a Kyle Reese situation.
And I doubt there would be too many legal or corporate ramifications from allowing someone else to be on the call with their camera off. These are contractor positions, not full-time. Frankly, it's a risk I would take to be able to witness this sort of thing in real-time.
If #2 doesn't get the the potential job, they could come after you for all sorts of things - emotional damages, economic damage (from not getting the job), etc. They might even be able to get the court to force you to give them the job, or at least waste years of your time and mental health dealing with legal hassles.
It's hilarious and awesomely entertaining, but don't do it if you have assets someone could go after, as eventually, someone will.
When interviewing, you do an actual interview, which is where you research whom you're interviewing to gain good questions to ask so you get good answers back.
The staleness and bore of interviewing is entirely the fault of the individual. Especially when they think whiteboarding compsci topics is meaningful.
A few months later a prospective junior engineer came in for an interview. My manager asked him the typical "tell me about an interesting project you've worked on lately." He then proceeded to describe in detail the very project we had just completed, even referencing the magazine article about it (he must have forgotten he was interviewing at the company mentioned in the article). At the end of his presentation, my manager said "That's interesting, because here at X, we just completed that project."
Awkward silence. Then the interviewee got up and said "I guess I should go now." My manager said "Yes, I guess you should."
Impersonation of this sort can be simultaneously disturbing and somehow comical. It isn't a new phenomenon; I'm not decided on whether I believe the information age makes it easier or more difficult.
The author's sleuthing is reminiscent of Cliff Stoll's The Cuckoo's Egg from 1989. [1]
[0] Andrew blogs at https://unfooling.com/, according to the article.
Excellent point.
I've been wondering about ways to test students on "trust/morals" and decided its one of the most valuable yet least well understood qualities. Employers generally rank skills, knowledge, salary, even age/gender/race above dependability/loyalty, or barely consider the latter at all.
Other than lengthy vetting and imprecise security clearance procedures this is such a hard quality to discern, and so costly when you miss the mark. The costs of defection, industrial espionage, and sabotage seem poorly quantified in HR. I think a corrosion of work relations has come about from devaluation of workers qua humans, and the corresponding disrespect people have towards their places of work. Is that inevitable under capitalism/efficiency?
And, harder question... does it even matter? Especially once AIs and remote agents take-over many jobs? Does a corporation care if the worker is an imposter and liar who abused a false identity to get the post, so long as they produce working results?
Is there a kind of moral Turing test here? What do work relations have to do with human-relations in the limit of the present trajectory?
It doesn't seem to win me any points.
In fact, it seems to actually count against me, as I'm sometimes accused of being "snobby."
Ah, well...
STORY TIME:
A few months after I had been promoted (the first time) to a manager, one of my new employees was hired by my boss' boss, while I was out on medical leave.
When I got back, I found out that he had made a promise to the new (now hired) employee, that he was not "legally" allowed to do, and had to let the guy do it (because he promised).
He asked me to sign it off.
I declined, sure that my job was in jeopardy.
Surprisingly, he took it well, and it was never mentioned again (until now). He actually had a lot of Integrity, and was uncomfortable with it (it was a mistake; not deliberate).
* take them on a tour of your chocolate factory
* ask them to pull a magical sword out of a stone
It's definitely a concern when you need to worry about spies infiltrating your company
Yeah this was an incredibly odd and creepy experience that I continue to investigate here and there. I really appreciate the interviewer for letting me stay on and confront the imposter.
Seems to me like there is a whole operation around this business model of exploiting US developer salaries and the morality of a few Americans willing to try and make a dollar for free. Honestly more disappointed in the people accepting shady deals like this than the ones offering them.
if the company gets decent work, the non-US participant gets better (and fairer, globally) pay compared to what they'd get locally, and the US participant takes care of the "soft" side of the operation... who's getting hurt?
I can't deny that something smells skeevy about this and I don't think I could ever trust a random foreign developer who I haven't built up a solid relationship with to execute reliably "as me" in the coding side of a role. But if I had a good friend from college who couldn't get a VISA to the US? I dunno, I might be tempted to collaborate. If everybody wins, I'm not sure it's inherently bad. But maybe I'm missing something.
This entire scam can be done entirely legally by subcontracting the work to your foreign friend, if your clients allow for that; if the end result is of decent enough quality then I don't see why they wouldn't. You'd be on the hook if they mess up, but the same is true when you lie to your friend's employers.
However, these people choose not to go the legal route, instead relying on lies and fraud. They go as far as to hire others to do part of their lying just to get into a company.
