Join/Renew
Employers are increasingly reporting attempts by fake candidates to obtain jobs—and gain access to the organization’s systems and properties—for unlawful purposes.
How widespread is this digital duping? A recent survey conducted by GetReal Security of 668 IT, cybersecurity, fraud, and risk leaders at enterprises with 1,000 or more employees found that 41% of their businesses have onboarded a fraudulent candidate and 88% encounter deepfakes and impersonation attempts at least occasionally.
Perhaps the most noteworthy case of large-scale candidate impersonation is when North Korean IT workers stole the identities of Americans to secure remote jobs at more than 300 U.S. companies to collect nearly $90 million in pay. They then redirected these funds to support the country’s military programs.
Jeff Crume, an adjunct professor of cybersecurity at North Carolina State University, who has spent more than four decades in the IT industry, explains that these acts are carried out at all types of organizations, by a range of perpetrators, and for a host of reasons.
For example, a perpetrator could feed the information gleaned from a job posting—such as the job’s requirements, experience levels, and other candidate preferences—into an AI chatbot to build the profile of a fraudulent candidate.
“AI could also generate a name, age, and backstory for this fake candidate, so somebody doesn’t have to dream them up,” Crume says.
“This is especially useful for an actor for whom English is not their first language. On the other hand, the chatbot does know English fluently. AI could create resumes and social media accounts and populate them with posts, friends and followers, and engagement. And the perpetrator can create plausible personas for many candidates for just one job opening. This thrives when it's a remote job and, therefore, location is not an issue, so they're never going to meet in person.”
This fraud is being carried out by nation-states, hacker collectives, individual hackers, and other groups and individuals. But what do they gain from carrying out these acts?
“Maybe they create a fake employee who looks just good enough to be true and a company hires that fake employee. Now, through that fake employee, the perpetrator has access to the company’s systems, allowing them to snoop around and steal intellectual property and sensitive data,” Crume explains.
Another potential use of fraudulent candidates is to plant a “logic bomb,” threatening to, for instance, delete or encrypt key data and alter systems unless their demands are met in a ransomware scenario.
“In these cases, criminals get access not by hacking in, but by the company granting them access because it thought the criminals were employees,” Crume notes.
“In other cases, it’s really easy for perpetrators to use vibe coding and have their chatbot write off code to have multiple jobs and get multiple paychecks for at least a short period of time. There are about a hundred more variations of these uses of fake candidates that we haven't dreamed of that the other side will.”
The use of deepfakes—AI-generated substitutions of one person’s likeness and/or voice in a video, photo, or audio recording—adds layers of depth to an already complex issue.
“A person trying to get a job can generate a fake persona and an accompanying deepfake. Even if they’re from another country and don’t speak English, it will translate in their voice so when doing a web meeting or video call, the interviewer probably would not know that they are interviewing a deepfake,” Crume says.
For organizations dedicated to thwarting such criminal activity, thoroughly vetting each candidate requires a good amount of time, money, knowledge, savvy, and more.
“Of course, the criminals are hoping that companies won’t dedicate these resources to stopping them so they will be free to carry out their fraud,” Crume says.
He emphasizes that the use of AI to commit fraud in the job-search process is not one-sided. Job seekers also need to approach potential jobs with caution because, just like with fraudulent candidates, criminals are also creating fake companies and jobs to deceive real candidates.
“I know of people who interviewed for jobs and realized during the interview that they were talking to a deepfake. These were bogus job offers in the first place,” Crume explains.
“Why would somebody put up a bogus job posting? When someone applies for a job, the ‘hiring organization’ is going to ask for all sorts of details about the candidate, including name, age, date of birth, address, Social Security Number. It’s information the unsuspecting candidate will hand over because it’s a normal part of the process. This is also key information criminals harvest to commit identity theft.”
Employers hoping to mitigate the possibility of being impacted by fraudulent candidates can take steps like remaining on top of cybersecurity alerts and best practices; training their recruiters on what to look for; thoroughly vetting candidates, even through third-party services; and tightening systems and processes to limit access.
Job-seekers can vet organizations by looking for news on it from verified and reliable sources, checking reviews on it on sites like Glassdoor, seeking out legitimate employees of the employer on professional sites like LinkedIn, and more.
“If an organization does identify a fake candidate or a job-seeker does fall victim to a fake company, they should report it to the authorities and work with them to describe the interactions and provide any evidence. However, it does get complicated, especially when dealing with foreign actors,” Crume advises.
“This is a dual threat both ways. Both sides need to authenticate the other. These acts are a form of social engineering, which is an attack where criminals abuse trust. They exploit the tendency of people to trust and to accept things on faith. While you can't verify absolutely everything, you do have to be really cautious when you start getting down to hiring somebody or giving out your personal information.”
