TL;DR: Hiring has become a cyber attack surface as fake candidates use AI-generated resumes, synthetic voices and deepfakes to enter organisations, according to Incode, while Gartner projects that by 2028 one in four job candidates could be fake. Traditional hiring controls assume the applicant is a real person, and that assumption is now breaking.
NHIMG editorial — based on content published by Incode: The New Threat Surface, how hiring became a vector for attack
By the numbers:
- By 2028, one in four job candidates will be fake, according to Gartner.
- A recently unsealed case showed one American facilitator helped support North Korean hires at over 300 different U.S. companies.
- One cybersecurity firm found 1,000+ job applications linked to the North Korean program, often for developer and engineering roles.
Questions worth separating out
Q: How should organisations prevent fake candidates from reaching onboarding?
A: Use layered verification before offer acceptance, especially for remote or privileged roles.
Q: Why does remote hiring increase insider risk?
A: Remote hiring removes the in-person cues that once exposed deception and replaces them with distributed trust decisions.
Q: What do security teams get wrong about candidate verification?
A: They often treat candidate verification as a one-time HR checklist rather than an identity assurance control that affects access, compliance, and insider risk.
Practitioner guidance
- Add identity assurance checkpoints to hiring workflows Require stronger verification before interviews, offers, or contractor onboarding when roles lead to sensitive systems.
- Link hiring decisions to IAM onboarding gates Do not allow account provisioning, payroll setup, or device access until candidate identity evidence is validated and recorded in a shared control workflow.
- Train recruiters on synthetic identity warning signs Teach hiring teams to look for mismatched video timing, unnatural facial movement, voice sync issues, and repeated identity inconsistencies across application artifacts.
What's in the full article
Incode's full post covers the operational detail this post intentionally leaves for the source:
- The article's examples of deepfake interview cues and how hiring teams can recognise them in practice.
- The North Korean remote-worker case detail, including how the scheme was organised across U.S. companies.
- The compliance and sanctions exposure that follows when a false candidate becomes a trusted worker.
- The e-book's recommended candidate-verification approach for building a more resilient hiring pipeline.
👉 Read Incode's analysis of hiring fraud, deepfakes, and identity risk →
Hiring fraud and deepfakes: what IAM teams need to change?
Explore further
Hiring fraud is now an identity assurance problem, not just a screening problem. The article shows that attackers are exploiting the trust boundary at application time, before IAM teams usually think governance begins. That shifts the control question upstream: if the candidate is synthetic, every later access decision inherits a false identity basis. Practitioners should treat recruitment as part of the identity lifecycle.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials, according to AI Agents: The New Attack Surface report.
- 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete compliance and breach-investigation blind spot.
A question worth separating out:
Q: Who is accountable when a fake hire gains internal access?
A: Accountability is shared across HR, security, hiring managers, and access governance because each controls a different part of the trust chain. If a false candidate slips through, the failure is rarely isolated to one team. Organisations should define ownership for candidate assurance, onboarding gates, and post-hire access review.
👉 Read our full editorial: Hiring fraud has become a frontline identity security risk