When you’re having a bad day, just remember—it could be worse. You could’ve hired a North Korean government operative posing as an American tech worker.
It might sound dramatic, but it’s a real concern for today’s employers. These operatives use stolen or fake identities and AI-generated documents to infiltrate U.S. companies through remote roles.
OpenAI has banned accounts linked to this activity, and cybersecurity firms continue issuing alerts. However, the headlines haven’t disappeared, and neither has the threat. And the consequences are anything but subtle.
The scheme works like this: North Korean operatives obtain legitimate jobs at Western organizations and funnel their earnings to the country’s regime, including its weapons programs. Some operatives have even accessed sensitive data from U.S. defense contractors.
Companies risk serious legal consequences if they unknowingly hire sanctioned individuals or enable unauthorized access to sensitive systems. It is HR teams—not IT or security—that actually serve as the first line of defense.
Knowing what to watch for is key. While there’s rarely a single red flag, there are telltale patterns. Spotting fraudulent candidates early can prevent a high-risk hire before they ever log in.
Red flag #1: Inconsistent digital footprints
Generative AI enables bad actors to pose as qualified candidates. With just a few prompts, they can spin up polished resumes, tailored cover letters and even realistic headshots blending real and stock imagery.
A closer look often reveals inconsistencies. Job titles, employment dates or company names might not align across a candidate’s resume, LinkedIn profile and other materials.
What to do: Cross-reference application materials with public profiles to spot discrepancies in dates, titles or company details. Validate work history through official channels, such as direct outreach to former employers or third-party verification services.
During interviews, ask candidates to confirm their name and walk through their work history to validate details. Avoid relying solely on candidate-provided references and confirm that listed companies and contact details are legitimate.
Red flag #2: Recycled contact information
Some applications reuse the same phone numbers, Voice over Internet Protocol (VoIP) lines or email addresses across multiple candidate profiles. Repetition can signal a coordinated effort by individuals tied to a broader, state-sponsored operation.
In some cases, candidates may list one another as professional references or even fabricate entire companies to legitimize their backstories. These patterns can be difficult to detect without reviewing applications side by side, highlighting the importance of HR documentation and recordkeeping.
What to do: Require verifiable proof of identity and a secondary document, like an employment verification letter or government-issued ID, to cross-check with application materials. Use applicant tracking systems or internal processes to keep a record of candidates’ contact details and more easily spot recycled contact information.
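For teams that can export applicant records, the side-by-side comparison described above can be automated. The sketch below is an added example, not part of the original article or any ATS product: the record layout, field names and sample applications are constructed assumptions. It normalizes emails and phone numbers, then reports any contact value that appears in more than one application, including a candidate's own address showing up as another candidate's reference.

```python
import re
from collections import defaultdict

# Constructed sample applications; field names are assumptions, not a real ATS schema.
APPLICATIONS = [
    {"id": "A-101", "email": "dev.one@example.com",
     "phone": "+1 (555) 010-0142", "references": ["lead.two@example.net"]},
    {"id": "A-102", "email": "Lead.Two+jobs@example.net",
     "phone": "555.010.0142", "references": ["dev.one@example.com"]},
    {"id": "A-103", "email": "unrelated@example.org",
     "phone": "555-010-0177", "references": ["manager@example.org"]},
]

def norm_email(addr):
    """Lower-case and drop any +tag so trivial variants compare equal (heuristic)."""
    local, _, domain = addr.strip().lower().partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"

def norm_phone(number):
    """Keep digits only; drop a leading NANP country code (1)."""
    digits = re.sub(r"\D", "", number)
    return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits

def find_reuse(applications):
    """Return contact values that appear in more than one application.

    Result maps (kind, value) -> sorted list of (application id, role),
    where role is "own" or "reference".
    """
    seen = defaultdict(set)
    for app in applications:
        seen[("email", norm_email(app["email"]))].add((app["id"], "own"))
        seen[("phone", norm_phone(app["phone"]))].add((app["id"], "own"))
        for ref in app.get("references", []):
            seen[("email", norm_email(ref))].add((app["id"], "reference"))
    return {
        key: sorted(uses)
        for key, uses in seen.items()
        if len({app_id for app_id, _ in uses}) > 1
    }

if __name__ == "__main__":
    for (kind, value), uses in sorted(find_reuse(APPLICATIONS).items()):
        print(kind, value, uses)
```

A match is a prompt for manual review rather than proof of fraud: shared numbers also occur with staffing agencies, family members and legitimate mutual references.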
Red flag #3: Reluctance to show real environments
Blurred or virtual backgrounds are common in remote interviews. However, if a candidate refuses to appear on camera or is consistently evasive, it may be an effort to obscure their surroundings. Background noise, like call center chatter or a crowded environment, can also suggest the individual isn’t working from their claimed location.
What to do: Prioritize live video interviews whenever possible and pay attention to environmental context. Post-hire, ensure company devices are equipped with antivirus and endpoint detection and response (EDR) tools to flag suspicious behaviors, such as logins from unexpected locations or signs of third-party access.
Red flag #4: Lack of local awareness or familiarity
Casual conversation at the start of an interview can serve a purpose beyond breaking the ice. If a candidate claims to be based in a specific location but struggles to reference local context, such as time of day, weather or regional norms, it may suggest they aren’t where they say they are.
What to do: Use informal conversation to gauge whether a candidate’s location aligns with their claims. This isn’t about catching anyone in a “gotcha” moment, but listening for context clues that support (or contradict) their stated location. Keep in mind that legitimate factors like a recent relocation can explain gaps in familiarity, so evaluate alongside other signals.
Red flag #5: Pressure to move quickly or avoid verification
There’s a difference between a candidate who’s eager about advancing in the hiring process and one who’s rushing to avoid scrutiny. Pay attention if someone asks to skip steps in the standard process, delays sending documents or pushes to rely solely on unverifiable documents.
What to do: Stick to a standardized hiring process—with no exceptions. Always verify identities and documentation before extending an offer, even if a candidate presses to move quickly. Consistency and thoroughness are your best defenses against urgency-based tactics.
Red flag #6: Unusual equipment and logistics requests
Some candidates may ask to use personal laptops to bypass corporate security protocols or request last-minute changes to shipping addresses. Once hired, they might also repeatedly alter direct deposit details. These behaviors can reduce visibility and complicate oversight once someone is in the system.
What to do: Require employees to use company-issued devices with standard security and compliance controls. Investigate any unexpected changes to delivery addresses and confirm their legitimacy. Post-hire, flag abrupt or repeated updates to payroll information and confirm changes through a secure, internal process to prevent redirection of funds.
Smart hiring starts with consistent practices
You don’t have to be a cybersecurity expert to help protect your organization. These red flags aren’t meant to spark panic. Instead, they serve as layered signals that can point to a larger pattern of suspicious activity.
While a single inconsistency or unusual request may not be cause for concern, hiring teams equipped with the proper knowledge and foresight can identify fraudulent applicants sooner.
Follow standardized hiring protocols, no matter how strong a candidate appears on paper. By grounding processes in consistency and verifying details through trusted sources, HR is an invaluable first line of defense.
You’re not sounding the alarm. You’re doing what hiring teams do best: following processes, staying consistent and putting safeguards in place that do the heavy lifting from the start.



















