Hiring the Enemy: When Job Scams Target Companies and Consumers Alike

Over the past few months, Socure has found itself squarely in the crosshairs of a new wave of employment fraud—and we’re not alone.

We’ve seen fake candidates applying to work at Socure, using stolen or synthetic identities and AI-polished resumes. What at first appeared to be isolated incidents quickly revealed themselves as part of a broader, coordinated campaign—one that is targeting U.S. businesses and our customers in nearly every vertical, including crypto, gaming, and marketplaces.

In April 2025, HR Grapevine reported that hundreds of North Korean IT operatives have successfully infiltrated U.S. companies, including some in the Fortune 500, by posing as remote software engineers. U.S. intelligence officials estimate these operatives have earned tens of millions in disguised wages—funds believed to be funneled back into North Korea’s sanctioned weapons programs. Beyond financial gain, it is believed that some operatives are aiming to gain access to sensitive codebases and customer systems to steal IP and trade secrets, while others are seeking consumer data to leverage in further attacks.

These actors often disguise themselves as freelancers from South Korea, Japan, or Latin American countries and arm themselves with fake LinkedIn profiles, stolen or borrowed identities, and AI-enhanced credentials. Often they are dependent on U.S. citizens or residents who act as accomplices by establishing bank accounts to receive payroll, and then sending money abroad. This phenomenon is an insidious intersection of fraud, money laundering and sanctions violations.

A May 2025 report from SHRM echoes these concerns, highlighting a sharp rise in employment fraud, especially in remote roles across tech, finance, and defense contracting.

What we’re seeing is a foundational vulnerability: the lack of standardized identity verification in hiring, which is enabling sophisticated fraudsters to bypass existing controls. The U.S. hiring ecosystem is dangerously behind the curve. At Socure, we’re sharing what we’ve learned to help employers stay ahead of this growing threat.

Because without stronger identity defenses, we’re all hiring blind.

Socure vs. Fake Job Applicants

Socure’s own experience makes this problem very real. Our internal recruiters and hiring managers began noticing unsettling trends a few months ago in our applicant pool—particularly for senior engineering roles. What started as a trickle of too-perfect resumes quickly evolved into a deeper concern that aligns closely with warnings from federal law enforcement and investigative reporting.

We discovered that several job applicants were entirely fabricated. They did not exist.

To make sure that the candidates were indeed fake, our Fraud Investigation team compared identity attributes from these suspicious resumes against our proprietary identity graph and third-party investigative tools. We also ran our Email and Phone RiskScores to check the viability and correlation of the contact information on the applicants’ resumes.

The results were striking.

As you can see in the graph above, the Email and Phone RiskScores for ‘good’ applicants were much less risky when compared to the fake applicant population. Specifically, ‘good’ candidates had mature emails with an average of 1,646 days since the email was first seen in the Socure ecosystem vs. 48 days for fake employees. Additionally, correlation of phone ownership to name was much weaker for fake applications –.09 vs .99 for ‘good’ candidates (range of score is .00 to .99, with the lowest being the least likely that the phone is owned by the individual).

These would not just be risky hires—they are potential national security threats.

Spotting the Red Flags Early

Patterns of deception don’t start during the interview—they emerge in the application process, and are seen in online social networks. Common signals in these fraudulent profiles include:

• Resumes loaded with big-brand employers (Google, Amazon, Netflix)
• Western names like “James Bailey” paired with East Asian appearance and accented English in much higher numbers than would match demographics that fit this combination
• Aggressive interest in remote-only roles (candidates will share that their current employer is requiring back to the office – the driver of why they are seeking a new role)
• Sparse LinkedIn activity, often with a single post and minimal connections
• Profiles that disappear mid-hiring process as LinkedIn shuts them down
• Shared patterns across resumes, including impressive educational backgrounds such as Harvard and Carnegie Mellon, suggesting AI-generated content

But making decisions based off of an unusually great resume combined with a shallow LinkedIn profile isn’t exactly scientific and could result in blindspots and great candidates missed.

That’s where data-driven analytics come into play.

Seeking Risk Indicators Behind the Surface

Even the basic contact information on a resume—email, phone number, and name—can reveal powerful signals. With passive verification using Socure’s Email, Phone and Address RiskScores and Correlation Values, you can analyze these identity elements with high precision, enabling organizations to detect anomalies and flag suspicious or synthetic identities early in the hiring process without causing user friction.

This alone helps eliminate unnecessary costs tied to interviewing candidates who don’t ultimately get an offer – estimated at approximately $800 to $1,000 per applicant at Socure. It also prevents lost productivity and time spent recruiting high-impact candidates.

Once an applicant is accepted into the interview process and connects to your internal HR platform, with identity verification solutions integrated, like Socure’s Device Intelligence, you immediately have a view of their device which builds a story of risk around location and additional historic behavior begins to reveal itself. When the applicant then submits additional personal information—such as their home address, Social Security number, and date of birth—Socure can apply advanced passive risk scoring tools like Sigma Identity and Sigma Synthetic. These scores enable recruiters and hiring managers to assess, behind the scenes, whether the applicant is using a completely fabricated identity or attempting to pass off a stolen one. Those that are most risky should be subjected to some form of friction and additional validation. Socure’s DocV, which validates 1,000s of government documents and analyzes live selfies, is the type of step up authentication that should be used.

