Fake worker scams: the latest online fraud epidemic

Beware the Trojan horse

As Aarti points out, defending against deepfake fraud is becoming something of a game of whack-a-mole, with new techniques popping up as quickly as existing ones are addressed. Organizations are increasingly aware of the need to use know your customer (KYC) measures such as high-quality identity verification identity verification to ensure that clients are who they say they are and keep fraudsters at bay. But what happens when the enemy is actually inside the gates, without you knowing?

One rapidly rising form of online fraud that’s only just starting to get attention is the fake worker scam. The rise of remote working has created opportunities for criminals, who can potentially get work at a business more easily through legitimate routes. Once inside they then use their insider status to commit fraud.

Exploiting your vulnerabilities

“Deepfake fraud designers  know that security teams are on high alert,” comments Aarti. “So, they’re not necessarily targeting the security team where the defenses are strongest. They are targeting peripheral teams such as the CTO and HR offices in an organization.”

At the same time, small-and medium-sized businesses (SMBs) are being used as a gateway to get inside larger enterprises.

“I was speaking to a company just two days ago, a six people company based in the United States,” comments Aarti. “They have some very high-profile clients, and they have become a target of deepfake fraud from ‘IT workers’ wanting to reach the clients they’re serving.”

“If you're an SMB, what do you have?” comments Aarti. “Well, you have a bank account, you have customers. You have data and you probably have some sensitive information about your customers. So already you have assets of value that the attacker might want. If you're in regulated industries, the value of those assets is much higher. And therefore, it's worthwhile them investing more time in creating a very well-designed fraud.”

Smaller businesses tend to be less aware of the issue and have fewer resources to invest in security. Criminals therefore often see them as a ‘sandbox’ where they can test attack vectors before using them to target larger enterprises.

How does it work?

Fake worker scams start on the platforms where jobs are advertised. Fraudsters create profiles with all the right qualifications and experience. Other members of the team are responsible for job applications; this is a numbers game, with criminals applying for thousands of jobs. Often enough, a well-constructed CV can get past a recruiter, who is unlikely to be actively looking for fraudulent applications.

“They don't often do a cross-check of the information,” says Aarti. “They might look at the resume, they might do a superficial search online to see that the resume corroborates with other information that's out there, but they don't necessarily do a reverse check of the picture, for example.

For remote work, if a candidate is successful at the CV review stage, the next step is usually an online video interview. At this point, the interviewee will use deepfake video technology to change their appearance.

“The tech is so good that unless you’re forensically looking for signs of blurriness, etcetera, you can't really tell that this is not a real face,” comments Aarti. 

If the candidate gets through the interview process, the next stage is identity verification. As well as fake documents, which are available cheaply on the dark web, deepfake technology can then once again be used to trick less sophisticated identity verification processes. The criminal has now become your employee…

Spotting the signs

Given the dangers presented by having a malicious actor inside your organization, fake worker scams should be high on the cybersecurity agenda for any business. To combat the issue, it’s vital to treat authentication as an integral part of the recruitment process. Here are a few tips that can help you stop fake worker fraudsters in their tracks.

• Check CVs not just for competency but for authenticity – do qualifications and experience seem coherent both in themselves and with the candidate’s age, nationality, location, etc.?
• Review the candidate’s LinkedIn profile (if they have one), looking out for similar inconsistencies – what is your level of confidence that this person is a genuine applicant?
• Any reluctance to get on camera is a red flag – we can all suffer from network issues, but is missing or poor-quality video being used to mask the use of deepfake tech?
• Look out for candidates employing a ‘copilot’ – if an interviewee appears to be reading responses to a question, this can be a strong telltale sign that they are working with a team
• Ask softer questions to help validate information provided in an application for authenticity – use your own knowledge of companies, academic institutions etc. to ‘sense check’ answers
• Use high-quality identity verification software to authenticate a successful candidate, verifying them not just as human but also as being who they say they are