Three Key Takeaways:
1. Global Threat Actors and Diverse Motives: Infiltration isn't just for a paycheck; Russian actors use it for ransomware, Iranian actors for intelligence, and North Koreans for mass-scale profit.
2. Sophisticated Deception: Criminals are "renting" LinkedIn profiles, hiring US-based "actors" to face interviews, and using AI overlays to physically match stolen identities in real time.
3. AI-Powered Deception: Attackers use AI tools to change their appearance via real-time camera overlays and use AI-drafted scripts to mimic professional fluency during live interviews.
Cybercriminals are increasingly impersonating employees to gain entry into organizations. In a 2025 Gartner survey of 3,000 job candidates, 6% admitted to participating in interview fraud—either by posing as someone else or having someone else pose as them during an interview. Gartner also predicts that by 2028, one in four candidate profiles worldwide will be fake.
This blog shares insights from an RSAC member, Alex Holden, CISO at Hold Security, LLC, and explores the different motivations behind why imposters pose as employees. We explore how they bypass background checks and interviews and how organizations can spot red flags during an interview.
Types of Motives
As Holden stated, “There is no single motive or vector of attack for an imposter; the motivations vary. But mostly, it comes down to money and intelligence. How can money be derived? Simply by maintaining employment.”
This specific type of attack is being utilized by bad actors who try to obtain employment within US tech companies under false pretenses. By infiltrating these organizations as remote employees, they gain access to internal systems and sensitive information.
Holden highlighted the different threat actor groups and their motivations for posing as an employee:
Non-Malicious Intent
While some instances of employee impersonation are not inherently sinister, they are still illegal and considered a crime. According to Holden, some individuals from different countries pose as US-based employees because the pay rate allows them to earn significantly more than they would locally.
Intelligence Motivated
Over the last five or six years, impersonating an employee has evolved into a significant criminal threat. As Holden stated, “Iranian actors were among the first to move from manual impersonation to mass abuse using automation.”
These Iranian actors are particularly motivated by gaining access to an organization’s intelligence. Rather than launching random attacks, they often target specific companies to secure employment. Once they have successfully "onboarded," they work to embed themselves further into the organization to extract sensitive data or monitor internal communications.
Financially Motivated
After Iranian actors began using this attack method, North Korean actors adopted the technique, shifting the focus toward profit rather than intelligence. They have since begun to mass-produce these schemes, creating an ongoing epidemic of criminals acting as imposters to secure remote employment. This trend is expected to continue growing, posing a significant threat not only to organizations in the United States but across the globe, Holden stated.
Ransomware Motivated
Russian threat actors are primarily focused on ransomware. Their objective in posing as employees is to gain internal access, allowing them to deploy ransomware from within the network. By infiltrating an organization as a trusted insider, they can more easily bypass perimeter defenses and escalate their privileges.
How Imposters Slip Through the Hiring Process
While bypassing initial background checks and interviews is typically complex, the COVID-19 pandemic weakened these traditional barriers. With remote work now standard practice, it has become easier to navigate these processes, depending on a company’s policies, Holden noted.
The Rise of Hiring "Actors"
A new trend Holden highlighted involves cybercriminals hiring aspiring "actors" within the US to serve as the face of the operation. These individuals are offered several thousand dollars to pose as a candidate and "lend" their identity to bypass background checks. Often, these recruits are misled by the criminals, who tell them, "We are landing a big contract; you just need to pass the interview." This creates the illusion of joining a legitimate team with the promise of larger future opportunities.
This tactic mirrors the broader evolution of youth cybercrime. Criminals often reach out to young people, grooming them into illegal activity without being overt. By exploiting the post-pandemic desire for online community, they use a false sense of belonging, telling targets, "If you do well, you'll be part of the team; you belong here."
Beyond hiring actors, Holden mentions that cybercriminals are now targeting legitimate professionals on platforms like LinkedIn. They offer quick cash to "rent" or purchase established accounts, allowing the criminal to pose as a vetted worker in the US. When they aren't renting identities, they rely on traditional methods like forged documentation or the use of compromised, stolen identities.
Manipulating HR Policies and Virtual Barriers
Cybercriminals also exploit corporate sensitivity toward inclusivity. Holden stated, “A common tactic involves claiming a medical disability or speech impairment to avoid traditional verbal communication.” By insisting on using electronic voice-to-text tools or refusing to appear on video, they bypass the scrutiny of a live interview. Since HR departments must be careful not to discriminate against medical disabilities, they often feel obligated to comply with these requests, unwittingly allowing a fraudster to hide their true identity.
The Role of AI
Finally, AI has become a powerful tool for criminals posing as legitimate US employees. Holden notes that attackers now use AI-driven camera overlays to alter their appearance in real time—making themselves look younger, older, or of a different nationality to match a stolen identity. Furthermore, AI-generated scripts allow these actors to speak with a level of professional fluency and cultural awareness that makes the deception even more difficult to detect.
How Organizations Can Spot Red Flags
While multi-factor authentication (MFA) using voice recognition, facial recognition, and ID verification is a strong starting point for detecting imposters, modern AI tools have made it increasingly possible to bypass these traditional hurdles. Organizations must now adopt a more layered defense.
HR as the First Line of Defense
Human Resources serves as a critical gatekeeper for spotting suspicious activity. As Holden noted, platforms like Microsoft Teams and Zoom provide metadata, such as IP addresses, that can reveal geographic inconsistencies. For instance, if an applicant claims to be in the US but their IP address originates from Iran, HR has a clear "red flag" to investigate further. More sophisticated IP interrogation may also reveal use of proxies, VPNs, and other dangerous systems.
Advanced Detection Technology
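The metadata check described above can be automated. The following is an added example, not code from Holden or Hold Security: it compares each candidate's claimed country with the network each interview session came from. The CSV column names, candidate IDs, and geolocation table are constructed for illustration (the prefixes are RFC 5737 documentation ranges); a real deployment would use an exported participant report and a commercial GeoIP/ASN feed, and would treat a flag as a prompt for follow-up rather than proof.

```python
import csv
import io
import ipaddress

# Constructed stand-in for a GeoIP/ASN database; countries and types are invented.
GEO_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "US", "residential"),
    (ipaddress.ip_network("198.51.100.0/24"), "IR", "residential"),
    (ipaddress.ip_network("203.0.113.0/24"), "US", "vpn_or_hosting"),
]

# Constructed export of interview-session metadata (hypothetical column names).
SAMPLE_SESSIONS = """candidate_id,claimed_country,session,source_ip
C-1001,US,screen,192.0.2.10
C-1002,US,screen,198.51.100.7
C-1003,US,screen,203.0.113.25
C-1004,US,screen,192.0.2.80
C-1004,US,panel,198.51.100.91
C-1005,US,screen,10.1.2.3
"""

def lookup(ip_text):
    """Return (country, network_type) for an IP, or (None, 'unknown')."""
    ip = ipaddress.ip_address(ip_text)
    for net, country, net_type in GEO_TABLE:
        if ip in net:
            return country, net_type
    return None, "unknown"

def review_candidates(csv_text):
    """Group sessions per candidate and return {candidate_id: sorted flags}."""
    flags = {}
    seen_countries = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["candidate_id"]
        found = flags.setdefault(cid, set())
        country, net_type = lookup(row["source_ip"])
        if country is None:
            found.add("ip_not_resolved")  # private or unmapped: check by hand
            continue
        if country != row["claimed_country"]:
            found.add("country_mismatch")
        if net_type == "vpn_or_hosting":
            found.add("anonymizing_network")
        seen_countries.setdefault(cid, set()).add(country)
    for cid, countries in seen_countries.items():
        if len(countries) > 1:
            flags[cid].add("location_changed_between_sessions")
    return {cid: sorted(f) for cid, f in flags.items()}
```

Calling `review_candidates(SAMPLE_SESSIONS)` returns an empty flag list for the consistent candidate and named flags for the others, including the candidate whose two interviews arrive from different countries.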
Organizations should implement specialized solutions designed to detect deepfakes, voice spoofing, and AI-generated media. These tools are especially vital in high-stakes departments like finance, HR, and executive communications.
Behavioral Biometrics in Interviews
Interviewers can be trained to look for subtle "tells" that AI hasn't quite perfected. This includes monitoring for behavioral biometrics, such as:
- Unnatural pauses or delays in speech (potential processing lag).
- Irregular eye movements or lack of natural blinking.
- Mismatched lip-syncing or skin texture inconsistencies.
In a world of AI-driven identity simulation, trust can no longer be a one-time "checkpoint" but must be a continuous process of verifying both technical metadata and human authenticity. Organizations must realize that when imposters can mimic a face or voice, the only true defense is a layered strategy that combines advanced detection tools with sharp human intuition.
To find out more about what companies can do to better detect attackers using AI to masquerade as legitimate remote employees during the hiring process, tune into our RSAC January 2026 seminar.