Have you ever sat in an interview and felt that something wasn't quite right? Your intuition may have been closer to the truth than you realized.
A new kind of adversary has emerged, and they aren’t trying to break through your firewall; instead, they are logging in through your VPN using their freshly issued business credentials.
Welcome to the rapidly emerging threat of Remote Employment Fraud (REF)—where threat actors masquerade as remote applicants, land actual jobs, and integrate themselves within your organization and your environment, often before security even knows their name.
REF occurs when threat actors, working alone or as part of an organized group, illegally obtain remote positions, particularly in high-demand sectors such as IT, engineering, or finance. These aren’t ‘resume inflators’; REF actors often leverage knowledgeable stand-ins or proxies to get through the interview process undetected. Organizational blind spots and a lack of preparedness can allow these actors to slip through the security cracks.
You may wonder who these actors are and what the end game is. While many high-profile cases have been linked back to North Korea, this tactic has gone global, with additional campaigns emerging from the Middle East, Africa, and Asia. Their goals may vary, but usually include one or more of these specific actions:
REF actors may be discoverable at various points in their cycle of activity, but the pre-hire phase is your earliest opportunity to shut down their operations before they gain a foothold.
This starts with taking a closer look at your organization’s hiring practices. Keep in mind that traditional hiring pipelines weren’t designed to detect adversarial behavior, and REF actors have learned to exploit this.
It is also essential to understand that most pre-hire REF indicators are behavioral, rather than technical. By contrast, technical indicators of REF activity tend to arise after a threat actor has been hired and begun generating a digital footprint within your security team’s visibility. That means your security team can’t do this alone—they need to work hand in hand with HR, talent acquisition, and hiring managers to spot early signs of fraud.
The following are some of the most common indicators that a candidate might not be who they claim to be—and how you can start identifying them.
In a world where nearly every working professional has some kind of digital trail, REF actors often build their personas from scratch or stitch them together with bits from stolen identities. While a minimalist social media presence used to be a high-fidelity indicator of a potential REF-controlled persona, REF actors are working hard to blend into the crowd by trying to legitimize their digital footprints. This may appear convincing at first glance, but upon closer inspection, the personas start to fall apart.
What to look for:
Quick tip: Use reverse image search and AI image detectors to scrutinize profile pictures. Look up usernames across platforms. If the online presence feels unrealistic—or eerily disconnected from the resume—it’s worth investigating.
Generative AI makes it easy to polish a resume. However, that shine can potentially conceal a real security threat to your organization. The advancements and availability of generative AI tools have been reflected in their rapid adoption by REF actors looking to increase the appearance of authenticity for their personas.
Resume red flags include:
Investigation tip: Run suspicious resumes through AI content detectors to identify potential red flags. Scan your Applicant Tracking System (ATS) for patterns—same phrasing, same projects, same suspiciously polished bios. If it feels like copy and paste, it probably is.
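One way to run the ATS pattern scan described above, as an added example that is not from the original post: it compares resume text exported from an ATS using word shingles and an overlap score, so copy-pasted bios and project descriptions surface even when names and locations differ. The function names, candidate IDs, thresholds, and sample resumes are all constructed for illustration.

```python
import re
from itertools import combinations

def shingles(text, k=5):
    """Return the set of k-word shingles from lower-cased, punctuation-free text."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    if len(words) < k:
        return {" ".join(words)} if words else set()
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}

def overlap(a, b):
    """Overlap coefficient: shared shingles over the smaller set.
    Unlike Jaccard, it stays high when one resume reuses only part of another."""
    if not a or not b:
        return 0.0
    return len(a & b) / min(len(a), len(b))

def flag_similar_resumes(resumes, threshold=0.5, min_shared=5, k=5):
    """resumes: dict of candidate_id -> resume text.
    Returns (id_a, id_b, score, sample_shared_phrases), highest score first."""
    sets = {cid: shingles(text, k) for cid, text in resumes.items()}
    hits = []
    for a, b in combinations(sorted(sets), 2):
        shared = sets[a] & sets[b]
        score = overlap(sets[a], sets[b])
        # min_shared keeps very short resumes from matching on a single stock phrase
        if score >= threshold and len(shared) >= min_shared:
            hits.append((a, b, round(score, 2), sorted(shared)[:3]))
    return sorted(hits, key=lambda h: -h[2])

# Constructed sample data: two applicants share a bio, only the location differs.
SAMPLE = {
    "cand-001": "Senior full stack engineer with 8 years of experience building "
                "scalable microservices. Led migration of a legacy billing platform "
                "to Kubernetes, reducing deployment time by 60 percent. Based in Austin, Texas.",
    "cand-002": "Senior full stack engineer with 8 years of experience building "
                "scalable microservices. Led migration of a legacy billing platform "
                "to Kubernetes, reducing deployment time by 60 percent. Based in Denver, Colorado.",
    "cand-003": "Network administrator who maintained campus switches and firewalls "
                "for a regional hospital. Wrote Ansible playbooks for patching and ran "
                "the quarterly disaster recovery drills.",
}

if __name__ == "__main__":
    for a, b, score, phrases in flag_similar_resumes(SAMPLE):
        print(f"{a} <-> {b} overlap={score} e.g. {phrases[0]!r}")
```

A hit is a lead for human review alongside the other indicators, not a verdict: applicants who used the same template or staffing agency will also match.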
REF actors often use VoIP numbers or burner emails to spoof a local presence.
What to check:
Helpful tools: IPQualityScore, NumLookup, Twilio Lookup APIs.
Many REF personas are built on doctored documents or stolen identities. Sometimes, it’s a partial truth mixed with fabrication. Sometimes, it’s a total fake.
Watch for:
Real-time test: Consult with your HR and legal teams about the feasibility of requesting live video ID verification as part of your process. If approved, ask the candidate to present their ID on camera in real time. If they stall, glitch, or abruptly end the call, that’s your cue to escalate the situation.
Even with deepfakes and voice changers, most impersonations start to crack under pressure.
Signs to notice:
On-the-fly validation: Ask a spontaneous question that requires a personal detail, such as, “Tell me about the last technical issue you helped resolve.” Look for hesitation, sudden silence, script flipping, or possible guidance coming from off-camera.
An example to consider: You're in a video interview, asking a technical question. The candidate freezes for a second, glances off to the side, starts typing, and suddenly comes back with a polished answer.
What you don’t see is the accomplice on the other screen—feeding them answers in real time through chat. It's like a silent tag team: one does the talking, the other does the thinking.
This kind of live coaching is more common than you'd expect in REF ops—and those off-camera glances? They may not be just due to nerves.
Security organizations are becoming increasingly aware of the complexities of REF, but the biggest challenge in mitigating the risk is often the lack of awareness outside security organizations, similar to traditional insider threats. Partnership with ‘people’ teams (HR, Talent Acquisition, people managers, etc.) will ultimately determine success. Specific actions that security teams can take to establish these vital partnerships include:
This interdisciplinary collaboration isn’t optional—it’s essential. But success won’t come from one-off initiatives or isolated efforts. Defending against REF means operationalizing these partnerships into everyday workflows and processes that can adapt to this evolving threat. The organizations that get this right will not only react faster, they’ll build a lasting advantage.
REF threat actors are evolving quickly: rolling out new personas, more sophisticated backstories, and increasingly clever cover tools. Organizations must adopt a proactive and collaborative defense, or they are putting themselves at risk.
Coming up next: Behavioral detection offers the earliest window to disrupt REF operations–but timing is only part of the equation. Our upcoming blogs dive deeper into the technical indicators and forensic patterns that emerge when a fraudulent actor gains access, and explore how technical defenses can strengthen a resilient, multi-layered detection strategy.
We’ll also expand the lens: how close collaboration between security, talent acquisition, and legal teams isn’t just helpful, it's essential to success.
Stay with us—we’re just getting warmed up.
If you resonate with the content of this blog, please follow us so you don’t miss future posts in this series.