Keil Hubert: Innocent Inquiry

Social networks make it easier than ever for miscreants to falsify their credentials. Business Technology’s resident U.S. blogger Keil Hubert suggests that squiffy claims need to be backed up with incontrovertible artefacts.

When Yahoo! laid off the Dallas office back in the spring of 2001, part of our severance package was a referral to a ‘career transition counselling service.’ Since the visit was already paid for, my boss James and I signed up for the agency’s one-day seminar – mostly for grins. If nothing else, we figured that we might discover a better CV template or perhaps some insight into the local jobs market. As it turned out, there wasn’t much to learn. The ‘counsellor’ treated all of us experienced business professionals like recent high school graduates. She tried to explain to the group what a ‘résumé’ was. It rapidly went downhill from there.

Our ‘counsellor’ told the class all that it’s a generally accepted notion that ‘everyone exaggerates on their résumé.’ Therefore, she said, we all ought to ‘punch up’ our accomplishments in order to better stand out against the other job seekers. I remember turning to James and joking that the lady’s entire strategy was about to come off the rails once this new Internet search tool called ‘Google’ finally went mainstream. [1]

I can understand (if not sympathise with) the urge to embellish one’s qualifications when applying for work. Being unemployed can be stressful as hell. The longer you spend without work, the worse the pressure can get to gamble on trying shady tactics. A bloke might claim to have earneduniversity degrees or military service or other honours on their CV that he didn’t actually earn in order to ‘qualify’ for a position. The trouble is, making a claim that you can’t substantiate will usually get found out sooner or later. The more outlandish the claim, the more likely it is that someone who was in a position to know better will notice your claim and cry foul.

Today, the conventional wisdom regarding résumé embellishment has largely done a one-eighty from the way things were back in 2001. It’s so easy to Google a potential hire today that most any ridiculous claim made on an application will likely be found out well before an interview happens. All it takes is a few minutes of idle searching to assemble either a corroborating or a contradictory picture of an applicant’s claimed professional history. If a fellow lies about something in his application package, we’re going to find out. Or, rather, I’m going to find out because I make it point to research my applicants before I interview them. Some companies don’t make an effort to crosscheck their applicants, and it can cost them dearly.

The trouble is, Google isn’t a guaranteed cure-all for the overblown claims problem. An Internet search is not a fool proof technique because it isn’t terribly difficult to create a completely false online persona that backs up the history and identity that you claimed on your CV. Think about what you had to do in order to create your last social networking profile … Provide the service with a valid, working e-mail address, right? How hard would it be to create a completely fictitious profile? The unfortunate answer is, ‘not very hard at all.’

Additionally, people tend to assume that social networking companies somehow validate the claims made by their site’s members. A person’s current profile (the thinking goes) must have been vetted by someone at some point, or else it won’t be online. The reality is that a site with millions of user profiles can’t effectively police all of its members’ claims. They can (and certainly do!) respond to complaints about violations of their terms of service, but they don’t run background checks on millions (or hundreds of millions) of user-generated pages.

Theresa Hamacher of the non-profit outfit NICSA recently posted an article on the problem of identifying and dealing with ‘phantom employees’ on LinkedIn. Ms Hamacher’s focus was on dealing with people who falsely claimed to be an employee of a given company and might thereby misrepresent the company’s interests by making statements that appeared to come from an inside source. Her article pointed out that such fakers could be exposed via a quick phone call to the company’s HR department to confirm or refute their employment status.

That’s easy enough for a spurious one-time claim of affiliation, but what about a more detailed fiction? Back in September, Marketplace’s Queena Kim posted a great story about some social engineers who posted fake LinkedIn profiles in order to con victims into disclosing information about classified projects. Part of the con involved getting access to online groups within LI to interact with targets. Another phase entailed creating a fake recruiter ID that sent fake job vacancy announcements to targets. To really twist the knife, the con men created a fake secondary profile on a different social networking site to build two points of presence for their fictional character. From the article:

‘Having found his targets, Harbinger [the social engineer] set up a “cover.” He went on Facebook and created a profile of a female college student. She’s attractive but, Harbinger says, he made sure she was “attainable.” And she’s about to graduate with an engineering degree.

