The problem with many of these examples is that 99% of the time, it is a sign of fraud, and 1% of the time it’s a false positive.
> If a person's mobile phone number is associated with VoIP or Google Voice, that indicates fraud.
I’ve been using this heuristic (along with VPN and IP geo lookup) when screening job candidates after a massive influx of developers outside the US applying for US-only remote roles. I discovered that VOIP phone numbers on a resume are extremely highly correlated with the applicant lying about where they live.
If it weren’t for this screening step, I literally wouldn’t be able to hire anyone because the volume of fraud is so incredibly high that it drowns out legitimate candidates.
I wish there were a way to detect fraud while never having a false positive.
But the reality is that a lot of the heuristics you listed are indeed strongly correlated with fraud. It sucks, but it’s also not realistic to optimize for the 1% of false positives at the expense of the 99%.
The cost of the false positives is much higher than the false negatives.
Temporarily slowing down 99 scammers is not worth stranding one normal person in a foreign country with no means to access their money and no means to recover their account.
The reality is that most lockdown-type protection schemes are just a roadbump, not a solution. They slow down the attacker. In fact, hackers are employing account lockouts to lock security teams and management out of their own accounts when they launch an attack.
I'm with OP on this one. The banks have completely failed to protect against fraud while causing massive economic damage with their clueless security design.
> Temporarily slowing down 99 scammers is not worth stranding one normal person in a foreign country with no means to access their money and no means to recover their account.
To that one person it obviously isn't worth it. To the company it absolutely is.
So many transactions are flagged as false positives (way more than 1%), while there are a lot of false negatives because the tools don't improve as quickly as the scammers. The case for blocking transactions is getting weaker - we should instead strengthen the post-fraud response mechanisms, and then analyse the additional data we gain.
My primary phone number is a Google Voice number, and I am entirely legitimate. Just curious, how often are other people filtering with this kind of criteria?
I have been considering migrating away from GV for unrelated reasons, but if that sort of thing automatically makes me less attractive when looking for gigs then I'd like to prioritize actually doing that.
I primarily use Google Voice, especially since I’ve been out of the USA for a while. I haven’t had any major problems, but I have noticed things getting a little more difficult. I was recently denied a savings account at a bank with whom I already have a credit card because they couldn’t text my Google Voice number. They offered to try calling me at a different phone number that’s known to be associated with me, I couldn’t just give them a different number, but I hadn’t used their proposed number in nearly 20 years.
Long story short, GV or VOIP numbers will forever be a big red flag for me moving forward.
Longer story:
A few months ago, I posted a job for a remote US-based developer. 90% of the applicants were not in the US. Some of those who were immediately rejected re-applied with new US addresses and phone numbers, but that's another story. In the end, hired someone who was a great fit, passed the background checks, etc. The only odd thing was their phone number was GV and didn't match the location of their address. My mobile number doesn't match where I currently live and lots of people use GV, so we didn't think much of it.
About 4 weeks in, they sent me a message on a Sunday saying there was a family emergency. They would not be online during normal business hours, but would check in and would still work on tasks as they could. No big deal, I asked for follow-up on two assigned tasks so they could be handed off to someone else to finish a sprint that week.
After two days, haven't heard anything, reassigned the tasks and tried to reach out to check on the person. Phone number goes to the generic GV voicemail prompt, I leave a message. I tried calling the emergency contact, same thing. I reach out through LinkedIn & personal email, no RESPONSE. At this point, we disabled accounts and access to systems. No real reason or policy why, just seemed like a good idea.
Two days later, now Thursday, I start getting calls from a random phone number (also GV from another area of the US), but leaving no messages. Then I get texts, "This is <missing_dev> I've been trying to reach you, please call me back." I call back within 3 minutes, straight to GV generic voicemail.
A few hours later, the number calls again, I answer "Hey, this is <missing_dev>, I was trying to get some work done but it seems my accounts are disabled". After explaining the situation, they simply offered "Well, everything is good now and I'm ready to work." I tried asking some basic things like, are they okay, is their family okay, can we help with something, did you get arrested? Anything to give them an opportunity to offer something. The only response they gave was, "I'm back now and ready to work, if you'll enable my accounts." Over and over.
I explained it wasn't that simple, walked through the communication inconsistencies and asked how that would affect their reliability in the future. You will only need one guess for the response, "I'm back now and ready to work, if you'll enable my accounts."
I thanked them for reaching out and said I'd talk to HR and CEO so we could discuss (both had also reached out through personal LinkedIn, email and phone numbers to check on the person, no responses).
They were still in the 90 day probationary period, so we let them go. They were a very good developer, smart, good coding practices, but inconsistency is a killer. And yes, a GV or VOIP number will be a hurdle any future applicant needs to overcome with flying colors.
