How to identify fake employees and candidates?

Recently, companies have been facing an uptick in fraud and other employment attacks that put them at risk. HR, recruiting, and people teams face immense numbers of candidates and typically lack the tools, processes, and availability to thoroughly vet potential new and existing employees. There are plenty of different types of fraud around identity, and their facets span many scenarios, making it more difficult than ever to feel secure about hiring. Furthermore, many laws hamstring anti-fraud and security checks due to discrimination and anti-AI usage, as mentioned here: Navigating the AI Employment Bias Maze: Legal Compliance Guidelines and Strategies - Business Law Today from ABA. The result is teams are left wondering what they can and cannot do to secure their employers. Governments have vast resources and are able to brute force their way out of the situation. They can be very prescriptive on who they hire, especially for DoD and security clearance positions, and time is on their side by waiting for a person to meet the criteria that is least likely to result in some fraud.

Fake employees and candidates start in a funnel, and the most significant volume will reach the gates of your hiring process. Catching them here is critical as once they get past a few months of work, it is almost impossible to catch them later without the help of a professional. Fraudsters and adversaries seek out positions for financial gain or other malicious activity in countless ways. Our focus for identification will be at the start of the process, resulting in the greatest ROI as it can be mostly automated. We will also limit it to IT and remote jobs as those positions are hit hardest and have the most significant potential for damage to a company. Investigating employees once they are hired becomes a much more complex process, especially in remote positions and countries where privacy regulations block more advanced techniques to identify someone. Catching these bad actors early in the process saves tenfold in costs compared to later identifying a problem after a background check or the person has been hired.  In the post-mortem, a cybersecurity company even provided tips and examples of what went wrong. How a North Korean Fake IT Worker Tried to Infiltrate Us While these might work for some time, expect the techniques to be adjusted to bypass the obvious additional security controls.

Bad actors like to work in a tiered and siloed system to ensure not all cases are not caught or exposed. In the North Korea case, plenty of other unnoticed employees are likely blissfully collecting a paycheck each day. Also, profiles of fake employees are constantly rebuilt from the ground up to ensure a constant supply of new identities. Like bad actors laundering money with businesses, they have an endless supply of new ways to continue operations when one gets shut down, as it's a cost of doing business. The various bad actors work their way up to higher-value positions. They can provide stepping stones to launch an attack against a company, especially if a vendor works with a high-value target company. In our research, Trust Swiftly has identified candidates with suspicious pasts and ones with patterns that pointed to state-sponsored infiltration. As the threat actors learn enterprises have upped their security game, they will likely move to softer targets such as SMEs.

Identity verification is also not enough to thoroughly vet each candidate, but it should be one step that whittles down your list. The problem is that identities can be completely fabricated with enough resources, so even a matching government ID will not be enough to truly trust an employee. Experience and history are the last frontier to catch fraudsters in the future. The hope is that these bad actors cannot keep the charade up when working at multiple companies and eventually slip up. As we have detailed, most identity pieces can eventually be bypassed, making a data network critical to finding abnormalities. Other unwitting employee data is also stolen and then reused to apply to companies. The fraudsters also reserve their high-value assets for only specific steps of an employment process. AI makes it even more manageable as an initial interview and video chats may be a completely separate person who does a physical appearance. The only difference would be the actual thought process and knowledge of a person vs. an expert person facilitating part of a fake employment mill. A profile can also be built up by using multiple resources over time, working at a small or obscure company, and then working their way up to a higher value target. All this will appear like normal behavior and difficult to sniff out with conventional tools.

Now, we will look at top tips and tricks that have helped expose fraudulent candidates and employees. The primary checks will look at identity versus a simple resume and formatting, which can eventually be caught by a background or reference check. If you are not doing the basics to catch fake candidates, you should start there before exploring more thorough methods. The signs usually exist but can be subtle depending on the sophistication of the threat actor. For instance, a candidate who is overly eager to start work immediately without much negotiation or a candidate who is not willing to provide references from their previous jobs could be potential red flags. Some of these checks may appear discriminatory, so they should be first reviewed with your legal team to ensure no local laws are being violated. Also, different checks should be adjusted per your industry and company size as each risk profile changes. For example, if you have a position for the head of DevOps with access to almost every system, it will have greater risk than an IT helpdesk analyst with restricted permissions.

