Scams are constantly evolving, but it may surprise you to realize scammers can fake an entire person. Deepfake job candidates can slip through the hiring process unnoticed and cause internal security issues.
Although it’s not common, hiring one can be expensive.
What is a deepfake job candidate?
Working from home became popular after the COVID-19 pandemic forced industries to adapt. As of 2022, around 35% of people can work remotely full time, even in sectors that traditionally favor in-person roles. The rise of remote work has plenty of benefits for employers and employees but also poses new cybersecurity challenges.
Deepfake job candidates are a rising security threat. Scammers change their voice and appearance to look like a different person, meaning you may not know who you hired. The technology is advanced, so they can easily alter images, audio and video.
Cybercrime tied to COVID-19 caused over $46 million in losses, owing to the nature of remote work. Remote employees don’t show up in person, so an impostor can continue pretending to be someone else relatively easily.
How do deepfake job scams work?
Scammers typically start the process by posting fake job listings to collect real candidate information. That information allows them to build realistic and impressive resumes that get your attention and advance in hiring. The Federal Bureau of Investigation (FBI) states that over 16,000 people reported being part of such a scam in 2020.
Once they have information and secure an interview, they craft a fake identity. Deepfake job candidates use artificial intelligence and machine learning to create a convincing persona. They overlay a fake face onto their own. The advanced technology can match the natural contours of their face and knows when they’re moving their eyes or lips.
It might sound like a complex process, but it’s surprisingly simple. People can clone whatever voice they want if they have a short audio clip because there’s a public tool on GitHub for that specific purpose. They can fake their experience, appearance and voice with relative ease.
Will you accidentally hire a deepfake candidate?
Although you might assume you’ll be able to spot a deepfake job candidate immediately, it’s not always obvious. For example, an employee transferred $35 million to scammers after the scammers used deepfake audio to pose as the company’s director. The audio and video can be compelling.
Committed fake candidates can even deepfake in live settings, so you aren’t protected by asking them to hop on a video call. Although some technology is less convincing than others, they can brush off slight oddities in their appearance or movement by blaming a slow internet connection.
There are subtle signs someone is using artificial intelligence to change their appearance, but there’s no guarantee you’ll spot them. Think of it like filters on social media. Even though many are poor quality, it can be hard to tell if someone is using one. Scammers can access much more advanced technology, so you might not notice they’re changing their appearance.
What is the purpose of the scam?
The FBI issued a warning in 2022 detailing how scammers use deepfakes to target remote work positions that give them access to company databases and systems. Their goal is to collect, sell or exploit what they find there for as long as possible.
Instead of trying to get an employee to click a malicious link that lets them into the company’s systems, cybercriminals can get hired themselves and ensure continued access. If you don’t suspect them, they can continue to find ways to damage your company for the entire time they’re employed.
Scammers will try to get hired using deepfakes because:
- They can steal proprietary information. Proprietary information is valuable, so scammers stand to make a lot of money by selling it. They use deepfakes because it allows them to go after positions where they can access it.
- They can take down the company from the inside. Installing ransomware or taking down systems with traditional methods can take time and effort. A deepfake employee can install malicious software whenever they’d like.
- They can continuously find and exploit security weaknesses. Employees can accidentally cost their employers up to $500,000 for each security breach, so imagine what a scammer could do with malicious intentions. Even if the company works to fix issues as they arise, the scammer has all the time they need to find new exploits.
- They gain access to sensitive data. Sensitive financial or consumer data is a large draw for scammers because it’s valuable. They can sell the information or use it for their own gain. It might be hard to access via traditional scams, but security or IT positions give them direct access.
While their motives might differ, they’re not faking an entire personality and appearance because they have good intentions. It might seem convoluted to go through a whole hiring process, but they can manufacture as many personas as they want until successful.
How does it affect a company?
If you hire a deepfake candidate, you potentially put your company at risk for lawsuits, fines and increased costs.
1. You risk discrimination lawsuits
In attempting to prevent hiring deepfake job candidates, you might risk discrimination lawsuits. The federal government prohibits discrimination on the basis of race, sex, age, gender and more. The solution to weeding out deepfakes seems as simple as asking for a form of identification, but candidates can claim you didn’t hire them based on one of their protected attributes.
2. You face potential regulatory fines
Once a scammer has access to a company database and sensitive information, they can sell or leak it whenever they want. If your company deals with protected consumer or financial data, you are liable for it.
You might have to pay significant fines if regulatory bodies find out you didn’t protect personal information and harmed consumers in the process. For example, Amazon had to pay an $877 million fine in 2021 because of data privacy issues.
3. You may lose proprietary information
Proprietary information is valuable because it gives a business an advantage. Scammers that access such data by posing as someone else are incentivized to sell it. NDAs or contracts do not protect you in this situation because the person you hired doesn’t exist. You likely won’t be able to pursue legal action since finding the scammer will be difficult or impossible.
4. You might have high rehiring costs
Outside of the damage they can do to businesses with malicious software or practices, the cost of rehiring may also affect you. Once you find out you’ve hired a deepfake job candidate, you’ll have to promptly hire a replacement. It can take up to half a year to recoup what you spend on the hiring process, so you won’t break even if you have to hire new employees.
Potential costs also present themselves via hiring delays. You don’t profit off empty positions. In addition, the hiring process itself can be expensive. The longer it takes to find a new candidate, the greater the expense.
5. You risk continued cybersecurity challenges
Deepfake employees can lie low and continue to exploit security weaknesses in company systems. For example, they could install malware under the guise that they accidentally clicked on a malicious email. Although continued cybersecurity problems traced to one employee may eventually look suspicious, you risk expensive issues in the meantime.
How do you weed out deepfake candidates?
No method guarantees you won’t engage with a deepfake job candidate as you proceed through the hiring process, but you can take steps to protect yourself against them:
- Improve verification: When hiring, you can do background checks and follow legal protocol to ensure everything checks out. Keep in mind that you will likely have to implement these policies across the board to avoid potential discrimination issues.
- Hire cautiously: Deepfake job candidates target roles centered around cybersecurity and IT, so hiring cautiously may help you. Consider hiring solely in-person positions if you feel you can’t fully protect the business against such people.
- Consider interviewing in person: It might not be possible to conduct in-person interviews for remote positions, but it can be beneficial — it may even be worth it to cover candidates’ travel expenses.
- Pay close attention: Although deepfakes that use machine learning seem very convincing, you may notice small inconsistencies. Pay attention to their mouth and eyes to see if they glitch or don’t line up with their movement. Also, look for glitches when they turn their head.
- Change interview styles: Scammers will likely come prepared with fake paperwork and a general understanding of the role, but asking in-depth and specific questions can weed them out. If they’re fake, they’ll have difficulty answering or take a long time to respond.
These methods aren’t foolproof, but implementing each one in your process may protect you and your company. You can weed out many deepfake attempts if you anticipate the cracks in their personas.