TL;DR: Fraudulent hiring attempts now combine stolen or synthetic identities, AI-generated resumes, deepfake interviews, and manipulated onboarding checks to slip past conventional screening, according to Incode. The core failure is that hiring controls still assume a candidate is a stable human identity, while attackers increasingly treat recruitment as an access path.
NHIMG editorial — based on content published by Incode: Anatomy of a Modern Candidate Fraud Attempt
By the numbers:
- Nearly 40 percent of real candidates now admit to using AI for parts of the hiring process.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks when hiring teams rely on candidate-provided identity evidence?
A: Hiring workflows break when they treat candidate-provided data as proof of personhood.
Q: Why do deepfake interviews create a broader IAM risk?
A: Deepfake interviews matter because they let attackers move a fake identity from application into trusted employee status.
Q: How do security teams know candidate verification is actually working?
A: Look for whether a candidate can advance without independent identity proof, whether proxy actors can still pass interviews, and whether onboarding is separated from access issuance.
Practitioner guidance
- Tighten candidate identity proofing before offer stage Require stronger evidence binding the applicant to a real person before any hiring decision advances to onboarding.
- Separate screening confidence from access readiness Do not let a passed interview or completed background check automatically trigger account creation, laptop shipment, or VPN access.
- Add onboarding controls for proxy and co-conspirator risk Treat remote workers, one-way interviews, and geographically inconsistent profiles as higher-risk cases.
What's in the full article
Incode's full article covers the operational detail this post intentionally leaves for the source:
- The end-to-end candidate fraud examples, including fake profiles, proxy actors, and deepfake interview tactics.
- The hiring pipeline breakdown showing where screening, background checks, and onboarding fail in practice.
- The excerpt from Incode's e-book on securing hiring against deepfakes and identity fraud.
- The vendor's broader candidate verification context for workforce identity teams that need implementation detail.
👉 Read Incode's analysis of modern candidate fraud in AI-driven hiring →
Candidate fraud in hiring pipelines: what identity teams need to know?
Explore further
Candidate fraud is an identity assurance failure before it is a hiring failure. The article shows that once a synthetic or stolen persona reaches screening, the organisation is already validating attacker-controlled evidence. That means recruitment workflows are no longer just people processes, they are pre-access identity controls. The practitioner conclusion is that workforce governance must start at the point of candidate proofing, not at the point of account creation.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, showing how often governance breaks at the execution layer.
A question worth separating out:
Q: Who is accountable when a fake hire receives internal access?
A: Accountability spans HR, identity governance, and security operations because each function influences whether a candidate becomes a trusted account. If a fake hire receives access, the failure is usually a lifecycle problem, not a single missed check. The right control boundary is identity proofing before provisioning, plus ongoing attestation after onboarding.
👉 Read our full editorial: Anatomy of modern candidate fraud in AI-driven hiring