Don't Be Fooled by False Credentials

Employment Screening Expert: 'Trust But Verify'
Don't Be Fooled by False Credentials

Falsified credentials are a growing concern for organizations, as job applicants fill their resumes with bogus academic degrees and job titles. How can organizations respond to this growing risk?

See Also: How Tri-Counties Regional Center Secures Sensitive Files and Maintains HIPAA Compliance

According to Les Rosen, founder of Employment Screening Resources, a background screening firm, applicants have gone from "puffing" up their resumes to crossing the boundaries "into the realm of fiction," making things up in order to appear more attractive to potential employees.

The real risk comes when these applicants get the job and perhaps land in high-profile positions, as in the case of former Yahoo CEO Scott Thompson, whose four-month tenure ended after controversy over whether he had embellished his official bio.

"There's some literature now out there that suggests if a person lies in order to get a job, there's a much higher probability they will lie once they're in the job," Rosen says in an interview with Information Security Media Group's Tom Field [transcript below].

To respond to employees and applicants with fake credentials, it comes down to fundamentals. Organizations need to complete thorough background checks. "The important thing is to ensure when verifying past employment that the employer actually exists," he says. Also, ensure phone numbers are legitimate and not made up or inaccurate. Don't take the applicant's word, Rosen says. "Trust but verify."

Schools also need to be verified, and a simple call during the selection process can discover the truth before a potential incident occurs.

In an exclusive interview about background screening and how to avoid the embarrassment of falsified credentials, Rosen discusses:

  • The prevalence of false credentials;
  • Why organizations get fooled;
  • Hot screening trends, including ongoing screening of existing employees.

Rosen, a retired attorney, founded ESR in 1996. In 2003, that firm was rated as the top screening firm in the U.S. in the first independent study of the industry in a research report prepared by the Intellectual Capital Group, a division of HR.com. Rosen is a consultant, writer and frequent presenter nationwide on pre-employment screening and safe hiring issues. He has testified in the California, Florida and Arkansas Superior Court as an employment screening expert on issues surrounding safe hiring and due diligence. Rosen is the author of "The Safe Hiring Manual-The Complete Guide to Keeping Criminals, Imposters and Terrorists out of the Workplace." He is also the key presenter in the new webinar Risk Management: New Strategies for Employee Screening.

Falsified Credentials

TOM FIELD: One of the big stories in the news was that Yahoo's CEO had to step down after the embarrassment of the revelation that his resume credentials had been falsified. How common is this?

LESTER ROSEN: Unfortunately, it's all too common. There are studies and surveys showing that when employers receive applications, up to 40 percent or even more go beyond the boundaries of merely putting yourself in the best light or putting your best foot forward beyond just puffery, and cross the bounds into the realm of fiction, people making things up. We see that people will tell lies about real schools or tell the truth about fake schools - you see both. You see that people have gone to schools and did not graduate or don't have the degree they claimed, or they'll claim degrees, worthless degrees from diploma mills. In this age, particularly with the recession and people trying to get ahead, it's fairly widespread and surprisingly it's also something that can occur in the C-level area of a firm as well. It might be an assumption that it's just the workers, the administrative type workers or others, but it's even more dangerous when someone at the top fakes a degree, as we found in this case, where documents were apparently filed with the SEC that were challenged. That's a big problem across the board.

FIELD: That was my point. We've got a very public company and a very public situation and embarrassment here. What do you see as the message to all types of organizations from what we've seen unfold with Yahoo?

ROSEN: The big message is going back to the basic rule of business, which is don't assume. Or put another way - to borrow a phrase from the 1980s - trust but verify. In this particular case, we had an allegation that a person, apparently for whatever reason, chose to mischaracterize the nature of the degree early in their career, and once that line is crossed and the person moves up their career path and goes from job to job, there are new accounts, there's a person's resume out there, they may be interviewed in the media, and it's hard to go back. It's hard to change that and correct it so that the truthful matter is out there. Organizations cannot simply assume that when they hire, particularly at the executive or C-level, that everything is above board and the way it should be. And the real issue here, which is a real perplexing issue, is that for less than the cost of a glass of wine, a background firm could have called the school in the ordinary course of the selection process and gotten the truth out and reported it back and then none of this would have ever happened.

Background Screenings

FIELD: The point to be made here is that in a case of background screening, we aren't talking about someone that might simply fudge an item on their resume, but if you don't screen properly, you're introducing significant potential risk to your organization.