Personally, I'd call the authorities the moment I'd find out an employee of mine has been lying about their qualifications and experience from the very first day to fake it through the interview. You cannot trust someone whose entire career is built on top of lies, or someone who actively enables such behaviour.
I'm not sure if these people are a small step up from the call center scammers because at least they deliver something or a small step down because they're supposedly capable enough to do better. I'm sympathetic to the third world programmers that have the capabilities to earn some of the absolutely insane wages American programmers get paid, but I completely oppose the large-scale fraud these lying-as-a-service middlemen employ to make money.
The person being impersonated. Someone is out there pretending to be them. This person is known to be willing to do unethical things. (Who knows, maybe they're also infiltrating the client's network and stealing data, installing ransomware, etc.?) Furthermore, how does the person in the US pretending to be the developer get paid? Do they actually get paid, or is that a scam, too? At any point does someone write a check to fake developer in their name? Does the IRS see that? Is the real developer now on the hook for taxes on that? There are numerous things that could go wrong and hurt the developer being impersonated, the person doing the impersonation, and the client.
I'm a pretty good software engineer, and they pay me very well, but I've got absolute shit executive functioning skills. Task management, remembering to email people back, and the like are challenging to me. It has occurred to me that a full time personal assistant in my area typically makes about $50,000/year. I think there's a decent chance that, with such a support, my own salary could go up by $200k or more over the next couple of years. I've frequently entertained the notion of hiring someone to basically support me in my job without telling my employer, since there's zero chance they'd get me such an assistant and similarly zero chance they'd let me pay for my own.
I wouldn't ultimately do it because, y'know, all the dishonesty involved, but it'd probably be a good deal for everybody involved. My employer gets better work for the same money, my assistant gets stable work, and I get promoted.
Guess how much gets reported to the IRS that you're making and how much taxes you'll owe on that $100/h.
Next there's the fraudulent representation of who is doing the work to the client.
Lastly, there's the "this is a form of money laundering" and you're taking a significant role.
When this starts to unravel, you're not going to come out ahead.
If you DON'T do it this way, but instead get an actor to play a local dev, then it is because you cannot actually program, and therefore need to borrow someone else's identity to get contracts.
IMO if there were registered/regulated, established services that filled this need and handled the VISA/background check process then I wonder if companies might be willing to work with overseas developers more.
As a (pretty common) comparison - if a gay man marries a woman, has kids, does the whole couple thing and blends in, but periodically goes to clubs or gay bars, or has a boyfriend on the side, who are they really hurting?
What about the equivalent straight man with a mistress on the side? Or two? Or the woman with a side man?
Well, as long as everything goes perfect, I guess just themselves by pretending to be someone they aren't most of their lives and having to lie to everyone every day. And certainly the cards have been stacked against them in a great number of societies and environments (to the point of death penalties in some cases if they don't hide), so it's hard to blame them for hiding doing it in those situations if they really can't stop.
But it almost never just goes perfectly forever does it? Eventually, either someone finds out (and now they're exposed to blackmail risk, or a bitter divorce and lots of bad publicity), or someone gets sick with something they shouldn't have been able to, or pregnant, or whatever. There were a decent number of counterparties in supposedly monogamous relationships over the years that have gotten diseases they should not have been able to get, including HIV, from this type of stuff. It can trigger severe emotional trauma in people. Folks get killed over this kind of thing somewhat frequently.
From a corporate equivalent, think - traceable customer information leak. Or attackers get control of the corporate network through a hidden VPN endpoint configured to allow these contractors in to do things, and do things from crypto-ransom the company to outright rob the company blind.
An acquaintance at a company I only briefly worked at years ago got busted for siphoning MILLIONS of dollars through phony affiliates he'd setup at the company. He was in charge of the affiliate program. I never cared for him, and wasn't particularly surprised, and was part of the reason I left once I saw what I had gotten myself into, but it was a good cautionary tale.
The company had been really happy with overall performance, they just hadn't noticed the extra 'tax' they were paying him until he did something else sketchy and they started looking closer.
The reason to avoid doing sketchy things, is because they inevitably have hidden costs, from cognitive overhead from constantly tracking all the lies, to real risks of extreme bad problems that others are being exposed to. It's often lucrative enough however, that there is always the temptation.
It's why 'sunshine is the best disinfectant' is still so true.
After all, generally if everyone was actually comfortable with it and it's side effects, there would be no need to be sketchy about it.
I don't understand why corporations are not embracing and encouraging such arrangements.
I've had some fun with this before where a developer with a clearly Chinese accent, and of course no webcam, posed as German (mispronouncing his own name) and freaked out when I switched to conducting the interview in German. Of course I notified the person whose identity he stole and reported the profile to Upwork, but it's a drop in the bucket of the scams.
