The Enemy Within

By John DiLullo, CEO of Deepwatch

There are no three words in modern conversation that ignite passions with as much fury as “return to office.” During the pandemic, millions of knowledge workers relocated to their home offices and began enjoying shorter commutes, more flexible work schedules, less management oversight, and fewer interruptions from pesky coworkers. This global workforce migration from the office to the spare bedroom was a necessity of the times; at first dreaded, but now a prized and cherished perk. The debate over the relative productivity impacts of working from home is sure to rage on for years, and I will not attempt to litigate or relitigate it here. From a cybersecurity perspective, however, the jury is out and back, and a final judgment has been rendered: allowing employees to work “fully remote” is more reckless than walking barefoot through an airport bathroom.

It is an inconvenient truth that in concert with employees’ migration away from traditional office environments, companies saw their cyber losses explode. According to the FBI Internet Crime Complaint Center, cyber losses surged from $4.2 billion in 2020 to a record $16.6 billion in 2024, with cumulative losses from 2020 through 2024 topping $50 billion. The reality is that employees working remotely, and the associated security challenges, have taxed security teams to the max. Companies that allowed remote work following the pandemic saw their attack surfaces grow geometrically, their use of insecure network connections explode, and their population of unmanaged “personal” computing devices handling sensitive data proliferate wildly. What’s more, countless privacy, regulatory, and security concerns required new assessment, mitigation, and management. Most painfully, we are learning now that some of the security weaknesses introduced by allowing 100% remote work are far more sinister than ever imagined.

Incessant headlines describing the daily harm inflicted by professional cyber criminals overshadow and diminish an even bigger problem. Today, more than half of all enterprise data losses and critical breaches still occur at the hands of company insiders. Sometimes these losses are accidental or the byproduct of carelessness, but increasingly these breaches happen as the result of negligence, malice, or apathy. According to the FBI, between 2023 and 2024 there was a 28% increase in insider-driven data exposure, losses, leaks, and theft events. And according to CISA and others, insider attacks are viewed as significantly more difficult to recover from than attacks by outside threat actors. It is mysterious why so much attention is paid to hackers and state-sponsored actors when the most damaging incursions happen under our noses at the hands of badge-carrying, wage-earning, trusted employees.

In the old days, committed hackers waited patiently for an unsuspecting victim to click the wrong link. Or they tediously awaited the discovery of a new “zero day” exploit, or worse yet, they burned through teraflops of processing power and bandwidth by launching brute force or credential stuffing attacks. In many ways, hacking through a company’s cyber defenses could have even been characterized as painstakingly hard work, but the specter of working from home, especially 100% remote assignments, radically changed these economics.

Why? Because when someone is working from home, you never really know exactly who is watching the screen and pecking away at the keyboard. 

The July 5th, 1993, issue of The New Yorker magazine captured this phenomenon brilliantly with a cartoon of two pooches surfing the net and devilishly staring at each other atop the prophetic subtitle, “On the internet, nobody knows you’re a dog.” Today this meme could very easily read, “On the internet, nobody knows you are a North Korean national.” Put more bluntly, a certain percentage of today’s remote workers are in fact spies.

The role of the spy is often romanticized in pop culture with shaken martinis and hand-tailored suits. A more accurate portrayal of this trope was captured in the popular TV series “The Americans.” This based-on-a-true-story series explored the lives of two illegal Russian immigrants, Elena Vavilova and Andrei Bezrukov, who posed as an American couple living in Washington, DC.

When they were college students, KGB spotters identified and selected Vavilova and Bezrukov for vetting. They were put through arduous training for years, molding their language, mannerisms, and identities into those of an ordinary American couple. They left the Soviet Union separately, reconnected in Canada pretending they had never met, remarried as Don and Ann, and immigrated to the United States.

Cold War-style spying is the stuff of Hollywood, but it’s costly and impractical for corporate thievery and mischief. It is much easier to corrupt an insider, contractor, or business partner who already has legitimate privileged access to a company’s data and understands the location of sensitive data and the organization’s security policies and procedures.

In a recent Wall Street Journal exposé, Christina Chapman was described as a 50-year-old operator of a “laptop farm” who filled her home with shared computers and helped North Korean nationals obtain jobs as U.S. tech workers. Reportedly she illegally collected $17.1 million in the process from more than 300 American companies.

What the employers never realized was that their workers were North Koreans residing in Korea but using stolen U.S. identities. According to Pindrop and others, as many as one-sixth of all online job applicants are using fake identities and as much as 5% of all 100% remote applicants arrange for a proxy to report for them on their first day at work. Not only are these spies harvesting data, but they are also getting paid to do it!

Is this so surprising?

A recent Fortune article in the August 2025 issue coined the term “overemployed” and shared how wily remote workers are routinely doubling, and tripling, their paychecks by secretly outsourcing their jobs to AI bots or offshore workers in exchange for a share of wages. Among the overemployed workers Fortune spoke to, some were working five or more jobs and raking in more than $725,000 a year. The bad actors have figured out that it’s 1,000 times easier to impersonate a credentialed U.S. worker who is working from home than to infiltrate a company’s ranks. One doesn’t need Soviet-style grooming and accent neutralization to run this bit of espionage; all one needs is ChatGPT.

Forbid 100% remote work for as many employees as possible. When employees are in the office and in the full-time company of coworkers it’s virtually impossible to run these scams. As an absolute minimum, insist that all employees on a call work with “cameras on.”

Require in-person interviews with prospective candidates. Video interviews are notoriously easy to defeat when trying to validate a candidate’s identity. Also, one never knows who else may be in the room coaching the interviewee or taking note of sensitive material.

Scan your organization for the appearance of mouse jigglers and “keep awake” scripts. Mouse jigglers are vibration plates that rest under one’s mouse and create the illusion that an employee is actively working. More than one million mouse jigglers are sold each year in the United States. They are very easy to install and provide the appearance that someone is hard at work when in fact they may be fast asleep.

Look for “impossible work locations” on your network. Eventually a remote worker’s network provider will make a mistake and reveal traffic from two geographies that cannot both be genuine. A packet from New York and another from London within an hour of each other is a typical slipup, and this provides an opportunity to pounce—if one is watching.
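The impossible-travel check described above, written out as an added example that is not part of the article: it correlates consecutive sign-in events per user and flags any pair whose implied speed exceeds what an airliner could manage. The event records, coordinates and the 900 km/h threshold are constructed for illustration; in practice the input would be geolocated authentication logs from your identity provider.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # about airliner cruising speed; tune per organisation

@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    city: str   # label used only in the alert text
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = (sin((p2 - p1) / 2) ** 2
         + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every pair of
    consecutive logins by one user whose implied speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        prev = last_seen.get(ev.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Floor the gap at one second so two sessions with the same
            # timestamp from different places still yield a finite speed.
            hours = max((ev.ts - prev.ts).total_seconds(), 1.0) / 3600
            speed = dist / hours
            if speed > max_kmh:
                alerts.append((ev.user, prev.city, ev.city, round(speed)))
        last_seen[ev.user] = ev
    return alerts

# Constructed sample events (not real telemetry): alice appears in New York
# and then in London fifty minutes later; bob stays around New York.
SAMPLE = [
    Login("alice", datetime(2025, 8, 1, 9, 0), "New York", 40.71, -74.01),
    Login("alice", datetime(2025, 8, 1, 9, 50), "London", 51.51, -0.13),
    Login("bob", datetime(2025, 8, 1, 8, 0), "New York", 40.71, -74.01),
    Login("bob", datetime(2025, 8, 1, 10, 0), "Newark", 40.74, -74.17),
]
if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh} km/h")
```

Only alice is flagged: roughly 5,570 km in fifty minutes implies well over 6,000 km/h, while bob's short hop between New York and Newark stays far below the threshold.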

Leverage a disciplined role-based access scheme. If employees do try to escalate their privileges and access sensitive data that is unusual for their role, this will trigger alerts and prohibit unauthorized access. This also limits the “blast radius” of an unwanted incursion.

Monitor the dark web. Once an adversary has determined that a company is a soft target, they tend to share this in the deep recesses of the internet. Once you are named, the heat will be on, but invaluable data can be learned by monitoring how your posture and readiness to fight overemployed workers and impostors is broadcast.

Scan for IP addresses that originate from domestic VPN providers. This is a telltale sign that proxy workers are trying to cover their tracks. Block such VPNs altogether: VPN usage should not be an approved application.

Insist that all employees report for work in person on their first day. Take their picture that day as part of the onboarding process, use it as the profile photo on their accounts, and forbid editing by the employee. Photos should be updated every few years, just like your driver’s license.

There are dozens of other strategies including using AI to review employees’ calendars, locking down team members’ PCs, and more broadly leveraging facial recognition software. No strategy is 100% secure, but each layer of security helps.

The Associated Press estimated that fraudsters misappropriated more than $280 billion of U.S. public relief funds during the pandemic. The darker side of human nature was on display during this public health crisis. It should be no surprise that these new cyber fraud strategies have become so ubiquitous, but they do not need to be tolerated. Do not be a victim. If you are not ready to “return to office” just yet, all is not lost. The technology to defeat these adversaries is at hand and highly effective.