‘Using that profile, Harbinger approached his targets saying, “Hey, I got an offer from your company. But I’m trying to figure if I want to work there. Do you like your project?”

‘”Guys love to come to the rescue, so I played that vulnerability. Damsel in distress. I’m looking for a job, I don’t know what to do, can you help me?”’

For those poor victims that did a little Internet-based due diligence on Harbinger’s fake identities, the presence of multiple points of validation online seemed to be enough to confirm that the stranger they were talking to was a real person, and was who ‘she’ claimed she was. Whoops!

So, how do you protect yourself against a clever faker when he or she has set up multiple false fronts online to reinforce their bogus claims of employment, or awards, or accomplishments? Dealing with paper and pixel deception can be much more subtle and difficult to deal with than a twenty-year-old fellow sitting across from you in the interview room claiming that he was once the Archbishop of Canterbury.

My preference is to read the packages as they arrive, look for curious elements, and mark them. When the interview starts, I pull out the applicant’s package and simply ask the lad or lass to present us with some artefacts related to their claim. It’s all very friendly and out in the open. There’s no need to be mean about it. Just ask.

See, this is where the fragile lies often fracture. It’s one thing to write a bullet point on your résumé. It’s quite another to have the paperwork to back up your claim if you never actually did the listed deed. Real life generates mountains of documentation as a by-product of existence. The more notable the deed, the more witnesses and documentation there’s likely to be.

Here’s a good examples of what I’m driving at: if I told you that I once served in a Special Forces unit, would you believe me?

A wise fellow will be immediately sceptical of the claim, as well they should be. The Army’s Special Forces branch is rather difficult to get into. I’m not an Action Man type and never have been.  Extraordinary claims require extraordinary evidence, and I fortunately happen to have a small stack of unique artefacts to back up my claim.

When I mustered off of active duty in October 1997, my in-service recruiter secured me a position with the 15th Psychological Operations Battalion at Fort Thomas, Kentucky (just South of Cincinnati, Ohio). It was a bureaucratic fluke, since the HR team had advertised an open staff officer positing as ‘branch immaterial’ (meaning anyone, not just an SF officer, could be posted there). My recruiter entered me into the HR computer, and poof: I received my assignment orders to the unit (which I still have). Military assignment orders constitute a darned solid piece of proof.

I was assigned to work for one specific officer in the 15th PSYOP from October of 1997 through March of 1998. That was long enough to receive an Officer Evaluation Report from my supervisor. I have a copy of that evaluation which includes the names, Social Security Numbers, and payroll signatures of both my rater and my senior rater. A copy of that evaluation is also on file with the national military archives. That document constitutes very strong evidence that I was actually assigned to the unit during the time in question.

That’s not all, though. The colonels at 15th PSYOP must have liked my work, because they presented me with a formal military award when I transferred back to Texas. I have both a colour certificate [2] and a Recommendation For Award form dated June of 1998 showing that I was both recommended for and received an Army Commendation Medal for my work in the unit. These records are also stored in the official national archives. They’re also probably still on-file with the S-1 (Personnel) shop at 2nd PSYOP Group Headquarters in Ohio.

If you put all four of these artefacts together, they present a compelling body of physical evidence to support my claim that I was once assigned to a Special Forces unit. Having the documents to present makes it painless to reasonably substantiate my claim. [4]

Could I have faked all four documents? Yes, it’s possible … That is, it’s possible if you know what the required forms are and what a correct execution of each document looks like. It’s possible to create convincing fakes, but it’s also extremely easy to make a mistake that a real member of the community would recognize. Further, a fake document isn’t likely to be entered into the official archives.

That’s why I ask for artefacts when I see something listed on a résumé or hear something during an interview that sounds slightly off. If the applicant really did the things that he or she claimed, then producing some collateral from the event should be fairly simple. More importantly, the offered documentation should spark a new round of questions and stories that might tell us interesting things about the applicant. Everyone wins.

Folks who are averse to confrontation can employ this method without much anxiety, because at no point in the interview does the challenge become confrontational. You’re not calling the applicant integrity into question. In fact, it’s better if you maintain a cheerful, positive, appreciative demeanour. You’re interested in learning more about the candidate. That’s the pointof an interview. It would be completely barmy to get upset at that … if, that is, they’re telling the whole truth.