ROSEN: Exactly, and particularly for firms that are publicly traded or publicly regulated, a firm that falls under Sarbanes Oxley, a firm that has investment from third parties where it has fiduciary obligations, absolutely by hiring someone with a false credential, that's a misrepresentation and that's a form of deception. There's some literature now out there that suggests if a person lies in order to get a job that there's a much higher probability they will lie once they're in the job. The bottom line is that hiring someone who's honest is mission critical for any organization. That's one barrier a firm cannot get around; you cannot have dishonest people and quite frankly verifying your resume in this day and age is not a hard thing to do.

FIELD: That was my question because it seems like in this day and age as you said, we've got electronic checks and balances. We've got greater awareness of the need for background screening and more firms doing this. How can a situation like this even occur?

ROSEN: It can occur because of a culture where an organization might believe that someone they're hiring in an executive capacity just wouldn't do that sort of thing, that they have this long career and they were successful from various jobs. It must be real. So it goes back again to just exercising basic due diligence and taking care of business. The problem with the electronic age is that it's both good and bad in the sense that on one hand, yes, the data is available if one will go and access it and background firms have all sorts of resources that access data from schools and there are databases that background firms can access of schools that are known to be diploma mills.

On the other hand, with the electronic age and with Web 2.0 it's easier to perpetuate a lie. For example, one can go to a business connection site such as LinkedIn, go to the advanced search feature and you can search under school and you could find a name of a fake school and there's at least 10,000 fake schools in the world. You can find them on the Internet. Put in one of these fake schools. California unfortunately leads the nation in these fake schools, and you would be shocked and surprised at the number of people who are putting out on the Internet as part of their own resume or qualifications a degree from a school that's totally worthless, a degree that you can buy just with a credit card, a printer and a computer, and they're making that public knowledge. And it would also be shocking that you'll see some of these people work for firms that are household names, so it's very prevalent, and with the new electronic age it's both easy to tell the lie but at the same time it's also much easier for a professional to detect it, assuming that a firm is focused on the idea that you can't believe everything someone tells you.

Fixing the Problem

FIELD: How do organizations protect themselves from falsified credentials?

ROSEN: It's complicated for a couple of reasons because there are abilities out there for organizations to be fooled. For example, there's a website that got some publicity last year where they provide a service so that if a person butchers up their application and their career history, they can go on to the Internet. They can create a fake company, and what this company apparently will do is this web service will create a very professional looking web page with about five pages. They'll also provide an 800 number to call and you can re-create yourself into anything you want. You can create a company, you can create a title, create job responsibilities. It's the same thing with schools. As I mentioned, it's very easy now to get a fake degree from a real school or a real degree from a fake school.

Companies need to understand that these resources and abilities are out there and there are people, particularly during harder economic times, who [want] to use them and so it just goes back to basics. It goes back to just the fundamentals of employment background checking. Either a third party can do it or an employer can do it in-house. For employment, the important thing is to ensure when verifying past employment that the employer actually exists and not to take the applicant's word that the company even exists or not to the applicant's word for a phone number. A background firm will establish those independently of anything the applicant tells you in order to cut the possible fraud that may go on.

In terms of schools, there are plenty of resources on the Internet. The U.S. Department of Education, for example, will have a list of all schools that are considered accredited for purposes of federal financial aid and so the employer really has no excuse to be taken in by this. There are tools out there and there are procedures, and also it's part of the hiring process itself. If the applicants are told that a background check will be performed and they're on notice and they're asked if they have any concerns about that, well there are certain applicants who will at that time decide to either not to apply or to tell the truth. There are certainly a number of things that employers can do. Employers are by no means a sitting duck unless they choose not to do anything.

FIELD: It sounds like an episode of Seinfeld. You really can be George Costanza inventing Vandelay Industries.

ROSEN: You certainly can; [it's] very easy to do.

Continual Screening

FIELD: We talked about these in some of our private conversations. Continual screening is one topic. What are the benefits and some of the methodologies of revisiting background screening on employees after you've hired them?

ROSEN: Organizations concerned about hiring the best employees, making sure they're hiring people that are fit for the job, that aren't dangerous, that are qualified, they have told the truth, will certainly utilize best practices including a background check when a person comes in the front door, so it's screening at the front door. Now you have a person in the job and they could be there for whatever period of time and the question is, "Has anything changed that might cause that person to go off course [or] that may have changed their ethical redder?" And some firms have thought of doing continual screening or infinity screening; the jury is still out on that.

It may also depend on the position and it depends on how it's done. So if continual screening is done by reference to using databases to do criminal checks, well we all know in the background industry that criminal databases are full of holes depending upon what state you're in. It's not really a workable solution. Some people have proposed doing credit checks, after all embezzlement, for example, is a kind of motive opportunity and means. If a person's financial situation has changed, a credit report might reveal that. Credit reports have been under review by state legislatures. At least seven states have now passed laws. More states are considering laws through restrictive use of credit reports. It's unclear and uncertain what tools can be used.

The good news for an employer is that once a person is working for you, you have two things going for you. Number one is if they don't show up for work for a period of time - and of course an essential function of any job is to go to work - then the employer might be on notice that something might be happening and allow a chance to take a look at. And an employer is able to put sufficient controls in place in order to protect themselves financially, even if they're in a state that makes credit reports on an ongoing basis more difficult to do.

The other problem employers have is they need to think out very clearly the policies involved. If they find that someone has committed a criminal offense or something has changed, how do you adjudicate that? What are the sorts of internal due process opportunities? How do you make sure a person is being treated fairly? There's a lot to think about on that particular front. As I said, the jury is still out and different companies are approaching different ways and one way to do it, for example, may be by analogy, the way drivers of drug tests do. You do a pool and you may randomly run full background checks on them periodically. There are alternatives, but there's no slam-dunk, widely accepted solution yet.

Addressing Merger Risks

FIELD: In the Internet industry especially, you've got so many organizations coming together through mergers and acquisitions. How do you screen employees that could come to you through an acquisition or even from a recruiting firm that has supposedly pre-screened for you?

ROSEN: That's a hot issue for a lot of organizations. If there's a merger or an acquisition, you're now acquiring a work force. But to the existing company, the acquiring company, these people are strangers. You have no idea who they are. You don't know anything about them. You don't want to be caught in a Yahoo-type situation where you have someone in a position of prominence or responsibility without the qualifications they claim and so there are a number of firms who will do background checks on all newly acquired employees. The tricky business is not the legal aspect. Legally, you can certainly do it. Certainly background firms or your attorney can tell you which "i" to dot and "t" to cross so all the paperwork is in order.

It's more of a cultural issue. So you're acquiring a firm. The person now has a new boss. If the first thing out the gate is a new background check, you may have a work force that's disgruntled or not happy or a little apprehensive, so it's all in the roll out, in the presentation, and we recommend among some of the steps you take [that] if you're going to do a background check on a newly acquired work force, educate the work force on why it's happening and why you need to do it. Let them know that they'll have plenty of opportunity to be heard. It's not going to be a process where all of a sudden they get a pink slip and they have no control over it. With a background check anyway you need a consent and authorization disclosure of certain rights. It's all in the way it's rolled out in order to have buy-in from the newly acquired employees, because obviously during a merger acquisition most firms need some of the employees that are part of the acquired firm. Again, there's more of a cultural roll-out.

The staffing firm is a bit more tricky but again doable. There are a lot of employers who will have excellent policies and procedures for due diligence when it comes to their own employees, but yet they will acquire someone from a temp agency of whom they know nothing about, and yet that temp has access to the IT, financials, access to clients; there's a co-employment relationship. It gets complicated. It requires that the employer and the staffing firm work closely together to come up with a methodology where the employer is assured that they're getting safe, qualified workers coming on board.

Lessons for Organizations

FIELD: What do you see as the big lesson or lessons from this Yahoo experience that we're watching unfold, and how should organizations put those lessons into practice?

ROSEN: The first lesson, number one, is recognition [that] there's a problem. You can't take things at face value. You can't make any assumptions. Just because you're hiring someone with a great resume does not necessarily mean that the due diligence has been conducted. Keep in mind that when a person tells a story once and they continue to tell the story, they might even believe it after a while. That's lesson number one; realize that there's a problem.

Lesson number two is to do something about it. You can't just sit there and assume that a higher paid person doesn't have the same type of problems that a person at a lower level might have.

And three [is to] review your policies, review your procedures and figure out how you got there. Figure out how the mistake happened. What's being done to make sure that you're hiring those qualified and best employees and employees that are honest and absolutely going to make your company a success?


About the Author

Tom Field

Tom Field

Senior Vice President, Editorial, ISMG

Field is responsible for all of ISMG's 28 global media properties and its team of journalists. He also helped to develop and lead ISMG's award-winning summit series that has brought together security practitioners and industry influencers from around the world, as well as ISMG's series of exclusive executive roundtables.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.