Authors: Carrie Aiken, Gretchen Lindlau, and Briana O’Rourke
CEP Magazine (December 2025)
For human resources and technology teams, the talent and recruitment landscape is already a challenging and competitive environment. Extensive steps are taken to ensure the right candidate is sourced to meet the needs of your team and the organization. For those actively recruiting for remote IT opportunities, a new compliance wrinkle has emerged. It requires a critical layer of awareness to avoid organizational risk, and it calls for expanding what background checks consider during onboarding and within the context of your compliance program requirements.
Offshore applicants using stolen U.S. work credentials, including individuals from the Democratic People’s Republic of Korea (North Korea), are infiltrating U.S. corporations to raise funds for various military and weapons programs and to carry out data extortion.[i] [ii] Both the Federal Bureau of Investigation and U.S. Department of Justice continue to issue alerts on the various schemes, which include identity theft and impersonation.[iii] There is also the potential for these individuals to hold healthcare, confidential, or proprietary data for ransom, which results in access and reputational exploitation.
Not only is North Korea sanctioned by the U.S. for business activity — which can result in Office of Foreign Assets Control conflicts and prohibited financial exchange — but this also raises complications involving regulations or contractual obligations pertaining to offshore data access limitations, the Health Insurance Portability and Accountability Act, and other regulatory frameworks (both domestic and abroad).
Preventing these individuals from infiltrating your organization is key. There are steps that can be taken to identify these individuals and reduce organizational risks. Through partnership between security, IT provisioning, compliance, and human resources teams, there may be opportunities within your organization to evaluate this risk and take prevention steps.
Monitor the timeline of job postings and applications
These individuals, posing as qualified applicants, often target aged job postings that offer the chance to work fully remotely. For a posting that has been visible for an extended period, résumés are often generated to align exactly with the requirements of the posted position. This is to give the appearance that the candidate has all the necessary experience to “save the day” and fill a long-vacant role. This gives the imposter an immediate advantage in the interview process. If your organization takes steps to refresh job postings, applicants will struggle to determine which positions have strong candidate pools versus those with stale ones, making it tougher to target hard-to-fill roles.
Résumé analysis
Résumés and experience from these candidates are presented in a way that appears “too good to be true,” with qualifications that align exactly with the position description. These individuals often utilize various tools and technologies to align the content of their listed experience to mirror the exact expectations of an open role. Not only may the contents of these résumés be falsified, but these applicants have also been found to be utilizing recycled résumés that can be found online and are in use by several individuals, containing the same experience, skill set, and work history, but under a different candidate name. Comparison across résumés and/or online searches can be helpful in uncovering this falsification.
Although experience is a key area of focus for those reviewing résumés, other résumé details raise further questions. These individuals often include false contact information, such as Voice over Internet Protocol phone numbers, nonexistent addresses, or educational degrees from institutions that do not offer the degree listed on the résumé. Candidates may also submit multiple résumés, with varying experience and work history, under a different email address with the same candidate’s name. By implementing controls or conducting a swift search in the organization’s applicant tracking system for the candidate’s name or variations, falsified applications may be more easily identified.
Visual confirmation
For additional verification, all candidates for these risk-prone positions are screened live via video. Evaluation is undertaken with scrutiny to assess background, disposition, and demographic alignment with the application. Although many of these applicants are prepared to be on camera, there are ways to remain vigilant during the screening itself. Often, there are details in the background of the video that may raise suspicions. Does the time of day correspond to the amount of sunshine coming through windows in the candidate’s background? Are you able to hear others present with the candidate guiding the interviewee? Are you able to hear others in the background conducting interviews while you are interviewing the candidate (often in a call-center-like environment)?
Not only can the applicant’s environment be a key source of warning signs, but visual facial expressions and body language can assist in determining if a candidate is being authentic during their interview. Candidates expect to be asked questions about their experience, education, and skill set during an interview. By finding a way to personalize questions, these individuals may struggle with a genuine reply. For example, if a candidate shares their attendance at a certain university or technical school, ask about their favorite restaurant near campus. If a candidate expresses that they live in a specific state, ask them how they enjoy the weather. These individuals are trained and prepared to answer questions specific to the applied role. Nontraditional questions may result in an unnatural delay or difficulty in forming a basic response because a response requires actual life experience in that environment.
Identity validation
Unfortunately, many of the identities that these applicants use are stolen and recycled. Traditionally, I-9 documentation is not collected until an offer has been extended and accepted. However, there are additional ways to remain vigilant prior to this compliance step.
Applicants using stolen identities may copy a qualified individual’s history and experience directly from their LinkedIn page. These résumés may mirror the work history and education of the targeted profile. If a headshot or photo is present on LinkedIn, you can verify the candidate’s identity during the video screening. If a photo is not present, further analysis of the profile can still be done. Evaluate factors such as the number of LinkedIn connections, posting activity, and follower interactions to assess the legitimacy of a candidate’s profile and identity.
If a candidate moves forward with onboarding, additional steps may be taken during the collection of I-9 documentation, including state licenses, work authorizations, and passports. These should be scrutinized for aberrancies, such as in format and in alignment with the résumé and application. All documentation should match the person who attended the interview.
Furthermore, as onboarding progresses, it is still critical to remain vigilant and monitor the mailing of candidate equipment. Individuals falsifying information may list an address on their résumé or state of residency that is confirmed during the interview process. However, when equipment is due to be shipped and delivered, the candidate may request that the delivery be redirected to a new domestic location without further context. This is an additional chance to confirm that the candidate resides in the state listed on their application and is actually the person who applied.
Final thoughts
If this risk is not already contemplated in your compliance program, there is ample opportunity to learn more from these law enforcement agencies and their advisories. Take the time to educate applicable staff on their roles, potential controls, and options for intervention. Use due diligence in working through your candidate pool for potential individuals who may fit this profile and determine your strategy to best protect your organization.
Takeaways
- The Federal Bureau of Investigation and U.S. Department of Justice continue to issue alerts on the various schemes countries like North Korea are using to funnel money and carry out data extortion.
- Applicants from sanctioned countries are applying for technology roles using stolen and reused credentials, making it challenging to discern who is a legitimate job applicant.
- Imposter candidates may use “save the day” tactics, such as having an ideal résumé for a niche position that has gone unfilled.
- Robust video interview processes, including inspection of the physical location from which the candidate is interviewing and asking complex interview questions, can help uncover undesirable applicants.
- Due diligence and controls can uncover discrepancies, such as schooling/major conflicts and invalid addresses. Last-minute changes in where an applicant asks to send a corporate laptop could be a sign of an imposter.