Attacking The Human Pipeline
The FTC documented job scam losses growing 5.6x in four years, from $90 million in 2020 to over $501 million in 2024. Gartner projects that one in four job candidates will be fraudulent by 2028.
I've helped leaders identify business weaknesses throughout my career. My work covered the gamut of cybersecurity and regulatory compliance in FTE and consulting relationships. There are endless regulatory audits, penetration tests, and meetings with leaders presenting loss probability insights and investment recommendations. No threat carries more weight, with an ability to subvert most safeguards, than social engineering.
This is not an emerging threat. It is an active, global one. Documented organizations in Russia, Eastern Europe, West Africa, South Asia, and Southeast Asia are deploying the same technique perfected by the DPRK. North Korea runs sophisticated, large-scale fraud operations against businesses. Trained operatives use stolen identities, AI-altered appearances, and accomplices to land jobs inside companies. They are succeeding. And they are no longer alone.
A March 2026 OFAC assessment raised the estimated annual revenue from the scheme to approximately $800 million, up from earlier estimates of $250–$600 million, providing significant funding for North Korea’s weapons programs. The FTC documented job scam losses growing 5.6x in four years, from $90 million in 2020 to over $501 million in 2024. Gartner projects that one in four job candidates will be fraudulent by 2028. This briefing tells you what to do about it.
Who Is Most at Risk
Organizations at highest risk share common characteristics:
- Remote-first or distributed engineering teams with limited in-person interaction.
- Fast-moving hiring processes with minimal live identity verification.
- Access to customer data, financial systems, or third-party infrastructure at scale.
- Providers of platforms or integration products that extend access beyond a single organization’s environment (e.g., providers of HR platforms, payroll, CRM, ATS, accounting tools). A compromised engineer doesn't simply expose your organization. They can expose every organization you serve.
- Defense contractors, cryptocurrency firms, and any entity handling ITAR-related data.
What Your Recruiting Team Can Do Now
We considered what geographically diverse recruiting teams can do. There are novel technical solutions to defend organizations against this threat, but practical solutions work at scale. Here are a few low-effort, high-value actions your team can take.
- Require camera-on video interviews: Candidates who refuse or experience suspicious technical difficulties should be flagged immediately.
- Verify government-issued photo ID live during the interview: Hold up your ID and ask the candidate to do the same. Document the verification. Don't rely solely on document scans submitted before the call.
- Run a disruption test: Ask the candidate to wave their hand slowly in front of their face. Deepfake overlays frequently fail this test, producing visible artifacts or causing the candidate to disconnect. This technique has been confirmed effective in documented recruiter encounters.
- Check geolocation signals: Cross-reference IP addresses, time zones, and platform-reported location data. Discrepancies between claimed and detected location are red flags (IT support may be required).
- Re-verification post-hire: A one-time identity check at onboarding is not sufficient. Periodic re-verification before increasing access can reduce the risk of substitution or credential sharing.
- Ensure your recruiting team is aware of indicators: Reluctance to appear on camera; scripted answers delivered with unusual delay; inconsistencies in resume details and follow-up conversations; voice quality that sounds processed or is out of sync with lip movement; unnatural eye and mouth movements. These are confirmed indicators from documented cases.
- Audit your device provisioning process: Enable geolocation logging for all company-issued endpoints to know where company-issued devices are physically located. Devices shipped to addresses other than the candidate’s claimed location should trigger a review.
- Evaluate deepfake detection tooling: For high-risk roles with access to production systems, customer data, or third-party integrations, the time and money investment is warranted.
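The geolocation cross-check and the device ship-to review from the list above can be run as one comparison per candidate. The sketch below is an added example, not part of the original briefing: the record fields, the `review_flags` function, and the sample candidates are all assumptions, and it expects IP-to-country resolution to have been done already by whatever GeoIP source your IT team uses.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    ip_country: str            # resolved by the GeoIP source IT already uses
    client_utc_offset: float   # hours, as reported by the candidate's client
    platform_country: str      # location reported by the meeting/ATS platform

@dataclass
class Candidate:
    claimed_country: str
    claimed_region: str
    claimed_utc_offsets: tuple  # plausible offsets incl. DST, e.g. (-6, -5)
    ship_to_country: str
    ship_to_region: str
    sessions: list = field(default_factory=list)

def review_flags(c):
    """List discrepancies between claimed and detected location, for human review."""
    flags = []
    for i, s in enumerate(c.sessions, 1):
        if s.ip_country != c.claimed_country:
            flags.append(f"session {i}: IP country {s.ip_country}, claimed {c.claimed_country}")
        if s.client_utc_offset not in c.claimed_utc_offsets:
            flags.append(f"session {i}: UTC offset {s.client_utc_offset:+g} does not fit claimed location")
        if s.platform_country != s.ip_country:
            flags.append(f"session {i}: platform reports {s.platform_country}, IP resolves to {s.ip_country}")
    if (c.ship_to_country, c.ship_to_region) != (c.claimed_country, c.claimed_region):
        flags.append(f"device ship-to {c.ship_to_country}/{c.ship_to_region} differs from claimed location")
    return flags

# Constructed sample records (not real candidates).
CONSISTENT = Candidate("US", "TX", (-6, -5), "US", "TX",
                       [Session("US", -5, "US"), Session("US", -5, "US")])
# IP and platform both look clean; only the time zone and ship-to address disagree.
MIXED = Candidate("US", "TX", (-6, -5), "US", "AZ",
                  [Session("US", 8, "US"), Session("US", -5, "US")])

if __name__ == "__main__":
    for label, cand in (("consistent", CONSISTENT), ("mixed", MIXED)):
        print(label, review_flags(cand) or "no discrepancies")
```

The second sample record shows why the signals are cross-referenced rather than checked singly: its IP and platform locations match the claim, and only the time zone and ship-to address surface the discrepancy.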
Technology Vendor Response
The detection market responded to the surge in deepfake fraud. In March 2026, Zoom expanded its partnership with Pindrop to integrate real-time audio and video deepfake detection directly into the Zoom Marketplace, analyzing live calls for face swaps, voice clones, and synthetic personas. Zoom also partnered with World, a human ID verification company, to add a native human-verification capability. Reality Defender, Resemble AI, HireVue, Persona, Jumio, and Onfido also offer solutions for real-time video deepfake detection to combine document authentication with biometric liveness checks.
Outlook
Multiple factors indicate the threat will worsen before it improves.
- AI tools are becoming cheaper and more capable: Deepfake fraud surged in 2025. The tools used to alter appearances and voices during interviews are commercially available and improving every quarter.
- The accomplice supply is growing: Economic pressure from layoffs and wage stagnation may increase the number of people willing to run laptop farms or facilitate payments. The U.S. DOJ’s multi-state raid revealed a substantial domestic infrastructure network already in place.
- Extortion is now the second revenue stream: Active extortion tactics first documented in late 2024 are likely (55–80%) to accelerate. Operatives increasingly exfiltrate data before departing and threaten publication, converting a payroll fraud into a data breach incident with regulatory implications.
The worst thing you can do is ignore the issue. Analyze your probability, and revisit the threat with business context periodically.
Our analytic judgments are expressed using standardized probability language. It may help your team align.
Probability Matrix: