2026-01-05
Background Checks for Developer Roles: What to Verify
Background Checks for Developer Roles: What to Verify
Background checks are a critical but often overlooked part of the developer hiring process. While many recruiters focus heavily on technical skills, code quality, and interview performance, background verification protects your company from legal liability, security risks, and costly hiring mistakes.
This guide walks you through everything technical recruiters need to know about running effective background checks on engineering candidates—what to verify, legal requirements, red flags to watch for, and how to integrate screening into your hiring workflow.
Why Background Checks Matter for Technical Roles
Developer positions carry unique risks that make thorough screening essential:
Security and Access: Engineers often have access to production systems, customer data, proprietary code, and critical infrastructure. A background check helps ensure you're not bringing someone into a sensitive environment with a hidden history of dishonesty or criminal activity.
Financial Risk: Bad hires in engineering roles are expensive. The cost of replacing a developer can reach 150–200% of their annual salary when accounting for recruitment, onboarding, lost productivity, and knowledge transfer. Background checks catch red flags early.
Team Safety: Your team's safety and trust matter. Developers work closely together in collaborative environments. Hiring someone with a history of fraud, violence, or dishonesty can damage team morale and culture.
Regulatory Compliance: Depending on your industry, you may be legally required to conduct background checks. Healthcare, finance, government contracting, and public companies all have specific screening obligations.
Code Quality and IP Protection: Candidates with a pattern of dishonesty might also engage in code theft, cut corners, or misrepresent their experience—all problems that compound after hire.
What You Should Verify in a Developer Background Check
Not all background checks are equal. Here's what actually matters for technical roles:
1. Criminal History
What to Check: Felony and misdemeanor convictions, pending charges, and restraining orders.
Why It Matters: While not all criminal history is disqualifying, patterns matter. A single conviction from 15 years ago is different from multiple recent offenses.
Legal Reality: Under the Fair Credit Reporting Act (FCRA) and many state laws, you can only consider convictions that are job-related and proportionate. A DUI from 2010 is less relevant to a developer role than a fraud conviction from 2023.
Best Practice: Use a standard threshold—many companies exclude only violent crimes, sexual offenses, and fraud convictions from the past 5–7 years, though this varies by jurisdiction and company policy.
2. Employment History Verification
What to Check: Previous employers, job titles, dates of employment, and reason for leaving.
Why It Matters: This is where you catch major red flags: - Candidates claiming 8 years of experience when they've only worked 4 - Inflated titles (claiming "Senior Architect" when they were a junior developer) - Multiple short tenures without explanation (possible performance issues) - Employment gaps that don't match their narrative
How to Do It: Contact previous employers directly or use an employment verification service. Ask about: - Exact dates of employment - Job responsibilities (to verify claimed skills) - Performance rating or reason for separation - Eligibility for rehire - Whether they handled sensitive data or had security clearance
Red Flag: When a candidate lists a company on their resume but the company's HR department has no record of them working there—this suggests either dishonesty or they're hiding something about their tenure.
3. Education Verification
What to Check: Degrees claimed, graduation dates, and fields of study.
Why It Matters: Resume falsification on education is surprisingly common. Studies show 15–30% of candidates misrepresent educational credentials.
What Misrepresentation Looks Like: - Claiming a degree they're still pursuing - Listing a school they attended briefly but didn't graduate from - Exaggerating the prestige of their institution - Claiming a degree in Computer Science when they did a bootcamp
How to Verify: Most universities will confirm enrollment and graduation dates directly. Many offer third-party verification services. Bootcamps are more variable—verify graduation through the bootcamp's records directly.
For Technical Roles: While a CS degree is common, many excellent developers come from bootcamps, self-taught backgrounds, or completely unrelated fields. The degree itself matters less than what they can actually do. If someone misrepresents this, though, that's a character issue worth noting.
4. Reference Checks (and What They Actually Tell You)
What to Check: Speaking directly with former managers, teammates, or clients about work performance, collaboration, and reliability.
Why It Matters: References provide insight into someone's real work habits, not just what they claim in interviews.