1. To start, look at how a candidate came into your hiring funnel. Inbound vs. outbound leads can affect a person's risk. Usually, a resume that has been sought out by a recruiter will at least have some initial checks. Bad actors sometimes spray and pray resumes, hoping that some remote position will get them to the next step of a real interview.

2. Check a resume and compare the experience with any digital footprints. Sometimes, a person may leave out experiences that appear elsewhere, such as a previous company blog post or research paper. Any discrepancies should be looked into to see if more research is required.

3. Going further into the digital footprint, more details can be checked. Username, email, name, phone numbers, GitHub profiles, and other social media accounts tell a story about the candidate. While the information exists, it can be easily fabricated. Someone with actual knowledge must review the data. For example, in one case, we found a GitHub account that matched all relevant identity data and showed repos that appeared genuine. Upon further investigation, it was determined that the profile was actually acquired from an account broker and repurposed explicitly to apply for one job. Looking at the history of an account and any public activity helps. Furthermore, profiles such as LinkedIn provide verification checks but are not without fault, and a verification done by CLEAR is valued differently than one by Persona. The history from LinkedIn can also point to any suspicious activity in case a name was changed, or fake profile connections were made. Verifying the ownership of a LinkedIn account is also critical, and tools like Trust Swiftly can help with that process. There are also other data brokers and sources available that can lead to more historical accuracy.

   

4. Searching online presences may lead to certificates and papers by an applicant. Do not be fooled by some of them, as many online reputations can be synthetically generated with the proper funds. Paper mills: the 'cartel-like' companies behind fraudulent scientific journals. The information should be vetted, and the contributions of an applicant need to be checked, as opposed to what they claim to do. Furthermore, even certifications like CISSP and other high-security professional certificates can be fooled. Even though they require in-person test taking, they are not doing much to validate the photos of test takers from a government source.

5. A pre-screening/background check costs less than a dollar, and you can also find some items to look into further. An ID, Selfie, and liveness check will provide valuable data on the expected location of a person. One data point might appear where the person owns a property in one state with an ID from another and then a job location in a third location. Residents are supposed to keep up-to-date IDs, and expired or dated identity data could mean invalid residency information. Carrier information from telecoms and soft-credit checks can also provide a pattern to their identity, but sophisticated actors will have profiles built for it. Lastly, GPS geolocation checks can offer more accuracy vs simple VPNs and proxy locations from an IP. Even easier checks include banking verifications to validate their legitimate accounts, as salaries/bonuses should be done to banks with vigorous KYC checks and name validation. Many foreign fraudsters use neo-banks with online signup processes like Payoneer, Wise, and Bunq. A small sign-on bonus can aid an employee's financial analysis.

6. Identify devices attached for any remote tools or other internet-controlled parts. Threat actors know how to spoof and mirror device IDs with PIKVM/Tinypilot, so monitoring that is not enough.  Also, some advanced techniques to catch remote activity are device sensors and vibrational activity. A laptop that appears to be typing but can not be corroborated with another sensor part of a computer, such as this https://www.lenovo.com/us/en/glossary/ffs/. A presence sensor, too A look at the human presence detection sensor in the Lenovo ThinkPad X1 Carbon (Gen 9)  can be another datapoint. Combining behavioral analysis will eventually help catch environmental factors that show a laptop or remote farm. More advanced fraudsters will purchase a house and create an entire front to bypass all identity and IP checks. There are breadcrumbs though exposed for example the utility usage might not match rates expected. The purchase history and later buyer transactions can help identify out-of-place behaviors. However, the environment and other sensors embedded in a laptop can be used to detect remote-controlled devices. As more fraudulent employees are caught, their behavior can be used to train future models and create profiles of bad actors.

