Workplace

You just hired a deepfake. Get ready for the rise of imposter employees.

New technology — plus the pandemic remote work trend — is helping fraudsters use someone else’s identity to get a job.

Man wearing mask

Not all job applicants are who they claim to be.

Illustration: z_wei/iStock/Getty Images Plus; Protocol

Mike Elgan is a journalist, opinion columnist and author.

Before COVID-19, job interviews took place in person and new hires worked in the office, for the most part.

But with remote work came an increase in remote hiring, from the job application to onboarding and everything in between. Many employees have never been in the same room as their employers and co-workers, and that has opened the door for a rise in imposter employees.

The FBI is concerned; you should be too.

Lies, spies and deepfake video

Companies have been increasingly complaining to the FBI about prospective employees using real-time deepfake video and deepfake audio for remote interviews, along with personally identifiable information (PII), to land jobs at American companies.

One place they’re likely getting the PII is through posting fake job openings, which enables them to harvest job candidate information, resumes and more, according to the FBI.

Deepfake video sounds advanced. But shady job candidates don’t need exotic or expensive hardware or software to impersonate someone on a live video call — only a photo of the fake person. Consumer products like Xpression Camera enable fraudsters to upload someone’s picture and use their face during a live video interview.

The FBI points out that such deepfake video calls often fail, as the “actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking.”

In other words, dishonest job applicants would like to take advantage of deepfake technology for remote hiring, but the technology isn’t there yet. But soon the technology will be so good that deepfake audio and video will look just like the real thing.

And it’s not just deepfake video: You can clone someone’s voice with just a short audio sample and a publicly available tool on GitHub. It’s unlikely that a cybercriminal would get a job using deepfake audio clone, but attackers can (and do) use cloned human voices for workplace phishing attacks.

What imposters want

The main drivers appear to be money, espionage, access to company systems and unearned career advancement.

Many of the job openings sought by these imposters include “information technology and computer programming, database, and software related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information,” according to a June 28 posted alert by the FBI’s Internet Crime Complaint Center. The perfect jobs for spies.

Some imposter candidates actually work for the North Korean government, according to a statement by the FBI and the U.S. State and Treasury Departments. Because of U.S. sanctions, North Koreans are ineligible for jobs at American companies. (Companies that employ North Koreans can be fined roughly $330,000 per violation.) So the North Korean government lets people apply and work as imposters in exchange for taking most of their salaries, or North Korean spies get jobs under false identities in order to steal secrets. Some North Koreans used their real identities, but claimed they were outside North Korea.

The problem of imposter employees exists on a scale from exaggerating experience to lying about credentials and personal details to faking experience to claiming to be an entirely different person. And every facet is growing in scale.

Glider AI’s “The Future of Candidate Evaluation” report found that what they call “candidate fraud” has nearly doubled — a 92% increase — since before the pandemic.

In addition to the imposter employee frauds already reported, it’s easy to imagine other scams that take advantage of new technology and remote work.

Malicious cyberattackers could get hired under stolen credentials in order to gain unauthorized access to sensitive data or systems inside companies. A skilled hacker may actually have the IT skills to get the job, and doing so may prove to be a relatively easy act of social engineering.

The bottom line is that our old habits for verifying employees — namely, interacting with them and recognizing who they are — are increasingly unreliable in the face of remote work and new technology that enables people to fake their appearance, voice and identity.

How to avoid hiring imposters

Remote work is here to stay. And it’s time to revisit and revamp hiring. Here are some tips to bear in mind when hiring.

  • Include real identity verification before hiring, and make sure identity matches background screening. (Don’t assume your background provider is verifying identity.)
  • Asking for a driver’s license or passport can lead to a discrimination lawsuit if the candidate isn’t hired — they can claim discrimination based on age, health or country of birth. Request this information only after you’re certain you’ll hire.
  • Know the law in the state you’re in to find out what’s allowed in terms of biometric data collection.
  • If you’re doing background checks and identity verification on remote hires, do the same for in-office hires to avoid discrimination.
  • Consider abandoning all-remote hiring in favor of in-person interviews, even for remote staff. And bring in remote staff for in-house team building quarterly or annually.
  • Rely more on skills assessment and testing for technical positions rather than resume-based claims of experience, certifications and education. Verify identities at the point of testing and follow up on test results with a post-test interview. Imposters are likely to seek employment elsewhere if they have to prove their qualifications.
  • Take extra care with the hiring of IT people and others who will gain access to email systems, passwords, business secrets, physical security systems and other juicy targets for cyberattack. Do thorough background checks and criminal records checks and verify identity throughout the hiring and onboarding process.
  • Embrace AI fraud detection to evaluate resumes and job candidates. Fraud detection has been used for years in banking, insurance and other fields, and is slowly being applied to hiring.