The Problem: Most candidates provide references who will say only positive things. To get useful information: - Ask specific questions ("How did they handle disagreement with teammates?") - Ask for permission to contact people not on their reference list - Listen for what they don't say (vague responses about reliability might indicate problems) - Ask about specific projects and outcomes
Red Flag: When a candidate can't provide a recent manager reference, or claims their current employer doesn't know they're looking, probe deeper. While some situations are legitimate (startup shutdown, terrible manager), repeated avoidance of verifiable references is suspicious.
5. Professional License Verification
What to Check: Certifications, licenses, and professional credentials they claim.
Why It Matters: Some developer roles require specific certifications (security clearances, AWS certifications for cloud roles, etc.). Verification ensures credentials are current and legitimate.
Who Needs This: Not all developers. Primarily relevant for: - Government/defense contractor roles (security clearances) - Healthcare software (HIPAA-related certifications) - Financial services (compliance certifications) - Specialized roles (cloud architect with required AWS certification)
How to Verify: Most credential-issuing bodies have online verification tools. Cross-check dates to ensure certifications are current.
6. Credit Check (Limited and Intentional)
What to Check: Credit history, debt, and payment patterns.
Important Legal Note: Credit checks are heavily restricted under FCRA and state laws. You can only pull credit reports with explicit written consent and a legitimate business reason. For most developer roles, this isn't justified.
When It's Relevant: Limited to roles with fiduciary responsibility or direct access to financial systems. Even then, use sparingly and document your business reason.
Best Practice: Skip this unless your company has a clear, documented policy and a legitimate business need. The risk of legal issues often outweighs the benefit.
7. Social Media and Online Presence Review
What to Check: Public GitHub, professional networks, blog posts, and technical community engagement.
Why It Matters: A developer's GitHub account is often more revealing than their resume. You can see: - Actual code quality and style - Frequency of contributions - Problem-solving approach - Whether they can work with others (open-source contributions) - Growth trajectory
The Right Approach: Evaluate their technical portfolio objectively. Avoid making judgments based on personal views expressed on personal social media accounts unless they're directly relevant to job performance or company values.
Red Flag: If someone claims extensive open-source experience but their GitHub shows minimal activity, or if repositories are mostly forks with no original contributions, probe deeper.
The Screening and Interviewing Process
Background Check Timing: When to Run Them
Best Practice Timeline:
- Initial Resume Review (Recruiter Screening): Focus on employment history consistency, education timeline, and obvious red flags
- After Phone Screen (Light verification): If they pass basic technical screening, do a quick employment dates and reference check to rule out obvious issues
- After Technical Interview (Full background check): Once they're a finalist, run comprehensive verification
- Before Offer (Final confirmation): Verify all information one more time before making the offer
Why This Order: You don't need to run expensive background checks on every applicant. Running them after technical screens saves cost and time while ensuring you're only checking serious candidates.
Red Flags During Background Checks
Watch for these warning signs:
| Red Flag | What It Suggests | Action |
|---|---|---|
| Employment dates don't match resume | Dishonesty or fabrication | Request written explanation; verify with employer |
| Gaps in employment without explanation | Possible termination for cause or undisclosed role | Ask directly in next conversation |
| Degree claim can't be verified | Misrepresentation of credentials | Ask for diploma/transcript; may be disqualifying |
| Multiple short tenures (< 1 year each) | Performance issues or job-hopping | Explore with references; understand the pattern |
| Reference unavailable or evasive | Possible performance issues previous employer doesn't want to discuss | Red flag; dig deeper with other references |
| Criminal history concealed then discovered | Dishonesty; violation of background check consent form | Likely disqualifying depending on role and policy |
| Credit issues (if relevant) with no explanation | Financial instability or irresponsibility | May be concerning for roles with financial access |
| GitHub claims don't match activity | Misrepresentation of technical skills | Major red flag for a technical role |
Legal Compliance When Running Background Checks
FCRA (Fair Credit Reporting Act): The federal law governing background checks. Key requirements:
- Written Consent: You must get the candidate's written permission before running any background check
- Disclosure: You must disclose that you're using a background check company and provide the name and contact info
- Adverse Action Process: If you're going to deny them based on background check findings, you must provide the report, give them time to dispute inaccuracies, and explain your decision
- Anti-Discrimination: You cannot use background checks to discriminate based on protected characteristics (race, gender, age, disability, etc.)