At least in America, that's not a valid tell. There are tons of developers in Western countries that have foreign accents.
to me this is immediate no hire. If you can't be bothered to show your face, I can't trust you.
---
Hi, hope you're doing well.
We are looking for a professional interviewee. I'm not sure if you've heard similar thing somewhere. We are a talented developer group specialized in web and mobile software development. We have partnerships with US people and deliver our service to clients by pretending to be US developers. And we share profits with them. Our partners are satisfied with this business model.
Everything is perfect except on one thing. It's just the interview with clients. Normally in the interviews, the clients ask us some technical questions to see if we are able to deliver the service they expect. Because we are not native speakers, we are suffering from taking the interviews and many clients are passing by us even though they can get what they want. So we want a native interviewee and hope you are interested in this model.
Please let me know if you're interested in further discussion. Thank you!
I worked with a firm that did this. Basically, they had one project manager who could speak decent English and about six developers who couldn't. The English-speaking PM was on calls with us, and then he'd farm out the work to the developers.
It was a win-win, because their group was getting work, and we were getting decent results at a discounted rate compared with on-shore resources.
But it's pretty clear that anyone looking for fake interview candidates is not actually planning to do that. They're essentially counting on the fact that it takes many companies a little while to get rid of a bad hire.
In the grey area, there's still a big difference between a liason taking on a load of freelance contracts for the farm under his real name and intermediating comms without ever mentioning there's actually six other people he's never met doing most of the work and identity theft to take on remote full time roles involving work they probably can't handle.
I'm in Uruguay so my timezone works out for all involved.
Sometimes law firms don't even really disclose who's doing the work, and sometimes in their invoices they'll have a paralegal's initials under the "Atty" column.
This is sometimes true even for very large and reputable law firms.
Every solution architect/ pre sales engineer you talk to before the ink is signed isn't there to do the work, they're there to build trust and confidence that the other folks who can't talk to a client are just as talented.
Also you definitely hear from us again as we bill 4 hours a week or what have you for "Quality Assurance."
It is amazing how many managers I have worked for who don't do that.
Get the contract using great people. Before the ink on the contract is dry, send in hopelessly underqualified staff. By the time the client finds out, their "old" internal resources are long gone, bonuses have been paid out to management for reducing cost etc.
I experienced this first-hand with Cognizant.
This is one of my big problems with LinkedIn. We put so much information out there in public, it’s really easy for people do do this. That information can also be used for things worse than applying for jobs.
I think small companies hiring freelancers are most vulnerable to this. In the UK at least companies have to carry out very strict right to work checks, including passports, National Insurance numbers, etc.
I ended up uncovering a whole scheme where an experienced dev in the US would hop on the calls/video interview and then the actual work would be handed off to some other people based overseas.
If you tried to contact the “dev” for something, your call would be routed to a google voice number and you’d receive a text message in somewhat broken English shortly after.
Their scam only lasted a few hours with us, but I often wonder how well they are able to pull this off.
This was an outsourcing group. In the grand scheme of things, “white people are stupid” is not entirely wrong, but there’s a line you know. And there are lines beyond that line. And then there are these assholes off in the distance.
Now, I understand not trusting the police, and often it's more trouble than it's worth to deal with them. But this is a situation involving identity theft, which is a very serious crime. I realized that this is an international situation and the local police probably cannot do much, but at some level of policing, be it the FBI or even at the international level, this feels like something that should be reported. Even if nothing can be done, in the worst case it's useful that the police be made aware of new trends in identity theft; in the best case, they will be caught. These people are organized to perform identity theft, which is literally organized crime -- I hope they are aware of the risk they are taking doing this.
Lastly, unrelated to the above, but just a random social aspect of this; it's clearly an interesting and unexpected result of location-based pay. The only reason I can think of that a group of people would organize something like this is because pretending to be native English speakers and presumably pretending to be US- or Europe-based will automatically get them a higher pay scale. (If I understand correctly, they are possibly a team of programmers in some other country, and are offering to actually do the work, but just pretending to be other people while doing it in order to get a higher paycheck.) Not making any judgement here regarding location-based pay, although that's an interesting discussion for another thread, but in today's remote work environment, new kinds of fraud are definitely an interesting consequence to be on the lookout for. Fascinating, and dangerous.
They won't take a report of your phone number being spoofed, but they'll deploy SWAT teams to unsuspecting houses at the word of bored teenagers.
Do you know the imposter's actual identity? What would you even report? If the perpetrator is international, what are your local police even supposed to do with this information?
