A new wave of cybercrime that preys on lax hiring and internal security processes requires HR departments to be more vigilant, according to two attorneys who spoke to HR Dive.
The attacks are often perpetrated by state actors — most prominently backed by North Korea, though other nations also may be implicated — and involve the use of fake job candidates to obtain remote work positions at U.S. companies, said Matthew Welling, partner, and Neda Shaheen, associate, both of Holland & Knight. Once hired, these individuals may funnel income received from affected employers to their host countries.
Federal law enforcement officials uncovered one such scheme in 2024, alleging that a U.S. national conspired with North Korean information technology workers to generate $6.8 million in funds from Fortune 500 companies over a period of about three years. Last month, the U.S. Department of Justice announced that two other U.S. nationals had been sentenced to prison for their role in a North Korean remote work fraud scheme, Cybersecurity Dive reported.
Perpetrators employ several different methods to infiltrate employers, including deepfakes — a category of digitally-produced, fabricated content that attempts to pass for real job candidates. It takes bad actors a short amount of time to create deepfaked job candidates that are capable of duping employers during the hiring process.
“They don’t always follow a common pattern, but there are some general commonalities,” said Welling, who noted that victims of the schemes frequently uncover multiple fake employees. “What we’ve seen from organizations that know what they’re looking for is that often, if they find one of these actors, they find more.”
How HR teams spot suspicious activity
Identifying fraudulent employees requires interdepartmental coordination and knowledge of potential red flags, Welling said.
For instance, the actor may connect to an unexpected place within the organization’s systems, including those for which they do not or should not have access. Another example involves the use of unauthorized virtual private network services. Outside security vendors can help alert employers to such activity.
In the recruiting process, Welling said employers should be wary of situations in which an employee’s qualifications do not match what they’ve provided in their written material, or where the employee’s voice or appearance changes.
Finally, employers may receive notifications from law enforcement that an employee is fraudulent. These notifications tend to be retroactive in nature given the length of the typical criminal investigation, Welling noted, and regulators often don’t want to tip off offenders by notifying employers.
If a fraudster as identified by law enforcement has accessed a heavily regulated database or platform, federal and state privacy laws may require employers to disclose that an electronic breach has occurred, he added.
Employers also may face sanctions should a bad actor use funds derived from the scheme to finance unlawful activities, said Shaheen. Sanctions can be imposed on a strict liability basis, she noted, meaning that no intent on the part of the employer is required in order for a violation to occur.
“Companies could face consequences even if they unknowingly hire somebody and give them their regular salary,” Shaheen said. “The company is balancing not just being a victim of the fraud but also being subject to legal and regulatory scrutiny.”
Action items once suspected fraud is uncovered
The process for addressing a false employee follows that of a typical HR investigation, Welling said, with the most comparable scenario being insider risk operations. “These people are going to look the most like malicious insiders,” Welling said of fraudulent employees.
Source – https://www.hrdive.com/news/youve-hired-a-fraudulent-employee-what-comes-next/819365/