State Laws: Many states have additional restrictions:
- Ban-the-Box: California, Illinois, Massachusetts, and others require you to remove criminal history questions from initial applications and only ask after making a conditional offer
- Waiting Periods: Some states require waiting periods before you can dismiss someone for criminal history
- Time Limits: Many states exclude criminal convictions over a certain age (7–10 years for most convictions)
- Salary History: Unrelated to background checks but often regulated alongside hiring practices
Best Practice: Work with HR and legal to develop a documented background check policy that clearly: - Specifies what you're checking and why - Explains what disqualifying factors are - Outlines your adverse action process - Documents compliance with federal and state law
Choosing a Background Check Provider
If you're running checks at scale, use a professional background check company rather than doing it yourself. Here's what to look for:
Key Features: - FCRA compliance and documentation - Multi-state coverage (some providers have gaps in certain states) - Turnaround time (most can complete checks in 3–7 business days) - Integration with your ATS or hiring platform - Clear dispute resolution process - Reasonable pricing (typically $30–$150 per check depending on depth)
Popular Providers: Checkr, GoodHire, Sterling, Accurate Background, and Coresecurity all serve the hiring space with strong compliance records.
DIY vs. Outsourcing: For smaller companies, professional providers are worth the cost because they handle legal compliance, reduce liability, and are faster than doing it yourself. For high-volume hiring, they're essential.
How Background Checks Fit Into Your Developer Sourcing Strategy
As you build your developer sourcing and screening process, background checks are one layer of verification among many:
- GitHub review (via tools like Zumo) shows actual technical capability and work style
- Technical interviews assess problem-solving and knowledge
- Background checks verify claims and catch red flags
- Reference checks provide real feedback from people who've worked with them
Together, these create a comprehensive view of a candidate. None alone is sufficient.
Learn more about our developer sourcing guides to build a complete screening framework.
FAQ
Can I legally ask about criminal history on a job application?
In states with "ban-the-box" laws (CA, IL, MA, NY, and others), you generally cannot ask about criminal history on initial applications. You can only ask after a conditional offer of employment. Even then, you must follow Fair Chance Act requirements, considering factors like the age of the conviction, its relevance to the role, and evidence of rehabilitation. Consult your legal team on your specific state's requirements.
What should I do if I find a discrepancy in a candidate's background check?
First, give the candidate a chance to explain. People make honest mistakes on resumes, and some errors are more serious than others. If they can't adequately explain the discrepancy, or if it's a significant misrepresentation (degree they don't actually have, false employment claims), it's usually grounds for rejection. Document everything in case you need to justify the decision later.
Can I use a candidate's GitHub activity as a background check?
GitHub activity is useful for assessing technical capability and work style, but it's not a formal background check. You should treat it as part of your technical evaluation rather than as background verification. It won't catch criminal history, employment fraud, or other critical information. Use both—technical portfolio review and formal background checks.
How long should I wait for background check results before making a decision?
Most professional background check providers return results within 3–7 business days. If you have a strong candidate and the check is simply pending, you can sometimes make a conditional offer "contingent on successful background check." This speeds up your process and signals serious intent to the candidate. Just make sure your offer letter clearly states the contingency.
Is a background check worth the cost and time for junior developers or early-career candidates?
Yes. While junior developers may not have extensive employment history, a background check still verifies what they claim, catches education misrepresentation, and flags any serious issues. It's cheap insurance (usually $50–$100 per check) against hiring someone dishonest. The time investment is minimal when using a professional provider.
Related Reading
- How to Handle Confidential Searches for Developer Roles
- How to Assess a Developer's Open Source Contributions
- The Open Source Developer Economy: Funding and Hiring
Start Building a More Rigorous Hiring Process
Background checks are just one part of a complete developer screening strategy. To hire developers more effectively, you need visibility into their actual technical work—not just their resume claims.
Zumo analyzes GitHub activity to surface developers with proven skills in the languages and frameworks you're hiring for. Combine that with proper background verification, and you'll have a much clearer picture of who you're hiring.
Ready to improve your developer sourcing? Visit Zumo to see how data-driven sourcing can reduce your time-to-hire and improve quality of hire.