You might have a little better luck with the FBI, but if you don't show up with hard evidence (i.e. do all the work for them), you won't get anywhere with them either.
All of this goes to show you why this sort of scheme remains successful. Nobody cares. Fraud is just an assumed risk.
However, the FBI might be very interested. While these situations may be just be a couple of friends scamming, it could also be the tip of the iceberg of an organized crime operation or an espionage operation. Many countries are actively working to get inside American corporations to steal both their technology and anything related to any govt work and secrets. There is not much better way to gain access to the network than to be able to login as an employee.
Even if that one case alone isn't that interesting to them, having the data may very well help crack a much more important NatSec case. Gather the info and report it.
But who knows. I'd be curious to know how common this is / is becoming. It's certainly novel to me.
This seems hyperbolic (though not impossible.)
If I were to attempt this scheme, would I have created an organized crime entity?
I think this whole thing is a novel example of grift, which is by definition bad. The idea of every bad act being turned into an excuse to necessitate federal police action is… weird.
I mean, IANAL but I'm pretty sure taking in income while posing as someone else must constitute a crime.
If not, lesson learned I guess. (Don't know unless you talk to a lawyer or try to report it.) But if it is a crime, then yes, it's across state and national boundaries, so who else would have jurisdiction but federal police?
> Nice to meet you. I am looking for a US person who do business with me. You can earn money with a few cooperation. Do you know Upwork or Toptal site?
They also had the text of the message in a GitHub repo. I tried reporting them to GitHub, Upwork, and Toptal, but I don't think they knew what to do with it? I assumed my scammer was looking to evade banking rules or sanctions, but it could be for either fake employment or actual work with a US-based persona like in this case.
Honestly, this is 100% Upwork's fault. Their platform is a race to the bottom, yet they make it very difficult/impossible for people from countries that can actually afford to make a living with those rates to sign up. So I understand why people resort to this behavior, even though I would never want to work with someone who would actually do that. Fuck those people.
That's been my own experience with Upwork (as someone looking for work).
100% of the contacts I received (100%, like in Every. Single. One.) was a scam (either trying to scam me, or inviting me to participate in a scam).
I realized that Upwork is a sewer, and quickly bailed.
It's sad, because I heard very good things about Upwork. Of course, these "very good things," all came from people who hired through Upwork.
I've never had anyone try to impersonate me for a job, but I have had people steal my photos and create Tinder profiles using them in cities I don't live in (I've been alerted because people who recognized me sent me screenshots). I tried to catfish the person who was using my photos to catfish others, but was unsuccessful. I dreamed of doing what Connor did, which was to confront the person who was using my face on a video call.
I'm so sorry this happened to Connor but am grateful he documented this sort of scam, which I fear is probably a lot more common than we know. I see people on TikTok all the time encouraging these sorts of outsourcing scams of taking jobs on Upwork or something else and then hiring people to do the work on Fiver or in markets where the cost of labor is much, much lower. Do this with enough volume and you could make decent money, I imagine.
But how utterly distasteful for the victim.
It's easy to say 'if they don't notice, then clearly it's not a problem' - but it has downstream effects, like broken products, huge legal liabilities for the company including often scary handling of customer data to make it work, and morale hits as other folks pick up on things like this happening and being uncaught.
These are real, albeit currently low percentage/high risk things that happen. The more people get away with it, the higher the percentages of people who will try (people rationalize it to themselves as 'everyone else is doing it', and 'I'd be foolish to not do the same thing everyone else is'.).
The biggest issue I've seen with remote work (in practice), is it makes it really hard for a manager to see and actually understand what's happening (not just what people SAY is happening, which is rarely the same thing), and makes it easier for employees to hide things they don't want others to see. Which leads to more of everything from undiscovered-until-too-late burnout, to team members who have no idea what to do or how to do it, to opportunists grifting.
Which is kind of useless for most of the points you described at the end. There are plenty of comments here really proving that you can scam even in person interviews. Let's say you are not scam, you pass an interview. You can still do all of those things while you work.
The only way to prevent this is by having keyloggers and similar tools on the work laptop so that you can actually see what people do. And even then, if someone does "enough", would you really check? Probably most people nowadays wouldn't care, as long as you deliver.
The truth is: most people are honest, they do "normal" work, they get a raise, etc. Then there is a percent of people which exploits the system. A system that let's be honest tries to profit from them too by giving lower wages, etc.
One of these other devs only noticed because the client sent a calendar invite to his real email, instead of the one provided by the impostor.
[edit - I'm reading through the original post, and I see now that this was all done through Upwork as well. Yikes!]
