COMMENTARY: Employment fraud is no longer about elaborate spy rings slipping agents into U.S. companies; it is now as simple as a laptop, a VPN, and AI tools. The remote work era and generative AI have reshaped the attack surface. The KnowBe4 infiltration attempt reads like a case study in how convincing fake applicants can become, and it underscores why HR and security can’t operate in silos anymore. The takeaway is clear: the hiring process itself has become a front line of cybersecurity, and organizations that ignore that reality are leaving the door wide open.
In 2010, the Pentagon described far-reaching Chinese cyber espionage campaigns. Those operations required extensive planning and trained operatives embedded in the US as technical experts to steal sensitive government and high-tech information.
Today, an operation like that might only require access to AI and a VPN.
The remote work attack surface
The remote work boom between 2020 and 2021, triggered by the COVID-19 pandemic, reshaped how companies hire. Like any sudden shift, it created new opportunities for exploitation—and threat actors moved quickly.
In May 2022, the FBI and the Department of the Treasury warned that North Korea was digitally dispatching thousands of IT workers worldwide to generate revenue for its weapons programs.
For many organizations, the odds of unknowingly hiring a threat actor during that period are uncomfortably high, especially in technical roles, critical infrastructure, or government contracting. Several Fortune 500 companies later discovered they had hostile actors on their payrolls.
A North Korean infiltration attempt
The now-infamous case of a North Korean IT worker who tried to infiltrate KnowBe4 in July 2024 offered a glimpse into these scams. The attempt was convincing but ultimately unsuccessful.
The applicant passed a background check by using a legitimate but stolen US identity. He completed four video interviews and appeared to match the person in the application photo, which investigators later determined was AI-enhanced. To date, KnowBe4 has not confirmed whether AI was also used to alter his image or voice during interviews.
Upon hiring, KnowBe4 shipped a company laptop to what was believed to be the applicant’s home address. It was actually a “laptop farm”—a location maintained by a US-based facilitator and filled with devices shipped to fraudulent remote employees. On the day the laptop arrived, KnowBe4’s security team received alerts around 10 p.m. EST that malware was being loaded onto it. That was the first clue: while late for a US worker, it was 11 a.m. local time in North Korea. The team responded quickly, contained the device, and prevented any breach.
This is one powerful example of how vigilance during hiring can stop an operation before the damage is done.
When fraud becomes a trend
Since then, pentesters and analysts have infiltrated North Korean communication rings. The FBI sentenced a woman who facilitated their efforts by running a laptop farm and managing payroll. Hiring managers have reported spotting fraud by catching inconsistencies between phone and video interview answers, noticing applicants reading from screens, or seeing interviewees wear earbuds to receive prompts. Some companies now even require in-person interviews for remote roles to verify identity.
Sharing these insights helps defenders, but it also risks teaching malicious actors how to refine their tactics.
Since the remote work boom and the launch of ChatGPT in 2022, the tools for fraud are far more accessible. AI-powered face-swapping, voice cloning, and identity fabrication are improving quickly, with some tools open source and free. While AI helps falsified resumes and deepfakes slip through, it’s also becoming an ally, with detection tools capable of flagging inconsistencies in real time.
We’ve entered a new era of digital fraud where anyone can be whoever they want—but probably not in the way parents intended when they told kids that. According to a ResumeGenius report, 17% of hiring managers are already spotting deepfakes, and Gartner predicts one in four job applicants will be fake by 2028. With continued training and investment, those numbers should improve.
Bring security into the hiring department
It’s time for HR teams to work closely with security—sharing data on network anomalies, running deeper background checks, and spotting behavioral red flags. Some companies already use tools that alert on irregularities during interviews, but it may also be time to include a security specialist in interviews for manual assessment. If there’s one thing we’ve learned about AI in security, it’s that keeping a human in the loop is essential.
But what about potential infiltrators already on the payroll?
HR and insider threat teams can reopen background checks, cross-reference employee data, and investigate sudden travel or behavioral shifts. Security teams can write detections for suspicious activity such as remote desktop use, data exfiltration, unusual logins, VPN or proxy anomalies, or the use of virtual phone numbers.
If these indicators are present, federal law enforcement should be the first call. Whether it’s a nation-state actor, a ransomware group, or even a script kiddie, the damage from an insider can be significant.
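One way to combine the working-hours clue from the KnowBe4 case with the indicators listed above into a triage detection, as an added example that is not part of the original column or any vendor's product. The usernames, event kinds, fixed UTC offsets and thresholds are assumptions, and the events are constructed sample data:

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed HR data: declared UTC offset of each employee's work location
# (fixed offsets, no DST handling; usernames are hypothetical).
DECLARED_UTC_OFFSET = {"new.hire": -5, "long.timer": -6}

# Constructed telemetry: (UTC time, user, event kind).
EVENTS = [
    ("2024-07-16T03:00:00", "new.hire", "login"),
    ("2024-07-16T03:10:00", "new.hire", "remote_desktop"),
    ("2024-07-16T04:30:00", "new.hire", "proxy_login"),
    ("2024-07-16T15:00:00", "new.hire", "login"),
    ("2024-07-16T14:00:00", "long.timer", "login"),
    ("2024-07-16T20:30:00", "long.timer", "remote_desktop"),
    ("2024-07-17T03:30:00", "long.timer", "login"),
]

RISK_KINDS = {"remote_desktop", "proxy_login", "bulk_download"}
WORKDAY = range(7, 20)  # 07:00-19:59 local time counts as expected hours


def local_hour(utc_iso, offset_hours):
    """Hour of day at the employee's declared location for a UTC timestamp."""
    utc = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=offset_hours))).hour


def review_queue(events, offsets, min_off_ratio=0.5):
    """Flag users who mostly work off-hours AND show a risk event off-hours."""
    total, off, risky = defaultdict(int), defaultdict(int), defaultdict(set)
    for ts, user, kind in events:
        total[user] += 1
        if local_hour(ts, offsets[user]) not in WORKDAY:
            off[user] += 1
            if kind in RISK_KINDS:
                risky[user].add(kind)
    flagged = {}
    for user in total:
        ratio = off[user] / total[user]
        if ratio >= min_off_ratio and risky[user]:
            flagged[user] = (round(ratio, 2), sorted(risky[user]))
    return flagged


if __name__ == "__main__":
    for user, (ratio, kinds) in review_queue(EVENTS, DECLARED_UTC_OFFSET).items():
        print(user, ratio, kinds)
```

A single late-night login does not flag anyone here; the output is a review queue for HR and insider threat teams, not a verdict.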
Be yourself
This isn’t science fiction anymore. You’ve likely seen celebrity deepfakes on social media, but the business implications are far more serious. Fortunately, the playbook is no longer a mystery. Every exposed scam, flagged application, and arrest makes it harder for threat actors to succeed.
In this new era of digital fraud, preparation is the strongest defense. With the right mix of technology, human skill, and team collaboration, defenders can stay ahead—because security favors the prepared.
MSSP Alert Perspectives columns are written by trusted members of the managed security services, value-added reseller and solution provider channels or MSSP Alert's staff.