One quick trick that has worked for me to weed these people out is saying “You live in <city>? That’s great! We have another employee who lives 30 minutes away, would you be able to do an in person interview later in the process?”
They will make excuses (and blame Covid) for why they can’t meet in person. At that point you can politely reject the candidate.
If you already hired one that you’re suspicious of, ask them if they’re willing to fly to you to meet in person. If they’re legitimate, then they’ll fly out and you’ll have a great opportunity to meet the new employee in person (a good practice in general IMO), and if they’re not in the US they’ll have a bunch of excuses why they can’t.
They will never admit to anything and when confronted with the lie they’ll continue to deny it with silly excuses or they’ll totally ghost you.
Longevity is not part of this scam. The goal is to get a couple paychecks and bounce. (1 month of a US salary is a ton of money to them)
We had plans to get together as a company (about 15 of us from all over the US) about 3 months later. They seemed excited about this. But, we never made it that far.
> The only odd thing was their phone number was GV and didn't match the location of their address.
How is that even remotely odd? Ever since cell phones became popular the phone area code no longer means anything. People tend to have the area code of wherever they were when they got that phone, which is often many location moves in the past.
> I wish there were a way to detect fraud while never having a false positive.
There is: networking. People you trust will tell you about candidates they know about.
> it’s also not realistic to optimize for the 1%
It's not about what's realistic, it's about what's right. Nobody should be falsely treated like a criminal. That 1% should carry enough legal liability to completely offset if not exceed the gains of preventing the 99%. If even one innocent person suffers, it's unacceptable.
It’s acceptable to reject a candidate because they’re not “a friend of a friend”, but it’s not acceptable to reject a candidate because they submitted an application with an IP address from Pakistan with a VOIP phone number?
Wrong framing. The parent didn't set it up as a means to filter. In your situation you have a list of applicants that you are filtering. In the parent's scenario they do not yet have applicants, they simply ask their network if there's any suggested candidates which then forms the list that they will filter from.
It's as discriminatory as posting on Linkedin but not on Indeed. The discrimination would come from the counterfactual question of: supposing they posted the job listing to a larger network _and_ supposing a clearly more qualified applicant applied, would that better applicant be turned down due to nepotism. That's the difference. No one is getting upset at family businesses despite almost certainly failing the counterfactual.
The result is the same, and it's the result that is the issue. If potential applicants aren't given consideration because they're not in the network, it doesn't matter that the hiring committee thinks they're innocent, or isn't technically rejecting them.
Be careful with your logic and framing. I explained why it was poor framing above. But the way you've (and the gp) framed it is dangerous. Swap "voip numbers" for "x skin color" and you're in clear unethical and illegal territory. But swap the attributes of the parent and you don't get this issue. If parent is x race and all their friends are also x race you're not discriminating against y race through their means because they aren't turning down based on race, it is just closer to changing the odds. The problem isn't when you change the odds (unless there's an extreme manipulation) but rather how you respond to samples from the distribution.
This is wrong. You are expected to discriminate against samples from the distribution in a variety of ways, like the formatting of their resume and their work history; it only becomes unethical when you discriminate based on race, gender, etc. If you replace "voip numbers" with "x skin color", of course that would be unethical, but being able to switch phrases to make them unethical is irrelevant, because we're not discussing the unethical case.
The example of networking you give has even more potential for unethical behavior than filtering voip numbers.
Any thread about online scamming will include comments from a bunch of online scammers telling you that the things you can do to make their life harder are unethical.
I'm confused about what such applicants hope to gain by this. What's their business model? They're going to have to give you a SS# or EIN (if they're a self-employed consultant) before you can send them a paycheck, right? And the Social Security Administration has a website where you can verify SS numbers. So what's the play here?
The applicant is actually three people involved in a scam. One is a US person that can provide valid US SSN or other magic numbers, but otherwise doesn't know the first thing about anything. Second is the person running the scam, located anywhere. Third is a person from a low-cost country that's skilled enough to pass the interview pretending to be the first person, who might also be responsible for doing the actual job such the interviews succeed. The fat US salary is split between the three parties.
This is actually the case of a thing you mentioned, just sadly in reverse. A phone number may indeed not identify a single person. It may represent three unrelated individuals at the same time.
FWIW, I'm 100% with you on your list. Even if it's only 1% of false positives, it's a massive number of people at global scale, and frankly also a big percentage. Outside of tech, hardly anyone is allowed this kind of error rate.
This is a good description of the problem - kinda from both sides. Thank you! But based on this, wouldn't the right defense be to insist for some camera feed?
1) Most phones have a camera now - besides the plausible excuse of the candidate's computer not having a working one. 2) When no camera is working, it usually shouldn't be a big problem to postpone the interview for a few days. The time for a camera solution to be procured by the candidate. 3) For an extra test of the candidate being able to engineer their way around a broken or missing camera in less than a week.
