Imposters at the Gate: Spotting Remote Employment Fraud Before It Crosses the Wire

Have you ever sat in an interview and felt that something wasn't quite right? Your intuition may have been closer to the truth than you realized.

A new kind of adversary has emerged, and they aren’t trying to break through your firewall; instead, they are logging in through your VPN using their freshly issued business credentials.

Welcome to the rapidly emerging threat of Remote Employment Fraud (REF)—where threat actors masquerade as remote applicants, land actual jobs, and integrate themselves within your organization and your environment, often before security even knows their name.

What Is REF, and Who Are the Key Players

REF occurs when threat actors, working alone or as part of an organized group, illegally obtain remote positions, particularly in high-demand sectors such as IT, engineering, or finance. These aren’t ‘resume inflators’; REF actors often leverage knowledgeable stand-ins or proxies to successfully pass them through the interview process undetected. Organizational blind spots and a lack of preparedness can allow these actors to slip through the security cracks.

You may wonder who these actors are and what the end game is. While many high-profile cases have been linked back to North Korea, this tactic has gone global, with additional campaigns emerging from the Middle East, Africa, and Asia. Their goals may vary, but usually include one or more of these specific actions:

• Establish access for future network intrusions, which may result in extortion events
• IP theft
• Profit through paychecks and bonuses
• Generate income for sanctioned regimes

Pre-Hire Detection Matters

REF actors may be discoverable at various points in their cycle of activity, but the pre-hire phase is your earliest opportunity to shut down their operations before they gain a foothold.

This starts with taking a closer look at your organization’s hiring practices. Keep in mind that traditional hiring pipelines weren’t designed to detect adversarial behavior, and REF actors have learned to exploit this.

It is also essential to understand that most pre-hire REF indicators are behavioral, rather than technical. By contrast, technical indicators of REF activity tend to arise after a threat actor has been hired and begun generating a digital footprint within your security team’s visibility. That means your security team can’t do this alone—they need to work hand in hand with HR, talent acquisition, and hiring managers to spot early signs of fraud.

From Awareness to Action: Early Warning Signs of REF

The following are some of the most common indicators that a candidate might not be who they claim to be—and how you can start identifying them.

1. Digital Footprints That Don’t Match the Story

In a world where nearly every working professional has some kind of digital trail, REF actors often build their personas from scratch or stitch them together with bits from stolen identities. While a minimalist social media presence used to be a high fidelity indicator of a potential REF-controlled persona, REF actors are working hard to blend into the crowd by trying to legitimize their digital footprints. This may appear convincing at first glance, but upon closer inspection, the personas start to fall apart.

 What to look for:

• Suspicious LinkedIn profiles — especially ones with a long job history but a brand-new profile creation date (less than a year old)
• Watch for minimal work history, very few connections, or recruiter-heavy networks shared with other questionable profiles
• AI-generated or recycled profile photos
• GitHub accounts that appear active but are just forks of legitimate projects with no real contributions likely represent a quick attempt to manufacture credibility

Quick tip: Use reverse image search and AI image detectors to scrutinize profile pictures. Look up usernames across platforms. If the online presence feels unrealistic—or eerily disconnected from the resume—it’s worth investigating.

2. Resumes That Read Like an LLM-Derived Response

Generative AI makes it easy to polish a resume. However, that shine can potentially conceal a real security threat to your organization. The advancements and availability of generative AI tools have been reflected in their rapid adoption by REF actors looking to increase the appearance of authenticity for their personas.

Resume red flags include:

• Overly formal, vague language with no personal anecdotes
• Cut-and-paste job descriptions that lack specificity
• Identical formatting or phrasing across multiple applicants (sometimes threat actors will submit multiple resumes, upping their chances of being selected to the applicant pool)
• Skills or projects that sound fabricated or exaggerated

Investigation tip: Run suspicious resumes through AI content detectors to identify potential red flags. Scan your Applicant Tracking System (ATS) for patterns—same phrasing, same projects, same suspiciously polished bios. If it feels like copy and paste, it probably is.

