persona-logo
Published January 21, 2026
Last updated May 21, 2026

The rise of fake job applicants: Why workforce security must start before day one

Fake candidates are exploiting gaps in the hiring process to access internal systems. Learn how to spot the signs and stop candidate fraud.
Jenna Kim
Jenna Kim
8 min
Key takeaways
Fake job candidates have become a serious security threat that spans the entire hiring journey, from application through offboarding.
Catching fake candidates requires both asking for verification (like ID checks) and detecting suspicious patterns in the background (like mismatched locations or device changes).
A single background check on day one is no longer enough. Instead, employers should verify candidates at every critical stage of hiring.

All over the world, companies are seeing a rise in fake job applicants. You may have experienced it yourself: dozens of near-identical resumes arriving within hours, or candidates who refuse to turn on their camera during video interviews.

Remote hiring, global talent pools, AI-generated resumes, and increasingly sophisticated fraud networks have profoundly changed the hiring landscape. Traditional hiring processes were never built to defend against the types of candidate fraud we’re seeing today. Threat actors know that and are targeting the gaps.

undefined

Candidate fraud puts companies at risk on multiple fronts in the form of data breaches, insider threats, compliance violations, and financial loss. These are critical concerns for HR leaders responsible for governance and workforce integrity, as well as for InfoSec and CISOs tasked with protecting systems and sensitive information. 

Meanwhile, recruiters are expected to source quickly and evaluate dozens, if not hundreds, of candidates at scale. But as the first line of defense against candidate fraud, they're now also expected to verify that the candidate is a legitimate person. Manual verification is something that even professional fraud teams struggle with — yet recruiters are trying to do it between screening calls.

In this post, we’ll break down how candidate fraud is actually happening today, the warning signs to watch for throughout the hiring process, and best practices for preventing and responding to it. Whether you’re recruiting talent, safeguarding your organization, or ensuring compliance, understanding candidate fraud is the first step toward stopping it.

How attackers exploit the hiring process

As any recruiter can tell you, candidate fraud doesn’t happen just once. Today, it’s a security vulnerability that stretches across the entire hiring journey, exploiting organizational blind spots that threat actors have learned to target. 

Without adequate defenses, here’s what the candidate fraud attack chain looks like:

  1. Application. AI-generated resumes with false credentials have become increasingly common and difficult to detect. The threat takes two forms: organized fraud farms that flood inboxes with mass applications, or a single, highly polished candidate with credentials so convincing they're nearly impossible to distinguish from legitimate applicants. Either way, accurately identifying genuine candidates from fraudulent ones over and over, day in and day out, has become time-consuming and nearly impossible.

  2. Screening. If a fake candidate advances past the application, their attack sophistication increases. During technical assessments, they may use proxies (i.e., human stand-ins that help them complete tests). For video interviews, they’ll rely on deepfakes to pass as a legitimate person.

  3. Hiring and onboarding. If a threat actor reaches the offer stage, they receive provisioned devices and valid credentials for internal access. Critically, multi-factor authentication (MFA) won’t work when a malicious insider is granted legitimate credentials — effectively bypassing modern security controls entirely.

  4. In-role access. Once inside the organization, attackers can act quickly with little resistance. For security teams, the challenge is daunting: now they must identify and respond to a threat actor from the inside who looks like a legitimate employee with authorized access.

  5. Offboarding. Even after termination, dormant accounts, unrevoked access tokens, and compromised credentials create footholds for future intrusions. Former employees — whether legitimate or fraudulent — represent ongoing identity-based vulnerabilities that can be exploited long after separation.

Perhaps one of the most well-known examples to date is the North Korean IT worker scam. Since 2020, over 300 companies have unknowingly hired North Korean workers who infiltrate US companies under stolen identities to generate revenue for the regime's weapons programs.  These workers exfiltrate proprietary data, install backdoors, and threaten extortion.

Signs of a fake candidate

Candidate fraud leaves traces at every stage of the hiring life cycle. However, those traces are easy to miss when viewed in isolation.  That’s why it’s critical to aggregate signals — or data points that reveal fraud when viewed together. Common signals include:

  • Passive signals like device fingerprints, location intelligence, and behavioral patterns collected in the background

  • Active detection signals like liveness checks and identity document verification that require user interaction

When multiple signals appear across the candidate journey, chances are high that you’re dealing with a fake candidate. Here's what to watch for:

Signals in the application

Look for resumes with identical document structure, fonts, spacing, phrasing, and even titles and companies; these can indicate fraud rings using the same template. AI-generated resumes will typically look suspiciously perfect (e.g., overly polished, no grammar issues) yet also generic (e.g., stuffed with keywords with perfectly linear career progressions).

Other red flags can include newly created email addresses and VoIP phone numbers. Device intelligence and location data can show when candidates are obfuscating their true location, especially when IP addresses, claimed residences, and application locations don't line up.

Signals during interviews

Keystroke lags, unnatural facial movements, and audio-visual sync issues can indicate deepfake technology and remote proxies. When candidates consistently avoid turning on cameras, can't reproduce work from their portfolios, or exhibit suspicious time zone inconsistencies (like a computer clock showing 3 AM when it should be noon), it's time to investigate further. 