It should raise serious red flags when an applicant flat-out refuses to supply any corroborating documentation. People are naturally proud of their work, and especially proud of the things that they’ve created that won them awards, promotions, or special praise. If a listed highlight of an applicant’s career was a printed product or a formal award, then they should be eager to show it off – it doesn’t matter that you might not understand it or it’s not relevant to the position applied for. Your interest in their good works helps to validate them as a person.

If the applicant’s only corroborating source for a claim is what they’ve listed on a web site that they control, that doesn’t constitute acceptable proof. If their source exists on someone else’s site, it becomes more compelling. If a third party with a professional reputation to maintain exclusively controls the claimed source, then it’s probably reliable. For example, I wrote a white paper last year for the SANS Security Reading Room. They don’t let just anyone post content there; you have to apply for the opportunity, get assigned a mentor, make it past an editorial board, and get your work accepted. SANS posts the content, not the author. That’s much more reliable a source than a domain that I bought for $7 back in 2001.

I’m extremely sceptical of an applicant’s claim that they’ve ‘lost’ all of the collateral for a given job. Yes, things do get lost. I had a tech working for me whose house burned to ground with 99% of his family’s possessions in it. These things can happen, but they’re awfully uncommon. For such a thing to happen twice … Nope. I’m not buying it without proof.

Trying to claim that a claimed accomplishment was ‘classified’ is almost always disingenuous. Even if the fellow’s last job entailed cracking ciphers at GCHQ, the odds are pretty darned good that there are unclassified artefacts that he can produce that demonstrate that he was, at the very least, employed there. Pay slips, for example. The schmaltzy greeting card that he received from his co-workers on his last workday. His jersey from the Departmental Football leagueSomething.

Finally, the applicant’s demeanour when asked for evidence should tell you quite a bit about their character. Belligerence, aggression, evasion, distraction, and smarmy assurances are all good indicators that the applicant is a disingenuous sort – a person whose every word deservers to be thoroughly cross-checked. On the other hand, a delighted or agreeable reaction suggests that the applicant is being mostly honest with you. Just asking for substantiating proof can, in and of itself, reveal positive and encouraging things that you need to know about an applicant.

When it comes to liars and cheats, it’s best to unmask them before they get on the payroll. Once inside, they’ll co-opt your company to become another piece of false evidence to obfuscate their sordid history. That’s assuming that they don’t do any major damage to your operation or reputation in the process.

Bear in mind, there’s no practical way to stop people from creating false identities on the Internet. You can, however, effectively crack a liar’s façade by asking them to show you simple, tangible proof of their accomplishments. It’s not 100% reliable, but it will help to weed out most of the clever lads who think that they can bluff their way in to your company.


[1] Yep. Everyone in the Engineering Services Team at Yahoo! Broadcast back then was quietly using the unannounced beta version of Google for Internet searches.

[2] Department of the Army Form 4980-14.

[3] Department of the Army Form 638.

[4] Come to think of it, I probably still have all of my payslips and income tax returns from that period as well.

[5] Note that I never once claimed to have been a ‘Special Forces soldier.’ That would be an easy exaggeration to make, but know that it wasn’t true and so would everyone else who was there. Anyone who served in the battalion back in 97-98 would remember me as the bespectacled nerd who inventoried the gas masks in an old coat closet on the second floor of the HQ building. I never earned an SF tab, and know better than to even insinuate that I had.


POC is Keil Hubert, keil.hubert@gmail.com

Keil Hubert is a business, security and technology operations consultant in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo! Broadcast, and helped launch four small businesses (including his own).

His experience creating and leading IT teams in the defence, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employees. He currently commands a small IT support organization for a military agency, where his current focus is mentoring technical specialists into becoming credible, corporate team leaders.

Keil Hubert

Keil Hubert

POC is Keil Hubert, keil.hubert@gmail.com Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021

Top Articles

Why businesses need to optimise the hybrid worker experience

Organisations need a new lens through which to measure the impact of hybrid working and take data-driven decisions that help…

Related Articles

Register for our newsletter