They had gotten someone else from the India office to conduct the interview. He said his camera wasn't working and we didn't think anything of it.
He aced the interview, even made good recommendations on the project he would be running.
The guy that showed up wasn't even at a junior level. It became painfully obvious after a couple of days. Pure red flags but the highlight...
- When asking for a project plan on an enterprise level project his response was "I can code all this in 3 days".
- Proceeds to supply broken code.
- When mentioned the code doesn't work he gets aggressive and says other people on the team broke it.
- Code gets reviewed by a senior architect (Bob) from another team. Turns out code was copied from an external github. So even if it worked it would be illegal to use.
- They get aggressive saying that Bob is jealous.
- Bob proceeds to document in detail the codes origin, legal details and points out where the code is broken.
- Bob and senior management have a meeting with the guy, where he is asked supply his original code (which he can't). Is then asked to explain exactly what the code does.
- Bob puts the cherry on the cake where he finds a simple broken function that anyone junior developer could see is wrong. Asks him to explain what is wrong with that code.
After that the guy got fired. Not sure if they investigated further in the India branch. But it was embarrassing all round.
I'm still not sure how the imposter planned to keep the job after getting it. I suspect the stand-in expected money and didn't get it. So didn't support them.
This goes even deeper. During pandemic, supposedly there are even shadow engineers who does the work for you. :-(
Many of the big contract platforms are dealing with this too. Hiring managers are getting tired of it and are 1) not hiring as many contract workers and 2) not using platforms to hire those workers.
Unfortunately, this hurts small companies more since their hiring practices are so lax and there's a crop of new ones every few months.
I'm pretty sure that can get you into super duper extra trouble with the State Department.
My main message for people is to resist the social temptation to share every detail of your family's life on social media, in the long run it's better for your privacy, your family's privacy, your security, and reduces opportunities for malicious data mining.
It's sufficient to build an entire identity theft kit if you're a malicious actor wanting to impersonate somebody. Somebody would combine whatever is available from social media with things like linkedin profiles, CVs, github projects, other github-like-project profiles, and linkedin-type business networking site data.
Or at least a good enough to pass cursory inspection/examination identity theft kit to impersonate somebody with a close-enough email address, or a throwaway custom domain name registered for the purpose.
I would highly recommend anyone that does keep an account somewhere like Facebook to stop posting photos of your house, family members and to set all of your 'privacy' settings to whatever is the friends-only/maximum setting. Try looking at your own profile from a different browser with no cookies in a burner account or incognito mode and see if any of your personal life is visible.
I guess he felt the ultimate Impostor Syndrome.
"Hi, Billy
How are you?
I checked your Codementor account, it is great.
I am *** **** from Ukraine.
I am 32 and I am also a computer programmer.
I want someone who can help me.
Would you lend me your account?
If you borrow it, I can earn a lot of money.
I will pay 100 usd every month.
Regards."
If it's reasonably common, there might be a place for a "reputation protection" service in the tech community - a service that watches various contracting and hiring sites for its members names, then notifies the real person when their name is used.
I could see it being a real issue in the future if someone's professional reputation is tarnished this way. If a prospective employer searched for a candidate and found multiple profiles with very different skills listed, that would be a huge red flag. Worse, if the fraudulent person was hired and then fired, that information could find its way to places where the real person is applying.
If they were able to successfully land a job like this, I could also see that messing with the real person's tax situation.
... I'm off to look for my name on Upwork, I guess.
One of my first employees was doing fantastic work, until his performance fell to 0 - no communication, no deliverables, nothing. Turns out, he stopped paying the subcontractor that was doing his job for him.
The subcontractor contacted me months after I fired the employee and confessed. Apparently, the long-pauses and loud typing during my conversations with the employee was the employee messaging the subcontractor asking for help answering my questions.
So, in my case, the employee was still the front. In this case, they're attempting to eliminate that bottleneck by just having the subcontractor impersonate the employee.
Or, in video form, the Kay & Peele Bank Heist[1]
Companies know that they can pay less money to people in poor countries because an American wage in a third world country would have them live like kings. Going the honest route significantly cuts your profits if you live in these countries.
The "Plamen" person linked in this blog says he was educated in Sofia and Veliko Turnovo, Bulgaria. The average salary in Bulgaria ranges from $18k to $30k depending on the city (taking the optimistic route, here, sites like https://www.zaplatomer.bg/en/salaries-in-country give much lower numbers!); with an expected wage starting at $59k, they would be able to live a wealthy life earning twice the average wage just by getting lowballed by an American company. Spending that wage from a small California apartment wouldn't be nearly as profitable and comfortable as it would be living from a nice house in Bulgaria. All they'd need is a good internet connection and a shifted sleep schedule to take part in meetings.
