2025-01-23

Executive Summary

The recent indictment of 14 North Korean nationals for fraudulently obtaining remote IT jobs with U.S.-based companies underscores the importance of vigilant hiring practices. Our Privacy, Cyber & Data Strategy and Immigration teams offer actionable steps businesses can take to avoid worker fraud schemes while complying with federal and state antidiscrimination laws.

Strike a balance between protecting the business from fraud risk while properly vetting new hires

Establish robust hiring and onboarding processes that include employee verification

Adhere to Form I-9 and E-Verify requirements to comply with antidiscrimination and identity laws

A years-long fraud scheme perpetrated by the Democratic People's Republic of Korea (DPRK) continues to present U.S.-based companies with significant cybersecurity and employment risks. As first announced by the FBI in May 2022, the DPRK has been evading international and domestic sanctions by partnering with sympathetic unsanctioned nations to covertly enter North Korean information technology (IT) remote workers into the employ of U.S.-based companies and funneling the proceeds of that employment to the DPRK, including into its illicit weapons programs. As of May 2024, over 300 companies had fallen prey to the North Korean fraud scheme.

On December 12, 2024, a federal court in St. Louis indicted 14 North Korean nationals for using fake identities to obtain IT jobs with U.S.-based companies. The FBI has stated that this indictment is "just the tip of the iceberg. ... If your company has hired fully remote IT workers, more likely than not, you have hired or at least interviewed a North Korean national working on behalf of the North Korean government." The indictment also revealed that the DPRK's workers have recently become more aggressive and, in some cases, extorted their employers by accessing company information and threatening to post – or have actually posted – it to the dark web unless they receive payment.

Given these developments, companies may be caught between two potentially competing areas of legal risk. On the one hand, companies may be feeling the pressure to tighten employment screening processes, especially considering guidance provided by the FBI and the New York Department of Financial Services (NYDFS), as described in further detail below. On the other hand, implementing changes to their employment processes could run afoul of established federal and state employment laws if such changes are not undertaken carefully.

Tactics, Techniques, and Warning Signs

In May 2022, the U.S. Department of the Treasury, the U.S. State Department, and the FBI issued an advisory (the 2022 Guidance) describing the tactics, techniques, and procedures (TTPs) often employed by operatives in the IT worker fraud scheme as well as potential mitigation measures. Among the list of TTPs included:

The 2022 Guidance also includes a lengthy list of warning signs that companies should consider when trying to identify a potential DPRK IT worker in their employment. Notable warning signs include:

Use of digital payment services linked to the People's Republic of China.

Inconsistencies in personal information across profiles.

Requests for communication on separate platforms.

Unusual payment requests or failure to meet benchmarks.

Developers are logged into multiple accounts on the same platform from one IP address.

Developers are logged into their accounts continuously for one or more days at a time.

Direct messaging or cold calls from individuals purporting to be C-suite executives of software development companies to solicit services or advertise proficiencies.

On November 1, 2024, the NYDFS issued an industry letter to all the entities it regulates, with steps to take to protect against foreign threat actors. These steps include the following:

Raising awareness with senior executives, information security personnel, and human resources.

Implementing technical and monitoring controls.

Proceeding cautiously with all remote technology employees.

Notifying law enforcement and regulators.

Conducting due diligence during the hiring process.

New Employee Onboarding and Potential Consequences

Companies may wish to consider enhancements to their processes for hiring and onboarding new employees and revisit procedures designed to ensure compliance with relevant legal requirements, regulations, and recent guidance.

Under the Immigration and Naturalization Act and relevant Department of Homeland Security (DHS) guidance, U.S. employers must verify the identity and employment eligibility of all newly hired employees, typically during the onboarding process. This involves completing a Form I-9 and, for some employers, using the DHS E-Verify tool. Employers must examine documentation from the Form I-9 List of Acceptable Documents to confirm identity and work authorization, with both parties attesting under penalty of perjury to the veracity of statements made on the Form I-9. Compliance with nondiscrimination provisions, enforced by the Department of Justice (DOJ) Civil Rights Division's Immigration and Employee Rights Section, is also required. Noncompliance can lead to investigations and penalties, including fines, back pay, and other consequences, based on violation severity and employer factors.

Although it is critical to comply with the Form I-9 verification requirements during onboarding, it is also important to make sure that the verification process is conducted properly and does not discriminate based on national origin or citizenship status, as outlined in 8 U.S.C. § 1324b and interpreted by the DOJ. Some of the consequences for failing to do so include civil penalties, back pay and hiring orders, cease and desist orders, public notice, and monitoring and reporting. It is not uncommon for employers to be confused as to what actions might constitute discrimination. Some examples of employer actions that can constitute discrimination include:

Overdocumentation. The company requests more or different documents of the worker for the Form I-9 than legally required.

Specific Document. The employer requires a specific document (e.g., HR administration says: "show me your green card" or "show me your TPS receipt").

Improper Reverification. The company reverifies based on the expiration date on the Permanent Resident Card or List B identification document.

Discriminatory Hiring Practice. The company turns away or fails to hire a non-U.S. citizen who is unable to comply with the company's unlawful overdocumentation request.

Discriminatory Recruiting Practice. Restricting job opportunities to specific nationalities – e.g., a job posting includes "must be a U.S. citizen or green card holder to apply," with no valid legal justification for the restriction.

OFAC Sanctions

Compounding this risk, employers should also be cognizant of the consequences of directly or indirectly providing aid or money, in any form, to the DPRK. As a sanctioned entity, the DPRK is listed on the Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons list (SDN List). As the federal government reminded the market in the 2022 Guidance, OFAC has authority "to impose financial sanctions on any person determined to have ... [m]aterially assisted, sponsored, or provided financial, material, or technological support for, or goods or services to or in support of, the Government of the DPRK or the Workers' Party of Korea." Indeed, OFAC has a long history of imposing severe sanctions on those who aid the DPRK in any respect, and employers should take this enforcement risk into consideration when evaluating how to implement appropriate, risk-based controls to address sanctions risks.

OFAC's sanctions regime imposes a strict liability standard for acts of non-compliance. As described in a 2021 OFAC guidance, a strict liability standard "means that, in many cases, a U.S. person may be held civilly liable for sanctions violations even without having knowledge or reason to know it was engaging in such a violation."

Key Takeaways for Employers

Employers may wish to review their policies and procedures to re-align their practices with the apparently dueling compliance risks associated with the DPRK IT remote worker fraud. By working to strike a balance between protecting the business from this fraud scheme while properly vetting new hires as part of their onboarding process, employers can strive to comply with the DHS and DOJ requirements as well as the FBI and NYDFS guidance. Primarily, companies should review their policies and procedures to:

Implement Robust Onboarding Processes. Develop detailed onboarding procedures that include thorough verification of identity.

Use Form I-9 and E-Verify. Ensure compliance with Form I-9 requirements and use the E-Verify system to confirm employment eligibility in a nondiscriminatory manner and separate from other processes.

Regular Compliance Audits. Conduct regular audits of the onboarding and verification processes to ensure compliance with legal requirements.

Monitor for Red Flags. Establish systems to monitor for red flags, such as inconsistencies in documentation or unusual access patterns.

Provide Training on Compliance. Educate HR and hiring managers on Form I-9 compliance with identity and antidiscrimination laws.

