TL;DR: Gartner says one in four candidate profiles worldwide could be fake by 2028, while real cases such as KnowBe4 and suspected North Korean applicants at Amazon show how stolen identities and deepfakes can get through hiring controls, according to 1Kosmos. The governance gap starts before onboarding, where identity verification must move earlier than traditional HR and security checks.
NHIMG editorial — based on content published by 1Kosmos: Research from Gartner highlights employee onboarding as part of the attack surface
By the numbers:
- By 2028, one in four candidate profiles worldwide will be fake.
- Amazon blocked more than 1,800 suspected North Korean job applications between April 2024 and December 2025.
- KnowBe4 hired a North Korean threat actor who started loading malware within 25 minutes of receiving a company laptop.
Questions worth separating out
Q: What breaks when employee onboarding does not verify identity early enough?
A: When identity is not verified before credentials are issued, onboarding becomes an access pathway for impostors.
Q: Why do fake candidates create an IAM problem instead of only an HR problem?
A: Fake candidates create an IAM problem because the risk materialises when a false identity receives accounts, devices, and access rights.
Q: How can organisations detect onboarding fraud before access is granted?
A: Use layered verification that combines government document authentication, live biometric matching, and contextual risk signals from the application and interview process.
Practitioner guidance
- Move identity proofing into the hiring workflow: Require proof of identity at the offer or hire stage before credentials are issued, and do not rely on post-hire checks to catch impersonation after access has already been granted.
- Link HR and security approval paths: Define a shared process between CHRO and CISO teams so contextual risk signals, interview anomalies, and document verification results can block or escalate suspicious candidates.
- Extend insider-risk monitoring to new employees: Watch for abrupt location changes, unauthorised remote access tools, unusual login timing, and early signs of device abuse during the first period of access.
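A minimal sketch of the new-employee monitoring in the last item above, as an added example that is not code from 1Kosmos or Gartner. The event schema, the 30-day window, the tool list, the working hours and the travel-speed ceiling are all assumptions to tune locally.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed values, not from the source article. Timestamps are taken to be in
# the employee's declared local time zone.
WATCH_DAYS = 30                                   # "first period of access"
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe"}  # tools not approved by IT
WORK_HOURS = range(6, 22)                         # expected login hours
MAX_KMH = 900                                     # faster travel is implausible

def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def flag_new_hire_events(hire_dates, events):
    """Return (user, signal) findings for accounts still inside the watch window."""
    findings, last_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        hired = hire_dates.get(user)
        if hired is None or not (hired <= ts <= hired + timedelta(days=WATCH_DAYS)):
            continue  # only new employees are in scope for this check
        if ev["type"] == "process" and ev["image"].lower() in REMOTE_TOOLS:
            findings.append((user, "remote_access_tool"))
        elif ev["type"] == "login":
            if ts.hour not in WORK_HOURS:
                findings.append((user, "unusual_login_time"))
            prev = last_login.get(user)
            if prev:
                hours = max((ts - prev["ts"]).total_seconds() / 3600, 1 / 60)
                if km_between(prev["geo"], ev["geo"]) / hours > MAX_KMH:
                    findings.append((user, "abrupt_location_change"))
            last_login[user] = ev
    return findings

# Constructed sample data: one new hire and one long-tenured employee.
HIRES = {"newhire": datetime(2025, 3, 3), "veteran": datetime(2019, 1, 7)}
EVENTS = [
    {"user": "newhire", "type": "login", "ts": datetime(2025, 3, 3, 9, 0), "geo": (51.51, -0.13)},
    {"user": "newhire", "type": "process", "ts": datetime(2025, 3, 3, 9, 20), "image": "AnyDesk.exe"},
    {"user": "newhire", "type": "login", "ts": datetime(2025, 3, 3, 11, 0), "geo": (1.35, 103.82)},
    {"user": "newhire", "type": "login", "ts": datetime(2025, 3, 4, 3, 0), "geo": (1.35, 103.82)},
    {"user": "veteran", "type": "process", "ts": datetime(2025, 3, 3, 10, 0), "image": "anydesk.exe"},
]

if __name__ == "__main__":
    print(flag_new_hire_events(HIRES, EVENTS))
```

Findings like these are inputs to the shared HR and security escalation path, not verdicts; the long-tenured account is skipped only because this check is scoped to the watch window.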
What's in the full article
1Kosmos's full article covers the operational detail this post intentionally leaves for the source:
- How Gartner frames hire-phase identity verification as a minimum control point before credentials are issued
- Examples of the recruitment-stage safeguards the source recommends for interview, offer, and hire phases
- The specific fraud patterns seen in practice, including deepfake interviews, fabricated IDs, and remote facilitation
- The article's discussion of how CHRO and CISO teams can share responsibility for onboarding risk
Explore further
Employee onboarding has become an identity control point, not a back-office process. The article shows that the trust decision is happening before access issuance, which means recruitment and IAM are now coupled. Once the wrong person is hired, the security programme has already lost the first and most important verification step. Practitioners should treat hire-stage proofing as part of identity governance.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to the AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who should be accountable when a fraudulent hire gets access?
A: Accountability should sit jointly with HR and security leadership because the control failure spans recruitment, identity proofing, and access governance. The practical answer is a shared decision path for offer, hire, and access issuance, with clear escalation when identity assurance is incomplete.