That's assuming the guy can actually deliver on his tasks. My guess would be that these scammers have limited technical skills and rely on waiting for the slow evaluation process to fire them and then moving on to the next company.
Even if he actually has the capability to become a really good programmer, I'm not sure he's going to beat getting half of potentially dozens of US-based developers' contract incomes for less effort than spamming job boards and running a Slack channel
Even the person they hired here to pretend to be Connor said himself that's he's just a junior that would pretend to be a senior. Maybe the idea is simply to get a well-paid job, work a couple months, get fired (maybe even with a generous severance), and repeat.
I never responded to it, since it reads like an obvious scam, but I had no idea the scam was this elaborate.
The surprising part was that Maris/PND seems to have a pretty good command of English himself, so he could have easily done this without involving other people and thus mostly avoid being caught. Though maybe he runs a larger operation and he simply needs more people to do this.
I am not sure palesthine has internet enviroment and they can use upwork.
And on odesk, former upwork, a client ask me to work "online store management", actually they are fake identification goods seller, their server is also in panama. (banned but their sites can see on archive)
There are few credit check on these cool tech industries.
For AI tuning, margin revenue is the 1st priority. Credit check maybe difficult, AI can't dispute for their instructions.
I can't help but feel there's a whole community of people out there with few morals who are trading tips on how to set up scams like this. The "web of lies" seems so deep and complicated I can't imagine this whole thing was built in a vacuum by one person.
I'm seriously considering being LinkedOut.
Also the story sounds like he/she's somebody around your close circle. Maybe you can stop what you're doing and spend some time to filter some people out.
In the days of remote work, it would not surprise me a bit if there are organized criminals doing this 24/7. Just churning out job applications, hiring people off fiverr, upwork, etc. to do the interviews, collect a paycheck or two and disappear. Could easily be worth $5000-$20000 pr. scam, if they manage to get hired.
What happened is fraud, and potentially harmful to your reputation. If you can afford it, consider seeking legal remedy. It sounds like the twits running this scam are amateurs and its possible services like Zoom could unveil better leads toward pinpointing the perpetrators if compelled. Google's impersonation policy seems particularly wanting. You could consider reporting to law enforcement as well, for what that might be worth.
Thanks for sharing and I hope your story serves as an example to those who are out there hiring to stay alert.
People trying to get cheap labor and instead get defrauded.
I feel bad for Connor though.
Basically the person would write to me and say something like, "I'm a good $language dev and am worth $120/hr but in my country that is really high pay and people won't pay it unless you're American. I'll get closer to $25/hr." Then the deal is something like this: "We will apply for jobs/contracts in your name, but I'll do 100% of the work and you keep half the money and send me the other half."
The worst part is, I get the feeling that the premise is actually true and that this person is merely trying to beat the system. However, I could never bring myself to do such a thing due to the dishonesty required. Secondarily (but importantly) I've been burned by low-cost foreign contractors that billed for over a week before essentially delivering nothing, so I'm a bit once-bitten twice shy. I likely never would, but have considered doing a similar strategy but in an honest way where I'm up front with the client that I won't personally be doing all the work, but instead will out-source it, but I would be their point of contact/PM and if the work wasn't acceptable then (worst case scenario) I would (re)do it all personally.
Interviewed some Italian guy, but when the job started a Russian guy with Asian roots was on the cam.
Somehow I understand his situation, but nevertheless ended the call after one minute.
I was on the receiving end of one of these recently. I was looking for US-based contractor, found someone whose profile looked legit, and reached out. In the phrasing I got back via email, I knew this wasn't the native English speaker I was expecting.
Here's my thread: https://twitter.com/watilo/status/1561795264888901633
Why the hell don't software developers have their own chain of trust?
(Well, professionals in general, but you'd think that we'd have gotten this shit working for ourselves first.)
It would kinda fix this shit - at least to the extent that it was actually used.
So then all you need to do is have "Company X" adopt the policy that all of their people must be connected to the trust chain.
From then on "A" of "Company X" fame can no longer be impersonated (except via theft of keys).
Is it a bird?
Is it a plane?
No, it’s BLOCKCHAIN!
This actually sounds like a possibility legit application for distributed ledger.
But yeah, that's a decent use for the ledger.
[...]
Am I just naive, or does the email that followed below not sound like a scam at all to anyone else? Getting this, my alarm bells would indeed go off, but more in the "this person is probably telling the truth, someone might be impersonating me" department, not in "this person is trying to scam me"
Some people are certifiably insane, and will con anyone to make money. Note, confronting psychopaths with proof they are liars is extremely dangerous. These are the people that will hold grudges for decades if they feel you owe them something, or do something nasty.