Of course. The conversations point out that one frequent problem is the hiring process managed, interviewed and finally filled by different persons.
Place of residence is a different issue. Many people connect behind a VPN. A video feed during the interview would at least hint at the time zone they are in.
Third different issue is right to work in the US. This is an issue you have even in person in the US. Solved with legal documents. Social Security card, green card, US passport... then tax ID, then ongoing tax filings by the employer - Which may be a little easy to forge when presented in pictures but seem to still be sufficient legally. (And here camera helps with "person doesn't match ID".)
Anyway. You are right! Camera solves only part of the problem.
Basically you are getting a mole infiltrated into your company. There was even a US govt warning about North Korean IT workers, heuristics included.
> The hiring or supporting of DPRK IT workers continues to pose many risks, ranging from theft of intellectual property, data, and funds, to reputational harm and legal consequences, including sanctions under U.S., ROK, and United Nations (UN) authorities.
This is the funniest part:
> Repeated requests for prepayment; anger or aggression when the request is denied.
How do you communicate in real time? Even a phone call can lead to bias unfortunately (accent, name, etc). Unless you fully are anonymous it is hard to eliminate bias
Well phones have worked rather well for the past few decades. These days video calls tend to lead to rejection while phone calls lead to a successful engagement. Seems as though lack of video is more anonymous and removes the ability to judge someone based on their backdrop
Likewise. It's amazing how much SMS spam I get on Google Voice number relative to my primary number. Google Voice makes it easy to blackhole numbers and at least some form of spam filtering. If it's going to rule out potential employers, so be it.
This kinda scares me you are screening out Google Voice Numbers. Google Voice was my primary phone number for over 5 years, I had a real phone number but I was always giving out only Google Voice. Google Voice is a very powerful tool:
* your phone number keeps working even if you lose your phone (I could still answer phone calls when my phone broke).
* Traveling abroad is a breeze, just change sim cards on arrival and your US phone number still works via data on Google Voice. No need for expensive travel passes, and you get to choose your operator that has a lot more data.
* Having full SMS & call support on a website is very nice, I always hate typing with the phone. iMessage doesn't solve everything since you need a mac (I frequently switch OS & devices).
Also I think e-sims will make lying and fraud much more common. A month ago chatgpt was denying creating a work account for me because I've already had this phone number associated with my previous account. And they were blocking Google Voice. I went to USMobile.com, paid 7$ to create an esim with another phone number, and I had sms with a second phone number on my phone working in less than 10 minutes.
Seems to me you are filtering against agile, tech-aware candidates - preferring less agile, less tech-aware candidates. These are your false positives. A time saver for sure, but perhaps not optimal for filling the positions.
As opposed to, for example, demanding a video feed (and giving time for an alleged engineer to engineer their way past an alleged broken camera.)
It used to be that demanding a photo or video was frowned upon as being a bit too easy to use to filter on race or gender. But I guess not anymore.
This is exactly it. Nobody assumes these factors are always true. Absolutely nobody in the fraud prevention chain.
They're just true often enough that the company is better off declining to serve the few exceptions than it is trying to build things around the edge cases.
it makes sense that every company ever has a bunch of broken by design security features that were justified after the fact by "risk model", after failing to arrest anyone who pointed out that they were broken, that award people who are uneducated and even moreso not self-accountable to just manage their password or key properly. it makes sense that these features that cannot be opted out require you to constantly give every company your personal id, location, comprehensive profile of your voice and speech patterns (and mouse movement patterns), and selfies using proprietary apps which require you to own highly specific products from 1 or 3 companies.
it makes sense to require email as a second captcha^H^H^H backup authentication thing^H^H^H mechanism we cant explain for your security which requires using one of the 4 remaining email services all of which cant be used without phone verification (btw all these will do things like, lock you out when you switch phone number which is even smaller space than IPv4). what if use different emails for two companies and they are corroborated at some point? do they think i'm identity hopping? but wait, should i be punished for using the same email for my games as my bank? is my email address my identity or should i use multiple to mitigate risk? oooooh i'm thinking too hard, it just makes sense because an adult on HN said they are also totally adults making these decisions based on sound reasoning. if i thought too hard that would also break the risk model because it would no longer be secret which is essential for it to work, and therefore i would be a criminal.
it makes sense that someone can just steal my money from my bank account because he spent an hour figuring out how it really auths you (actually they just learned all they need is the last restaurant you ate at and a rough amount you spent, totally not a guessable number) whereas i assumed just nobody having my password would be sufficient.
it makes sense that my keyboard, monitor, and speaker each have their own OS that takes 10 seconds to boot and also have remote code execution vulnerabilities, because none of that would ever matter for a casual user. it makes sense that my dishwasher doesn't work, that doesn't matter for a casual user since regurgitating crap onto the dishes only gives you disease 1% of the time, its green!
it makes sense that my random photo id is a password and i give it to 50 different companies because everything in the world is good.
some ceo said so, it all makes good business sense.
tl;dr you're literally just defending the garbage dystopia Richard Stallman warned about 70 years ago or whatever.
