Remember simpler times when business scams were things like fake invoices for printer toner? No one knows how much toner is used or who ordered a renewal so Accounts Payable just paid the invoices until Audit noticed the discrepancy. Easy to guard against. More recent BEC scams convincing a company to wire funds to illegitimate destinations seem quaint now that we know how to protect against them. But faking an entire human to compromise hiring processes seems far from quaint.
We have already seen stories about scammers with false online personas and CVs getting jobs at victim companies. Once in, they steal whatever valuable data they can. We don’t know how pervasive the issue is, but last year we uncovered two organized networks supporting these attacks. You don’t setup organized networks without a lot of profit opportunity.
Here is a report of another company who faced two deepfake job applicants in two months! The hirer is a cybersecurity expert working for a cybersecurity company so their paranoia is turned up to high. Both fake applicants were caught before being hired — but after several steps in the default HR process.
The fake applicants were only discovered in the video interview process. They used deepfake technologies to alter their appearance in the video to appear European where they claimed to be from, but their accents were Asian raising questions in the interviewer mind. With elevated paranoia, the interviewer started probing to determine the legitimacy of the applicants. Being familiar with ChatGPT, the interviewer also determined that the applicants were relying on the AI service to answer technical questions. It was only because the interviewer had a special set of skills that the deepfaked applicants were discovered before they could effect harm.
What should we learn from this?
– This company is very small: In today’s cybercrime landscape, everyone is a potential target.
– There is no cost to creating false online personas. You cannot blindly trust anything you see online.
– Deepfake technology is widely available: You cannot blindly trust anything you see online.
– AI LLMs are at least as good as your newest employees: Basic capability skill tests are pointless. You should be interviewing for skills demonstrating ability to grow in the job, work with a team, be valuable in the future.
– Your HR hiring process reduces the volume of applicants to a manageable amount, not as a reliable filter for capabilities. You need additional controls for hiring.
– The interviewer was a suitably paranoid security expert: you can’t rely on people to guard against thousands of potential attackers. You need additional controls for hiring.
Relatively cheap email encouraged scammers to develop profitable phishing techniques. With AI support, scammers are leveraging relatively cheap humans for the next wave of cybercrime. Are you ready?