Weak Stenography in your CV is also good for auto-screening/blacklisting those engaged in social-engineering workers. You would be surprised who shows up. ;)
Is this going to be a new problem that the gov is not equipped to deal with? Are we going to need to be on high alert that one day the IRS is going to alert me that my tax bracket is 37% because of my income from the 6 jobs I'm working? Then it will take months or years of legal battles to "prove" I didn't actually work 6 full time jobs this year.
If an experienced person does the interviewing asking the right questions / requiring tests / etc might be insufficient to realize the person you are interviewing is not the person who will do the work. I wonder how you would catch this before actually having the "worker" start.
I guess this is a downside of all remote work assuming your company is less than thorough in checking references/documents/etc.
......
I'm not sure how this actually pans out if it works. Can you really refuse to use video for the entire contract of the job? How do you get paid if you need to submit tax documents? Do you pretend to be me forever?"
Having over 15 years working as freelancer through Upwork I can answer that.
1 - Can you really refuse to use video for the entire contract of the job? Yes, you can. But only if you're good at your job. 90% of my clients never knew my real face. I only did video calls with the other 10% of them while we were already deep in the project(s) and trust was already well established. I do prefer voice over written chat though so I have weekly calls with all of them.
2 - How do you get paid if you need to submit tax documents? Upwork is great in that perspective. They have a lot of FAQ helping you with all tax informations and if that fails you have live chat too, with support. However, in this case, being the fact it was an impostor, Upwork style of getting paid and filing for taxes are 2 different beasts they frankesteined together. You still get paid under the fake name using your desired method of payment and filing taxes under your real name, which is done outside of Upwork's control.
3 - Do you pretend to be me forever? Not necessarily actually. You can do bait&switch. Bait clients, do good work for them, create a great relationship with them. Then either you create a new profile under real you and move projects there or move them outside Upwork forever. The fake identity sham is only there to help land the clients in the first place. Once you hook them and they depend on you, they really don't care about Upwork's protection and all that, they just want work to be done.
Anyway, they later asked my partner to send money to their personal account. I was a little bit sad.
I see how this could be valuable as it can be really hard to build credibility from 0. (Though it definitely depends on the particular platform rules/dynamics.) E.g. I used to have an Elance profile for 15 years or so, which got transitioned to Upwork, but it mostly got reset to zero. When I last checked about 5 years ago I was presented as someone who has never worked there and never had any feedback which would have made it very hard to win projects. (Not that it seemed worthwhile anyway.) So while it's 100% unethical, there is probably a pretty strong motivation for these kind of trickeries.
This doesn't help though if your name happens to be Kevin Smith or something.
I don't know about new addresses, but it sounds like more robust vetting is needed on the interviewing side. Resumes and initial screens have become potentially stale and too easy to fake.
I wouldn't be surprised to learn that these people think they have high-level skills, but some other factor is preventing them from getting the job. Sometimes it might even be true, but I'm better against them having the skill level they think they do.
Back in the 90s I was becoming a math teacher at one university while I was working on getting admitted into an IT engineer course at another. Strangely enough, the other admittance exam besides math was physics and I sucked at that while obviously I was far ahead in math compared to my peers at the physics preparation course. So someone offered an astonishing amount of money to take the math entrance exam for them, enough to buy a small apartment with it -- and perhaps I would've been young and foolish enough to go with it except for one fact: they offered a falsified national id to go with it. That's five years in prison if you get caught with it and I noped the hell out of it...
In the case OP describes, the situation is similar: it's the documentation that catches you.
The main technical challenge for a scammer would be to create a trustworthy looking email address so as to not raise the candidate's suspicion. It might not work with big companies but I've seen some companies using 3rd party services to send interviews invitation so it's not completely unlikely that this could work.
Was reached out to on Triplebyte by a guy claiming to work for a large casino in Las Vegas which I won’t name. Asked me to sign an NDA before the interview or that he would tell me what the job was. Couldn’t find him on LinkedIn or anything. The NDA was a word document which I think I signed via online service but never physically opened on my machine because (thank god?) I don’t own Microsoft word, on a Windows machine.
Pretty sure it was some sort of scam, but I couldn’t for the life of me figure out what it was they were after. Perhaps this is it.
>So I sent an email to two of them after I found them on LinkedIn to further help investigate this. One immediately responded unaware of this behavior occurring and left the group.