Scripted Interviews, Synthetic Responses

Even with great passive verification tools running, there are telltale signs to look out for during the interview process – ones we documented live during actual interviews.

Candidates who sail through initial questions often stumble on follow-ups. They read answers out loud, clearly generated by AI. Some even repeat ChatGPT responses nearly word-for-word.

They struggle with:

• Contextual or situational questions
• Multi-part problem-solving
• Adapting when the interviewer changes direction
• Questions related to where they live

In one case, a Socure interviewer had tested a technical prompt in ChatGPT before the call. The candidate’s response matched it exactly.

Meet “Anthony” – A Real-World Example

To illustrate how this type of fraud plays out in practice, consider a candidate we encountered—let’s call him “Anthony.” He had a polished resume, a LinkedIn profile, and all the surface markers of legitimacy. But as we examined his application more closely, several red flags began to emerge.

“Anthony’s” LinkedIn profile featured an “Open to Work” banner and a resume filled with impressive credentials. However, his profile had minimal engagement—few posts, limited connections—and many of the indicators outlined earlier were present. Our internal Fraud Investigation team, supported by Socure RiskScores and correlation analysis, flagged the application as likely fraudulent. We decided to invite “Anthony” to a video interview.

To our surprise, he agreed.

On camera, “Anthony” came across as articulate, personable, and well-prepared. He had clearly studied the technical details of the roles he claimed to have held. But his answers closely mirrored AI-generated responses—often sounding like something produced by ChatGPT—and he paused noticeably before replying to each question. At times, he shifted his eyes left to right during his responses, like he is reading a script. Despite having a surname with Italian or Catalan roots, his accent was clearly North Korean.

But here’s the biggest giveaway – we ran a specific question – Have you worked with sensitive PII and how do you protect that data? – through ChatGPT before the interview.

Below you can see the striking likeness in response:

We scheduled a follow-up interview and at the end of the session sent “Anthony” a Socure DocV request for document verification and a live selfie. He never completed the verification, nor did he attend the second interview. However, he did click the verification link, allowing us to capture valuable device intelligence.

While his stated location was Staten Island, New York, the IP address used to access the link originated from a New York-based data center VPN, suggesting the activity could have come from anywhere in the world. It’s worth noting that when Anthony was randomly asked about how he felt about Staten Island vs living in Brooklyn, he tried to evade the answer.

To date, “Anthony” has not responded to multiple follow-up requests.

Why This Threat Is Different

Identity fraud in hiring used to be rare—and usually caught during background checks or I-9 verifications. But in a remote-first world, we rarely meet the person behind the resume. Today, AI allows bad actors to fake credentials, photos, documents, and even live interviews at scale.

And legacy hiring systems weren’t built to catch this. I-9 verification confirms document format, not identity. E-Verify checks SSN, DOB and Name validity, not ownership. Background checks assume the identity is real in the first place.

What Employers Should Do

This isn’t just about hiring the wrong person. It’s about risking exposure to hostile nation-state actors, data exfiltration, and regulatory liability.

If your company hires remotely—or grants employees access to sensitive systems or consumer data—here’s what we recommend:

• Train recruiters and hiring managers to spot the red flags: mismatched names and accents, AI-heavy interview answers, LinkedIn profiles with no engagement.
  
• Incorporate real-time behavioral interviews that go beyond static questions.
  
• Verify LinkedIn and resume claims via third-party validation or referrals.
  
• Flag and investigate applicants with no verifiable work history or social footprint, especially in senior-level roles.
• Use identity and device verification tools—not just I-9 and background checks, but solutions designed to catch synthetic identities and identity theft, and identify where they are attacking you from. Passively assess risk as you go and only step-up those potentially fake candidates to document and selfie checks.

Consider options to integrate identity verification workflows into your existing HR platforms for a more frictionless experience which also creates an opportunity to pick up information related to the applicant’s device, which will help you understand what location they are actually coming to you from. BTW … this would also identify the insidious US based computer farms managed by US accomplices that help to enable attacks from outside the country.

We know how important it is to not add friction to great candidates in the hiring process. Socure is in a very competitive employment market and we want to make sure we hire the best candidates (who also happen to be real). It’s important that we don’t make the onboarding process difficult, especially in the initial reach out to new potentially great candidates.

We believe the best process is to use “passive authentication” of job candidates early on. Passive authentication is a fraud detection process deployed by sophisticated financial services organizations for years. As mentioned earlier, we have seen that our RiskScores can do a great job of separating “fake” from “real” candidates using just the information found on every job applicant’s resume – their name, email, and phone number.

By analyzing this simple information quickly and behind-the-scenes, your recruitment team and hiring managers can cut the time they waste on fake applicants, and ensure only friction and ask for additional validation of only those candidates that are much more likely to be fake. Additional “step up” authentication should include automated digital validation of a government document, like a passport or US drivers license and a live selfie, which can help to identify any deepfakes or camera injection attacks.

Identity Is the New Perimeter

In cybersecurity, we used to say the firewall was the first line of defense. In hiring, identity now plays that role.

Bad actors are using AI, stolen data, and deepfakes to gain access to companies and exploit consumers. It’s time we adapt with the same level of sophistication. Identity must be verified as early as possible—quietly, passively, and precisely.

We can’t stop every fake applicant from applying. But with the right defenses, we can stop them from getting in.