7. Monitor an employee, too, once they become hired. In some cases, a proxy person will take over the job and do the day-to-day activity. The clever fraudsters will also use AI voice cloning so that if any interviews require different experts, they will look and sound similar throughout the process. Lip syncing is an old method since deepfakes can be streamed that are lifelike. Especially for a state-sponsored attack, they can reserve the most advanced techniques for a highly sought job. The completely different person should have their biometrics verified. A simple way is through facial verification as well as fingerprint checks. These can be incorporated into your login or SSO process at set intervals or session reauthentication. Deepfakes are ways around it, but a solution with liveness checks should be used to catch more sophisticated fakes.

8. Implement company phones for high-risk employees. It is an added cost, but company phones and devices will provide even more data about an employee. Part of the contract can require certain security features to be enabled on a phone that can aid in the detection of abnormal behavior. Lack of usage or static GPS locations of the device may look strange, as well as the requirement to physically control and pick it up. Phones are usually more accessible to lockdown and already have many anti-tampering protections, giving powerful insights into usage. A simple passkey authentication could be enough with the bonus of added security, but it again stops some remote cases as it can detect the physical motion of the phone. Highly privileged systems typically require high assurance, which can provide added security for authentication. In many cases, they can use travel routers to mask their IP, which forces companies to use multiple methods to track a device's actual location.

9. More profound questions are also helpful to throw off an unprepared candidate. It should not appear like an interrogation but one that elicits specific responses that can help build an overall story. Lead one question to the next and even go back to previous questions to verify they keep their story straight. One way is also to ask vague, false questions about a department, co-worker, or manager where you try to see if they fabricate a story or can correctly identify it as an irrelevant question. Also, casually hinting at a physical offsite meeting occasionally can spook them enough to not waste your time anymore.

10. Overemployed or multiple-job employees are another critical aspect to look out for during hiring. Their behavior and signals overlap with some fake employees. Searching Search results for 'multiple%20jobs' - Blind, you can find many cases there and on other communities about different schemes to hold multiple jobs. The break of trust between an employee and employer is the primary failure here, and, in many cases, it can be caught by looking at similar patterns of these types of workers. A lot of it boils down to ethics, so you must identify the archetypes and behavior that would lead them down this path. Review their job history, but be careful with specific careers that are more difficult to verify, such as startups or university jobs. Sometimes, these positions will not translate well into acceptable performance, which is why experience vetting is critical. Lastly, The Work Number (TWN) checks can be useful but most know to freeze this to prevent obvious reporting.

11. Working with your cybersecurity department is also critical, as there are ways to limit the scope of damage if a fake candidate gets through. Locking down a computer is vital to prevent unauthorized tools from being installed and data exfiltrated. This will stop many bad actors from getting far as they can be impatient and try to configure a laptop for a particular setup. Also, having a tiered onboarding process can further catch fake employees. If they swap the person right away, the new proxy may fail basic training exercises or projects. Also, even small companies can easily monitor the traffic of an employee for free. You can see what a specific employee does all day using Cloudflare Zero Trust. i.e. browses social media but has no activity or behavior that matches other validated employees. Things like looking at ping times and other devices on a remote network can help identify edge cases, too. Scanning nearby WiFi networks can also catch any overlaps or be used for geolocation tracking.

12. Doing physical checks and using a PI is another high-security method to check about a potential employee. Security clearance jobs will never tell you all the details of vetting a candidate. Still, for some jobs, a company might monitor a person for a while before even putting them to the next step of an interview process. This allows a company to have a physical check and behavior verification review. Another more straightforward method is to do a random audit using a physical mailed letter with signature tracking to verify their location. It can be timed for optimal verifications when used in conjunction with other checks.

Companies have plenty of options for identifying fake candidates. Businesses promoting remote work should be especially vigilant when protecting against new workarounds. Identity verification is one robust method that costs little compared to a full background check. It even filters out time-wasting bot submissions and other candidates who cannot make it to the offer stage. However, the key to staying ahead of fraudsters and other unethical candidates is to keep them on their toes with innovative solutions. Nothing you read here or find online should be your best defense, as it has been published widely. Instead, you need asymmetric information that gives you an advantage in uncovering fakes. There are entire communities, teams, and fraud groups working together either knowingly or unknowingly to gain jobs through illicit means. Companies don't have that advantage due to their siloed natures, so you have to outthink them with better solutions to make up for it. In review having an evolving strategy to handle these candidates will make the process secure and manageable for your company's future.