I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people. If a person says that they are eligible to work in the USA, that should be taken in good faith. If 99% of applicants are fraudulently answering this question, you're probably doing something wrong and need to figure out what's broken in your application process, rather than aggressively filtering out applicants based on correlation. It would be better to filter them out with a more robust application process that doesn't attract these scattershot job applications typically pushed by bots.
> I don't think it's safe to write off that 1% if you don't first make sure you understand who that 1% is and how decisions like this, especially at scale, could harm those people.
Businesses prioritize profit, not "safety" or whatever else you're talking about. Profit always comes first.
laws and regulations are supposed to provide a counter to a corporation's amoral greed which prioritizes profit over all else (including human life or suffering) and the harms that greed causes on a societal/global level.
If enough people are being wrongly treated because companies won't (and arguably shouldn't) care about the harms they are causing, that's when government should step in and find a way to force them to stop acting in ways that we (those of us who aren't amoral monsters) deem unacceptable.
It sounds like it might be time for governments to step up and address this situation with fraud detection, but hopefully part of that will involve cracking down harder on the rampant fraud going on that caused these flawed detection systems to be seen as necessary in the first place
Idk, if your aim is to find the "best talent", then what's the chance that they stumble along and you treat them like shit?
That's what's going to happen when you say "out of this other group, this 99% of people who I didn't want anyway, many of the Google Voice people were fraudsters".
Same thing for asking people to reverse a linked list on a whiteboard, or getting them to re-do their résumé, but in your HTML form instead of just emailing you their pdf. If you do ever get your dream candidate, you've pissed them off.
With most interview processes, your aim is to have a high degree of certainty that you will find someone in the top 1% or so of people, not to find the absolute best person. Given that, arbitrary filters that save your time are very much worth it.
I’d be interested to see actual statistics on this.
I encounter anti-fraud challenges fairly regularly just because I have the same name as another family member and we once shared an address. Years ago.
A number of clients and friends have reported constant hassles wrought of poor anti-fraud implementations.
Older folks and less technically inclined are particularly at risk of falling through these cracks, as are frequent international travelers.
The 99%/1% thing is a good colloquialism but I don’t think the numbers would be there.
Loads of people are using VoIP numbers everyday for perfectly legit purposes. I’m not saying you’re making up your troubles. Just that clearly there are assumptions in anti-fraud technology generally that impact wide swaths of people, whether they understand why or not.
When I lived in the US, I primarily used Google Voice, as I could still use it in foreign countries.
When I had asked T-Mobile to enable international roaming on a particular date, they said they would, but then didn't end up doing it, messing up my travel plans because I didn't have Internet when I arrived. Luckily I was in my home country (Australia) where I could speak the language, but it was a foreign city.
I eventually used someone else's phone to speak to a T-Mobile rep and was sent through a credit check, asking me my American social security number. I'm not American, I don't remember off-hand what government ID I was given there. Luckily I happened to have taken my social security card with me on vacation. I told them, if I can afford to travel internationally, you'd probably think I could also afford a phone plan; why am I being put through this bullshit and why can't you just keep your promises?
It's been a while since I worked with this, but when Google Fi started, their numbers would often show up as Google Voice in carrier lookups, sometimes only for the first few days of service though.
As of 2018 when I last used Google Fi, my number was still being blocked by services that block VOIP numbers, even after having that number in Fi for years.
The entire premise of remote is that it shouldn't matter where you work from, as long as you get the work done. This is extremely, incredibly harmful. I hope you know that.
> The candidates that I’m calling fraudulent are answering “Yes” to a question on our applicant form asking if they’re eligible to work in the US.
The dumb thing is that a lot (and I do mean a lot) of hiring platforms ask this question even when the job is advertized as not being in the US. It's hard to take seriously anymore.
Country of residence makes a difference for legal reasons, foreign remote employees are not the same as domestic remote employees.
Some companies have an established process to handle the different requirements of a global workforce, and for them hiring one more person from country X doesn't cause any issues; but if your HR, legal and accounting is set up for domestic operations, then hiring a foreign employee may easily add so much overhead that it's not worth the hassle.
Yes, it is. It's even hard for a US citizen like me to find jobs that don't require some proof of citizenship that I don't have. IDs cost money here, money that I don't have because I can't get a job, because they want my ID.
You still need to provide accurate data for location, mainly due to taxes. I'm also getting from the post that there's an implication that they are receiving outside the US applicants.
One boring but absolutely valid reason you might want to hire remote people in the same country is that they're within a few time zones of everybody else so you can have online meetings during normal business hours.