The new world of remote work calls for a new approach to hiring. It’s time to rethink your HR practices to make sure the people you’re hiring and employing are who they say they are — and not imposters.

Policy

Steel decided World War II. Chips will decide whatever is next.

“Chip War: The Fight for the World’s Most Critical Technology” foreshadows the coming battle between nations over semiconductors.

“Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies.

Image: Scribner; Protocol

“World War II was decided by steel and aluminum, and followed shortly thereafter by the Cold War, which was defined by atomic weapons,” Chris Miller, a professor at Tufts University’s Fletcher School of Law and Diplomacy, writes in the introduction to his latest book. So what’s next? According to Miller, the next era, including the rivalry between the U.S. and China, is all about computing power.

That tech rivalry and the story of how the chip industry got from four to 11.8 billion transistors are all part of Miller’s book, “Chip War: The Fight for the World’s Most Critical Technology,” which comes out Oct. 4. “Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies: three from the U.S., one from Japan, and one from the Netherlands.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.
Policy

Musk’s texts reveal what tech’s most powerful people really want

From Jack Dorsey to Joe Rogan, Musk’s texts are chock-full of überpowerful people, bending a knee to Twitter’s once and (still maybe?) future king.

“Maybe Oprah would be interested in joining the Twitter board if my bid succeeds,” one text reads.

Photo illustration: Patrick Pleul/picture alliance via Getty Images; Protocol

Elon Musk’s text inbox is a rarefied space. It’s a place where tech’s wealthiest casually commit to spending billions of dollars with little more than a thumbs-up emoji and trade tips on how to rewrite the rules for how hundreds of millions of people around the world communicate.

Now, Musk’s ongoing legal battle with Twitter is giving the rest of us a fleeting glimpse into that world. The collection of Musk’s private texts that was made public this week is chock-full of tech power brokers. While the messages are meant to reveal something about Musk’s motivations — and they do — they also say a lot about how things get done and deals get made among some of the most powerful people in the world.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.

Fintech

Circle’s CEO: This is not the time to ‘go crazy’

Jeremy Allaire is leading the stablecoin powerhouse in a time of heightened regulation.

“It’s a complex environment. So every CEO and every board has to be a little bit cautious, because there’s a lot of uncertainty,” Circle CEO Jeremy Allaire told Protocol at Converge22.

Photo: Circle

Sitting solo on a San Francisco stage, Circle CEO Jeremy Allaire asked tennis superstar Serena Williams what it’s like to face “unrelenting skepticism.”

“What do you do when someone says you can’t do this?” Allaire asked the athlete turned VC, who was beaming into Circle’s Converge22 convention by video.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.

Enterprise

Is Salesforce still a growth company? Investors are skeptical

Salesforce is betting that customer data platform Genie and new Slack features can push the company to $50 billion in revenue by 2026. But investors are skeptical about the company’s ability to deliver.

Photo: Marlena Sloss/Bloomberg via Getty Images

Salesforce has long been enterprise tech’s golden child. The company said everything customers wanted to hear and did everything investors wanted to see: It produced robust, consistent growth from groundbreaking products combined with an aggressive M&A strategy and a cherished culture, all operating under the helm of a bombastic, but respected, CEO and team of well-coiffed executives.

Dreamforce is the embodiment of that success. Every year, alongside frustrating San Francisco residents, the over-the-top celebration serves as a battle cry to the enterprise software industry, reminding everyone that Marc Benioff’s mighty fiefdom is poised to expand even deeper into your corporate IT stack.

Keep Reading Show less
Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at JoeWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.

Latest Stories
Bulletins