The views expressed are those of the author and do not necessarily reflect the views of ASPA as an organization.
By Edward Kingsley Ocran
May 22, 2026

In 2020, an unidentified recruiter contacted an Arizona woman through her LinkedIn page and offered her work as the U.S.-based “face” of an overseas employer. Five years later, the U.S. Department of Justice sentenced her to 102 months in federal prison for running a domestic “laptop farm” that helped North Korean operatives obtain remote IT positions at more than 300 U.S. companies using stolen American identities. The scheme moved more than $17 million to a sanctioned regime and compromised the identities of 68 U.S. citizens.
The point of initial contact was a professional networking platform.
The Christina Chapman sentencing in July 2025 was not isolated. It was one of several federal enforcement actions last year against the same scheme. The Department of Justice charged additional U.S.-based facilitators, executed searches against laptop farms in 16 states and disclosed that operatives placed through these schemes had exfiltrated ITAR-controlled technical data from a California defense contractor. Investigators also confirmed that operatives using stolen identities had sought positions at U.S. Immigration and Customs Enforcement and the Federal Protective Service. Federal agencies were not collateral exposure in this pattern. They were among the intended targets.
Public agencies have spent heavily on cybersecurity. Firewalls, endpoint protection and internal monitoring have all improved over the last decade. LinkedIn and platforms like it sit outside that perimeter: an agency's mail filtering, external-sender warnings, data-loss prevention and message logging do not see a LinkedIn conversation. Profiles look credible, mutual connections suggest legitimacy and a private message arrives without the institutional checks that an equivalent email would face. From there, conversations can escalate quickly into requests that would otherwise require formal verification.
This is not solely a cybersecurity problem. It is a governance gap.
Where the Perimeter Ends
Traditional cybersecurity is built around what an agency owns: its email servers, internal networks and managed devices. LinkedIn is none of those things. Employees use it in a professional capacity, but agency security tools do not monitor what happens there. Identity verification on the platform itself is thin, and a profile's claimed employer or title is not independently confirmed. Once a conversation moves from a public post into private messages, no one outside that thread sees it. A request through LinkedIn can bypass the filtering, logging and sender checks that would catch the same request in a corporate inbox.
This is targeted social engineering rather than mass phishing. Instead of mass-casting fake messages, attackers build credible personas from public professional information and pursue specific targets. A recruiter approaches a state agency employee about a senior role. A vendor representative messages procurement staff about a partnership. Someone claiming to be a senior executive contacts a finance officer with an urgent request. These scenarios are not hypothetical. The DOJ cases cited above grew out of exactly this kind of contact, with conversations that began on a professional platform and ended in payments, data transfers or system access well outside any monitored channel.
The Public-Sector Stakes
For a private firm, the consequences here are mostly commercial: lost money, stolen intellectual property and reputational damage. For public institutions, the stakes go further.
A vendor relationship that begins in a private LinkedIn message rather than an official solicitation compromises procurement integrity before any formal record exists. Substantive business conducted on professional platforms may produce communications that meet the threshold for federal or state public records under existing retention schedules and may fall within the scope of FOIA or state public records laws. When employees represent their agency in semi-public digital spaces without clear policy guidance, judgment errors do not stay internal. They land on public accountability.
The 2025 enforcement actions make the federal exposure concrete. If operatives placed through these schemes can reach ITAR-controlled defense data and apply for positions at federal agencies, then platform-based fraud is already a public-sector problem. The remaining question is whether existing governance frameworks treat it with the seriousness the threat warrants.
From Cybersecurity to Governance
Existing risk management frameworks were built for environments agencies directly control. Professional networking platforms blur that line. Employees act as representatives of their agencies on LinkedIn, but few agencies have written policy on what that representation actually entails. In the absence of guidance, staff may act on unverified requests, sensitive discussions can move to channels nobody is watching and threats develop unnoticed.
What this calls for is a wider definition of the organizational attack surface, one that includes the external platforms where staff actually do business. Closing the gap does not mean abandoning LinkedIn. The platform has real value for recruitment, collaboration and public engagement. It also does not require new technology spending or specialized detection tools.
For most agencies, the infrastructure to manage this risk already exists. It is embedded in internal control frameworks, productivity platforms agencies have already licensed and federal compliance obligations agencies are already required to meet. The missing piece is governance integration.
Four Steps, No New Procurement
First, embed professional-platform risk into existing internal control frameworks. OMB Circular A-123 already requires federal agencies to assess and manage fraud risk as part of enterprise risk management. The GAO Green Book, which 2 CFR 200.303 points to as the internal control standard for state and local governments receiving federal funds, includes fraud risk assessment (Principle 8) within its standards for internal control. The work is to name professional networking platforms within those existing assessments instead of treating them as a separate cybersecurity concern. That is a documentation decision, not a budget request.
Second, write down what cannot happen on these platforms. Agencies should publish a short list of actions that may not be initiated, approved or finalized through LinkedIn or similar channels: payment instructions, changes to vendor banking details, vendor onboarding, contract negotiation, data sharing and authentication requests such as one-time codes, password resets or MFA approvals. Most agencies can carry the rule through their existing acceptable-use frameworks rather than adding a new one.
Third, verify sensitive requests using identity systems agencies already operate. Agency email directories, HR systems, vendor management platforms and federal registries like SAM.gov are authoritative sources. Any sensitive request that arrives through a professional platform should be confirmed through contact details drawn from one of these sources (a phone number or email address already on file, never one supplied in the message itself) before any action follows. Again, this is a procedural change, not procurement.
Fourth, treat records retention as part of the same problem. When agency staff conduct business on professional networking platforms, those communications can meet the threshold for federal or state records under retention schedules already on the books. Agencies should clarify in writing when platform interactions become subject to records management and where they fall under FOIA or state public records laws. The right people to answer that question are records officers, not cybersecurity teams.
None of these four steps requires new procurement. What they require is coordination across functions that already exist in every agency: internal audit, records management, IT governance, human resources and program leadership. The shared task is to recognize that the attack surface now extends beyond the systems an agency owns.
Public sector trust used to be defended at the inbox and the internal network. Those defenses still matter, and they still work. But fraud has moved into adjacent territory, where credibility is assumed by default and oversight is thin.
The Chapman case shows that adversaries are already operating in that territory, and that federal agencies are within their reach. Closing the governance blind spot is not a technical project. It is an institutional one. What public institutions are accountable for now extends past the systems they own. It includes the spaces where their staff actually conduct business.
Author: Edward Kingsley Ocran is a business analyst specializing in compliance-focused financial reporting systems and fraud risk management for government and regulated organizations, with a focus on improving accountability through data automation. He can be reached at [email protected].