Recruiters can watch for odd interview behaviors as well. For example, a candidate may struggle to explain technical decisions they supposedly made or demonstrate skills they claim to have. They may not be able to answer even simple questions like how the weather is in their claimed location. 

Post-offer signals

At this stage, false candidates will provide shipping addresses that don't match claimed residences. They may hesitate to share government-issued IDs, or outright refuse. If there’s a background check at all, they’ll typically submit incomplete information. 

When they do provide identification documents, check for counterfeit documents or synthetic identities (i.e., composite identities made up of real information combined with fake details). Even their references may lead to fake email domains and phone numbers. 

Behind the screen, device changes between application and offer stages — or devices linked to previously declined candidates — can indicate identity swaps or fraud ring activity.

Best practices for detecting candidate fraud

The rise of candidate fraud requires a fundamentally new approach to hiring securely. The answer is Zero Trust for hiring.

Zero Trust is a framework from network security that's now essential for protecting your workforce. It operates on a simple principle: never trust, always verify. 

In the context of hiring, this means treating every candidate as unverified until proven otherwise — and continuing that verification throughout the employment life cycle. Instead of a single background check for day one, Zero Trust for hiring requires continuous verification at every high-risk moment from application to offboarding. 

While Zero Trust will look a little different for every company, we recommend verification at three key points in the recruiting process: before the recruiter screen, prior to the final interview, and at onboarding. Let’s take a closer look at each of these moments.

Verify the applicant before the recruiter screen

Once the candidate submits their application, we recommend running lightweight checks, like email and phone risk reports. In the background, you may check for red flags like VPN usage, device anomalies, and behavioral patterns. If the candidate moves to the initial screening, verify their identity with a government ID and selfie. 

For stronger assurance, you may also want to link the candidate’s credentials to an existing identity record by checking against authoritative sources — known as a database check. Cross-reference their personal information against databases like AAMVA for driver licenses. Depending on your risk posture, you may conduct a database check at the initial screening, with an offer extension, or at onboarding.

Reverify prior to the final interview

At this point, we recommend a government ID or selfie verification/reverification before the final interview and, crucially, before the candidate moves to an offer. 

For the interview itself, you can use active liveness checks (e.g., randomized gestures, multi-point pose verification) and passive detection (e.g., micro-movement analysis, temporal consistency checks) to catch deepfakes, proxies, and replay attacks.

Verify the new hire at onboarding

Before issuing company devices or granting access to internal systems, reverify the candidate’s identity. Reverification confirms the person receiving credentials is the same individual who applied and interviewed — not a fraudster who swapped in at the offer stage.

After hiring, continue verification at high-risk moments (like when an employee has lost or replaced their device) to detect insider threats before damage occurs. (Check out our ebook for more about how modern enterprises are securing their workforces.)

How Persona can help

Persona is a global identity verification platform. Named a Leader in the 2025 Gartner® Magic Quadrant™ for Identity Verification and positioned highest for Ability to Execute, we help organizations ensure candidates and employees are who they say they are.

We partner with leading workforce tools like Okta and Cisco Duo to provide the precision needed to stop sophisticated fraud without overwhelming your teams. We also integrate seamlessly with major ATS platforms like Ashby to embed verification directly into your hiring workflow.

Our Workforce Identity Verification (Workforce IDV) solution enables you to catch advanced phishing, detect deepfake fraud, and stop account takeovers across the entire employee life cycle. At every high-risk moment — from candidate screening and onboarding to account recovery, device enrollment, and offboarding — you can verify identities with a consistent identity authority using:

  • Mobile-first native flows. Deliver a seamless capture experience for candidates and employees while surfacing trusted device and behavioral signals.

  • Workforce identity integrations. Integrate with both IAM platforms (e.g., Okta, Cisco Duo, Microsoft Entra) and workforce tools (e.g., Workday, ServiceNow, Jira, Ashby). 

  • Signals and risk assessment. Layer active verification methods with passive signals (including device fingerprinting, behavioral analysis, IP intelligence, and network telemetry) to dynamically assess risk and adapt verification experiences in real time. Persona validates identity documents against authoritative databases (e.g., AAMVA) and uses link analysis to detect fraud rings operating at scale.

Though fraud will continue to evolve, one thing is clear: workforce security can no longer wait until after an employee is hired. The hiring process itself has become the front line of defense; organizations that fail to verify identities early risk letting threat actors into their networks.

Thinking about how to safeguard your hiring against fake candidates? Explore our Workforce IDV solution. You can also reach out to discuss today’s best practices for detecting candidate fraud. We’re ready to help you build your workforce security strategy.

On-demand webinar
Candidate verification: Stop fraud before it enters your workforce
Watch now

The information provided is not intended to constitute legal advice; all information provided is for general informational purposes only and may not constitute the most up-to-date information. Any links to other third-party websites are only for the convenience of the reader.
Jenna Kim
Jenna Kim
Jenna Kim is a product manager building Persona's third-party integrations marketplace. Outside of work, she can usually be found at the driving range, tennis courts, or park with a book in hand.
Continue reading