3. Shady Communication Channels

REF actors often use VoIP numbers or burner emails to spoof a local presence.

What to check:

• Has the candidate provided a phone number associated with known VoIP services or disposable providers?
• Has the applicant’s provided email address appeared in other/past suspicious applications?
• Whether or not the email associated with the applicant’s VoIP number was recently created (with an email address with little-to-no public history as a potential red flag)

Helpful tools: IPQualityScore, NumLookup, Twilio Lookup APIs.

4. Forged or Borrowed Identity Documents

Many REF personas are built on doctored documents or stolen identities. Sometimes, it’s a partial truth mixed with fabrication. Sometimes, it’s a total fake.

Watch for:

• Reluctance to provide ID during video interviews
• Unwillingness to show ID and face on camera at the same time
• Poorly edited documents (e.g., poor image quality, blurry text, mismatched fonts, inconsistent addresses, etc.)

Real-time test: Consult with your HR and legal teams about the feasibility of requesting live video ID verification as part of your process. If approved, ask the candidate to present their ID on camera in real-time. If they stall, glitch, or abruptly end the call, that’s your cue to escalate the situation.

5. Unnatural Behavior During Interviews

Even with deepfakes and voice changers, most impersonations start to crack under pressure.

Signs to notice:

• Audio that lags or doesn’t sync with lip movement
• Eye movement that’s erratic, delayed, or too fixed
• Rehearsed answers that dodge real experience
• Short, stiff, or otherwise suspicious responses when asked to share common personal anecdotes (for example, their claimed location or recreational activities)
• Generic virtual backgrounds or actual backgrounds that don’t match time zones or location claims

On-the-fly validation: Ask a spontaneous question that requires a personal detail, such as, “Tell me about the last technical issue you helped resolve.” Look for hesitation, sudden silence, script flipping, or possible guidance coming from off-camera.

An example to consider: You're in a video interview, asking a technical question. The candidate freezes for a second, glances off to the side, starts typing, and suddenly comes back with a polished answer.

What you don’t see is the accomplice on the other screen—feeding them answers in real time through chat. It's like a silent tag team: one does the talking, the other does the thinking.

This kind of live coaching is more common than you'd expect in REF ops—and those off-camera glances? They may not be just due to nerves.

Security Is Ultimately Accountable, but REF is Everyone’s Responsibility

Security organizations are becoming increasingly aware of the complexities of REF, but the biggest challenge in mitigating the risk is often the lack of awareness outside security organizations, similar to traditional insider threats. Partnership with ‘people’ teams (HR, Talent Acquisition, people managers, etc) will ultimately determine success. Specific actions that security teams can take to establish these vital partnerships include:

• Training hiring teams (recruiting/talent acquisition, hiring managers) on behavioral red flags
• Creating internal escalation paths for suspect candidates for TA and HR
• Partnering with legal and HR to navigate the ethical and compliance minefield

This interdisciplinary collaboration isn’t optional—it’s essential. But success won’t come from one-off initiatives or isolated efforts. Defending against REF means operationalizing these partnerships into everyday workflows and processes that can adapt to this evolving threat. The organizations that get this right will not only react faster, they’ll build a lasting advantage.

Final Takeaway

REF threat actors are evolving quickly: rolling out new personas, more sophisticated backstories, and increasingly clever cover tools. Organizations must take a proactive and collaborative defense, or they are putting themselves at risk.

Coming up next: Behavioral detection offers the earliest window to disrupt REF operations–but timing is only part of the equation. Our upcoming blogs dive deeper into the technical indicators and forensic patterns that emerge when a fraudulent actor gains access, and explore how technical defenses can strengthen a resilient, multi-layered detection strategy.

We’ll also expand the lens: how close collaboration between security, talent acquisition, and legal teams isn’t just helpful, it's essential to success.

Stay with us— we’re just getting warmed up.

If you resonate with the content of this blog, please follow us so you don’t miss future posts in this series.