Although I admire the authors restraint, I am more than a little unimpressed with one of the contacted being "unaware" of the behavior. "Excuse me, did you know you're in a group that is actively committing crimes?" How do you think they're going to respond?
Much easier to just use a real person's identity.
Non trivial stuff for a specific target.
Something's not adding up
And who knows, maybe you manage to actually KEEP one of those jobs, which given how bad some employers are at figuring out who's good and bad at this stuff, is entirely plausible.
Frankly, the work environment was slow-paced and generally non-confrontational so both co-workers I suspect of this behavior just managed to tread water. When I joined the group there was a very tight-knit group of 3-4 developers who were very protective of each other. There was always a handy reason why some schedule was slipping and the other fact is that in hindsight, there just weren't very high expectations for them to accomplish anything.
In roles where communication is fully asynchronous, a competent offshore dev whose written English is considerably closer to a native speaker than their spoken English might be able to hold onto the job for a while, especially if they're good at excuses.
If they're applying for US onshore jobs with below-local-market pay, they might even be considered relatively productive members of the team.
2) they could have developers from countries currently under sanctions
I nopped the f out, so I don't have any more info. Maybe it would lead to a similar scam.
https://web.archive.org/web/20220927224436/https://connortum...
What are the chances its children behind this, maybe even American children lying about why they need a stooge? It would explain why they're not concerned about violating federal law, whatever else, I think also US Code Title 18 Section 241, Conspiracy Against Rights (a wild guess, iinal).
Eventually you need to pay this person, he/she will need to give you some ID or passport, etc. How can someone just employ a name? Or is it just because they are contractors (so no document / background check)?
I’d love to hear a follow up.
But that said, I do wonder if Innersloth actually has to deal with similar issues like this, especially after the boom of interest in the game. Maybe not?
> Thankfully I'm not sitting on a Windows machine and can just preview the document via Google without a fear of infecting myself.
Is that true? Can you get infected by seeing a preview of a Google Doc from Gmail or even opening it on Google Docs? I thought the browser was isolated.
Any project associated with me that went well, I’ll definitely be claiming credit for.
Any project that went poorly.. that’s clearly the impostor.
Thanks other selves for building my CV! So this is how you get 10 years of experience in 2 year old tech
Github support tells me they won't deactivate or rename the account (I don't want it, I just want it gone) unless I copyright my own name and file a copyright complaint with them.
“You can reverse those sites to find a couple hundred of domains on that IP, then cross-check the list against matching Google Analytics IDs and find almost 50 domains”
Just like in the real world.
Authenticated and anonymous are not mutually exclusive. We need a mix.
Just like in the real world.
When I searched for PGP in the comments, this was the only one that mentioned it which is hard for me to believe.
WHY!? the undercover vicitm doesn't jump up and shout when the crime starts to go down, except to drive the plot in really bad tv series.
This could have been the beginning of a new Cliff Stoll Cuckoo's Egg thriller! I am dissapoint, but I guess "who has time for all that?" Interesting story nonetheless.
It brings to mind these immortal words (needs more line breaks but then it would be longer):
If you can keep your head when all about you Are losing theirs and blaming it on you, If you can trust yourself when all men doubt you, But make allowance for their doubting too;
If you can wait and not be tired by waiting, Or being lied about, don't deal in lies, Or being hated, don't give way to hating, And yet don't look too good, nor talk too wise
If you can dream - and not make dreams your master; If you can think - and not make thoughts your aim; If you can meet with Triumph and Disaster And treat those two impostors just the same;
If you can bear to hear the truth you've spoken Twisted by knaves to make a trap for fools, Or watch the things you gave your life to, broken, And stoop and build 'em up with worn-out tools
If you can make one heap of all your winnings And risk it on one turn of pitch-and-toss, And lose, and start again at your beginnings And never breathe a word about your loss;
If you can force your heart and nerve and sinew To serve your turn long after they are gone, And so hold on when there is nothing in you Except the will which says to them: 'Hold on!'
If you can talk with crowds and keep your virtue, Or walk with Kings - nor lose the common touch, If neither foes nor loving friends can hurt you, If all men count with you, but none too much;
If you can fill the unforgiving minute With sixty seconds' worth of distance run, Yours is the Earth and everything that's in it, And - which is more - you'll be a Man, my son!
If: A Father's Advice to His Son ― Rudyard Kipling
Considering how distracted and overwhelmed many managers are right now, some might go years before catching on.
Even if no code got checked in. Chances are, they could also farm out a bit here and there to a friend to make it a harder problem to resolve for the company.
Maybe deepfake-detection will be the next-gen's Anti-Virus business? :)
U know what I mean
