Digital security giant busts vetted cyber hire

Biometrics should play a role in a package of security systems in place when remote hiring, warn experts.

Published Sep 7, 2024

As the number of digital nomads increases and online hiring becomes the norm, even rigorous vetting could fail if companies did not have several layers of security.

Last week, global cybersecurity awareness company KnowBe4 said that, despite its rigorous digital vetting processes, it was scammed into hiring a North Korean spy. The deception was discovered when the “new employee” downloaded malware on a company-issued laptop.

The company said these bad actors used sophisticated strategies helped by artificial intelligence (AI) to create fake but believable identities to get hired. They then used proxies in those countries to gain access to the company’s IT systems.

Identity management expert Dawid Jacobs, who heads up DAL Identity International, said synthetic identities were one of the fastest-growing risks globally. He said having a verified representative from the organisation present during the interview added an extra layer of security.

“With advancements in AI, crime syndicates can create numerous synthetic identities and infiltrate institutions that rely on weak identity verification solutions.”

He said while official identification systems, such as the Department of Home Affairs, were often used for verification, fraudulent records may exist within these systems, making them unreliable for definitive identity proof. According to Jacobs, with the rise of deepfake technology, it’s easier than ever to manipulate video and audio in interviews.

“AI can alter facial features in real time, making it possible to present a fake identity during video calls. Voice cloning technology allows individuals to replicate someone else’s voice with just a few minutes of audio. This renders voice biometrics ineffective because criminals can easily manipulate voices during interviews or identity verifications,” he said.

Only forensic-level identity management systems, multi-layered identity verification processes, forensic-level biometric checks, and real-time monitoring can protect organisations from identity fraud and insider threats, said Jacobs.

“The KnowBe4 incident underscores the urgent need for businesses to strengthen identity verification and cybersecurity measures, particularly in the context of remote hiring.”

Jacobs said companies could protect themselves from identity fraud and “insider threats” by adopting multi-layered identity verification processes, biometric checks and real-time monitoring.

He said DAL Identity International integrated their identity management tools with payroll and HR systems so that companies can eliminate ghost workers and “buddy punching”, where one worker gets another to clock them in or out of a work shift.

He advised that all interviews should be conducted via video with real-time biometric matching to ensure the individual matched the submitted ID.

Manoj Maharaj, Professor of Information Systems at the University of KwaZulu-Natal, said a company’s security should consist of multiple layers, like an onion.

He said that even though KnowBe4 is a cybersecurity awareness company, it was not surprising it was duped because it happened to companies all the time.

“On the face of it, when people submit CVs, the CVs are fine. You do the normal checks and you hire the person only to find out later that they may have done something wrong,” said Maharaj.

He said the real issue was that too much emphasis was placed on certifications and when these were produced, there wasn’t rigorous testing to check if they were valid.

“The question should be how widespread is this fake identity scam. There are technologies available right now that do real-time masking. In other words, you can be on a live stream and you can mask that live stream and put somebody else’s face on.”

He said the current technology was “not that good at the moment” and these could be spotted, “but there could be some very good quality ones out there that are not public”.

Maharaj said that while these technologies should be vetted and not used for the “wrong thing”, there are bad actors out there who do use them that way.

For instance, he said, when making a phone call someone would assume that the person who answers is the one they are trying to reach, but somebody else could be answering the phone.

He said that in the case of KnowBe4 the system worked because it had different layers.

“There’s really no way they could know, unless they had reason to suspect that this guy was a fraudster. But as soon as the laptop started downloading malware, their systems picked it up. That means the system worked and they were able to stop it.

“This is not a slight to the company; it is and should be a wake-up call. This is why many companies who have international hiring processes rely on local agents,” said Maharaj.

Anja van Beek, a talent strategist, leadership and HR expert, said it was a “no brainer” that HR processes should embrace technology as the world becomes more digital, but the “human aspect” is critical in the world of work.

She said during recruitment, companies must consider where in the process they would have “that human touch”.

“The beauty of the world of work that we’re living now is that sometimes you interview or you work for organisations in a different city, sometimes even a different country, but at least have a virtual connect and have an opportunity to get to know the person behind the CV,” said Van Beek.

She said while a CV could look good, in reality the person might not be suitable for the company or the job.

“I would never ever recruit someone basically on a virtual process, where I haven't seen them or even had a few words of interaction face-to-face or virtually. It’s all about alignment with the company values and it’s so easy for someone, if you ask a question, to answer in a specific way, but when you see an individual, you see the non-verbals, you see the reaction,” she said.