For a Developer, What Does Identity Theft Look Like?

I love the Internet, I really do. deep breath But...

It does by it's nature allow a certain kind of terrible identity theft to take place. Please read through the following blog post and collection of investigative material. For clarity, the "me" in the headline is not referring to me personally.

Someone is pretending to be me.

-Source: hackernews

The commonly understood version of identity theft as far as I'm aware of it, is that someone gets your personal information, like your address, birthdate and social security details and signs up for accounts or credit in your name. This steals money from the creditors and steals (or ruins) credit reputation for the victim. The goal is usually short-term and monetary.

However, the story described in the linked post seems much more insidious. In this era of remote development work that has been around since well before the pandemic, there have been many a developer or coder that has worked for a company and never actually met any of the stakeholders face-to-face. Online portfolio websites, online resumés, and public LinkedIn profiles have created an option for some nefarious actors to entirely pretend to be someone else specifically for the sole purpose of soliciting development work based on the reputation of the victim. The specific victim in the blog post linked above was luckily warned by a potential accomplice that was refused to be roped in.

Long story short, a supposed freelance development company (the bad actors here), were attempting to hire a developer named Andrew (the accomplice) to interview and interface with potential clients (so far, so good), all while pretending (uh-oh) to be a developer named Connor (the victim). Once Andrew got the full picture of what was going on, he backed out and contacted Connor directly to warn him. Connor was lucky.

So I previewed the document and it was scary. It was a document intended for someone to have a cheat sheet for an interview on how to act as me.

• It included a subset of my personal information.
• It included my education history.
• It included my employment history.
• It included my certifications.
• It included a fake cover letter.
• It included a fake email/address that was "near" mine.
• It included information about the company interviewing for.

-Source: connortumbleson.com

Connor was very lucky, and smart enough to follow up and investigate all the possible details of the bad actors, and put them on blast. It's a good job of shaming them publicly. But ultimately the criminals in this case can simply move on, rebrand and start working on gathering work on the reputation of the next victim. Ultimately, the independent developer victims lose money because they aren't really the ones getting hired, and their reputations are most likely hurt given that the work is shoddy.

This is very scary. The only way to combat this is to raise awareness of the existence of this scam. I don't exactly have a big reputation or portfolio footprint at this exact moment so it's unlikely I'd be a target. But it's important me and professionals like me to be aware. It's also important for corporations large and small to be aware and do a proper investigation of who it is they are hiring. Since the bad actors are getting hired as "independent contractors" there's no HR investigation or other due diligence, no verifications. Here's more from Connor...

So it seemed like I was starting to understand the picture now.

• A person/company sets up fake Upwork profiles of real people.
• They apply to jobs in hopes to get an interview using that fake profile.
• They find suspecting victims on GitHub who are willing to go along with this.
• That person uses the identity of someone else to land the job.

-Source: connortumbleson.com

Connor's blog post was only first published a few weeks ago, and updated 9 days ago, so this is all very new and continues to develop. He will likely update the post as more details become available. Everyone be careful out there.