What is Activity Falsification, and Why Should You Care?

By Luke Parsons, Senior Director of Machine Learning

Teramind’s AI team has uncovered evidence that roughly 7% of employees actively “fake” digital work activity. Let’s define exactly what that means and why it may be a bigger deal than you think.

Pressure to Perform

Shuffling papers loudly, stomping through the office in a rush, or making endless phone calls: “acting busy” at work is nothing new. Rather than giving themselves permission to take an occasional break, some employees feel pressured to appear almost robotic while working. While using physical cues to give the appearance of working may have sufficed in old school office environments, today’s workplaces have undergone digital transformation. Boomer tactics won’t work in a Gen Z world. But where there’s a will, there’s a way, and it would seem that the same tendency to appear busy has taken on new forms.

Appearing Busy During Downtime

Today, activity can be tracked and measured on work machines – and savvy employees know that. They’ve evolved their tactics in an attempt to keep pace with the times. While reasons for falsifying activity may be varied, a definable trend has emerged in which employees mimic true activity in a way that ranges from manipulating digital inputs during a quick break to stretch their legs or make a phone call, to more extreme cases where someone will mimic activity for hours at a time. 

How they found it: The Data

For the past year, Teramind’s AI team has been working with an anonymized sample set of workplace behavioral data, against which they were actively training machine learning models to better understand people and how they work. While testing advanced models for a new feature that will validate a worker’s identity (called worker authenticity) they uncovered an unusual but consistent trend. The behavior patterns of a large group were inconsistent with users’ baseline behaviors.

In other words, AI detected that suddenly and for extended periods of time, the activity on those machines was undoubtedly not coming from the same user. Upon further investigation, the team discovered that the patterns of behavior triggering alarms weren’t created by another person working on the same machines, but they were coming from a synthetic, non-human source.

In fact, the researchers discovered that 6.93% of employees were found to be using activity falsification methods to mask their actual activity levels. Not only did the team rerun tests and confirm the results across a wide variety of sources, but they were able to eliminate the possibility that a small group of bad actors was skewing results for the entire sample set. In short, this indicates that, on average, roughly 7% of employees in any organization are actively faking work activity on their machines.

How is it done?  

The only thing someone needs to do in order to keep their status light green on interoffice collaboration platforms like Teams or Slack is to have their keyboard or mouse “active”. To accomplish this there are both programmatic and physical ways of mimicking input activity. Programmatically, an application or macro (defined as an “automated input sequence that imitates keystrokes or mouse actions” – Techopedia) can be used to move the mouse cursor and press keys in any number of patterns. 

Physical tactics are often achieved by pressing keys down for an extended time with something as elementary as a wedged paperclip or weighted object placed on their keyboard. Physically manipulating a mouse, on the other hand, often takes the shape of something a bit cleverer, ranging from putting one’s mouse on an analog clock and letting the second hand trigger activity, to using a purpose-built external mouse rotation device. Collectively, digital and physical mouse manipulation tools are commonly called mouse jigglers.

Traditional Ways to Identify Activity Falsification 

Preventing falsified activity in the past relied on techniques such as blocking known falsification applications on work machines, or scanning for known USB devices (how one may plug in a physical “jiggler”). These approaches fall short, though, because they can only measure knowns. To keep pace with today’s pace of rapid technological advancement in all areas – not just positive ones, a detection method needs to account for future developments and all the unknowns. 

A New Detection Method

To solve for this, Teramind has developed machine learning models designed to account for all potential methods and outcomes, which gives them incredible accuracy in identifying activity falsification. Our proprietary models understand users’ normal behavior, so they can detect patterns that deviate from the user’s baseline behaviors for input speed, consistency, and variation. As a backstop, they can also detect inorganic movement, so if a user were to implement falsification tactics starting on the day they were hired in an attempt to skew their activity baselines out of the gate, that activity would still be flagged and surfaced by our models.  

When Does it Matter?

Currently, Teramind is focused on instances where such irregularities occur for 15 minutes or more. Identifying a productive, but overly anxious employee who is just worried about making sure they look busy while taking legitimate breaks would miss the overarching goal. Rather, our intention is to hone in on consistent and / or prolonged falsification, because that could be an indicator of bigger problems at play. 

Personal Struggles

If an employee is experiencing burnout, a traumatic life event, or other reasons for withdrawal, they may need support or some time away to recover. Continuing to increase the workload of someone who is not equipped to handle it at the moment can heighten their issues or even lead to losing a valuable member of your team. The Society for Human Resource Management offers research-backed tips on how to help employees when they are struggling with burnout. One thing that’s not on the list? Ignoring it.

Corporate Security Risk

Additionally, employees who mask their struggles with falsified work activity may also be vulnerable to making other choices that can lead to an insider threat. For example, burnout has been found to drive a 60% increase in employee’s willingness to use shadow IT – apps or software that are not vetted, managed, or monitored by corporate IT.

The Importance of Rapid Visualization

Detecting an instance of activity falsification is one thing. Quickly understanding what it means to your organization is another. To do that, you need to know how widespread this behavior is, how many work hours have been lost, who is doing it most often – and even what was happening just before an instance – to provide context for why this may be happening. 

Our development team set out to speed up the time it takes your tool administrators to understand the magnitude of internal behavior alert trends, as well as give them the tools to dig deeper. The result? Teramind OMNI. OMNI is a new platform designed to display these types of insights, among others, in a news style feed. Not only are violations grouped for more rapid understanding, but they have all the tools that make Teramind so powerful: screen recordings, granular data, and a host of clickable rapid investigation tools. 

To see your OMNI insights for activity falsification, specifically, add a Source filter for Insights, then filter the Category for Activity Falsification. Videos, if your screen recordings are enabled, will show any activity that’s quickly recognizable as odd. You can also investigate further to see details such as the key being pressed or activity percentage data that may not align with the video. 

Looking to the Future

As digital capabilities in the workplace continue to evolve on both the user and IT management sides of the coin, so will our data models. Teramind’s researchers are committed to constant innovation and testing, modeling data in ways that help us better understand how people work and identify the workplace activities or trends that matter most to our clients. 

AI and Machine Learning

While some people fear new technologies, most experts agree that used well in the workplace, artificial intelligence can make people faster, smarter, and more efficient. That’s the approach we’ve taken to AI and ML use at Teramind. We are harnessing this powerful technology to improve the speed and efficiency with which our users can understand their data within OMNI. 

Understand Your Workforce. (Now.)

No one understands the need for speed and efficiency more than IT and security leaders, who are often toggling between platforms for which they are solely responsible, long to-do lists, and high priority security alerts. The last thing they have time for is to scroll through data to make sense of what’s happening. They need powerful visualizations, and they need them right now. In the past, we’ve provided BI reports, customized dashboards, and more to speed up your process. While these tools are still relevant and very powerful, we’re excited about the continuous ML and AI development that’s happening at Teramind, and we hope you stay tuned as we continue to release more ways for you to gain insight on your workforce, faster.