Kudelski Security
5/28/2026

Fake Workers, Real Exposure – When the New Hire is the Intrusion

Advisory Services
Johannes Schaetz
Director Cybersecurity Governance

In a March 15, 2026, article, the Financial Times reported that North Korean operatives are increasingly using stolen identities, forged credentials, AI-assisted interviews, facilitators, and ‘laptop farms’ to place so-called fake workers inside European companies – an expansion of a scheme that had already been extensively documented in the United States. The article’s most important observation was not the tradecraft alone but the failure point it exploits: recruitment is still not naturally treated as a security issue, even though hiring decisions lead directly to device issuance, account creation, payroll enrolment, and access to sensitive systems. Official US actions since 2025 reinforce that assessment. The U.S. Department of Justice says schemes involving remote North Korean IT workers have used stolen and fake identities, shell companies, facilitators, and laptop farms to obtain jobs at more than 100 US companies, while the U.S. Department of the Treasury says these programs generated nearly $800 million in 2024 alone. The Federal Bureau of Investigation has further warned that these actors are now moving beyond wage collection into data theft and extortion.

For CISOs, the implication is straightforward: fake-worker risk is not merely hiring fraud. It is a human-risk scenario that spans identity proofing, onboarding, payroll integrity, endpoint handling, access governance, and post-hire detection. It also exposes a broader governance truth: a cyber strategy for human risk cannot sit inside security alone. HR owns the first trust decision; security and IAM own technical trust enforcement; finance owns payment integrity; managers own contextual challenge and early escalation; and leadership owns the cross-functional operating model.

Assumptions: This article assumes a mid-sized or large enterprise with remote or hybrid hiring, an ATS/HRIS, payroll platform, centralised identity management, endpoint telemetry, and a legal environment requiring proportionate, documented verification and monitoring practices.

Recruitment as a security boundary

The most dangerous misconception in this space is that cyber risk starts after employment. In reality, once a fake worker is hired, the organisation has already issued trust: a personnel record, a payroll destination, a corporate device, credentials, and often access to source code, customer information, or internal systems. Under the Cybersecurity and Infrastructure Security Agency definition, an insider is anyone with authorised access to or knowledge of organisational resources; the moment a fraudulent applicant clears hiring and onboarding, the problem has already crossed from recruitment fraud into insider-risk territory.

This is why the fake-worker issue deserves to be treated as a control-system failure rather than a one-off scam. The public reporting is consistent: actors have used false personas, proxy infrastructure, payment manipulation, interviewer stand-ins, and remote access to company laptops to sustain the deception. In practice, that means the attack succeeds only when several protective layers fail together – screening, identity proofing, device delivery, access provisioning, payroll scrutiny, and post-hire monitoring.

HR as the first gatekeeper of workforce trust

If recruitment is a trust boundary, then HR is not adjacent to the control set – it is part of it. The FBI’s January 2025 guidance is explicit: organisations should implement identity verification during interviewing, onboarding, and employment; cross-check resumes and contact information across applicants; educate HR staff and hiring managers; review reused phone numbers and email addresses; validate staffing firms; and ask role-appropriate, location-specific questions that are harder to outsource or spoof. The FBI also notes that these actors have used AI and face-swapping technology in video interviews and have exploited changes in address or payment details during onboarding.

The right CISO response is not to “shift security into HR” in a vague sense. It is to help define an HR cyber strategy: a focused operating model for how recruitment, onboarding, re-verification, mover events, and offboarding contribute to cyber defence. The National Institute of Standards and Technology identity guidance is useful here because it frames identity proofing and authenticator management as structured assurance activities, not as informal checks. In a workforce context, that translates to a simple rule: do not issue durable trust until the person, the account, and the authenticator have been bound through evidence-based verification.

Trust is not suspicion – it is a control decision

A critical distinction must be made when discussing fake-worker risk: this is not about pre-emptively criminalising individuals. Most human risk in organisations emerges not from malicious intent, but from a complex interplay of context, incentives, capability, and environment.

However, the point of entry into an organisation is fundamentally different. At this stage, the organisation has not yet established trust – it is being asked to grant it. In this context, verification is not suspicion; it is due diligence.

Mature organisations therefore apply a simple principle:

Trust in people is built over time, but trust in identity must be established upfront.

This distinction allows organisations to remain human-centric in their risk philosophy while still applying rigorous controls where they matter most.

The role of HR as a gatekeeper is therefore not to be suspicious of people, but to be rigorous about trust. Done well, this creates the conditions for a far more balanced approach later: one that replaces blanket suspicion with situational trust, grounded in evidence and reinforced over time.

Shared defence across the business

Fake-worker schemes thrive at departmental seams, which is why the response has to be enterprise-wide. The Software Engineering Institute is clear that insider-risk mitigation requires a coordinated, proactive, enterprise-wide effort, and the National Cyber Security Centre similarly frames insider mitigation as work involving technical leaders, business owners, HR, legal, and data-protection teams – not just security operations.

The practical question is not “who owns fake workers?” but “who sees which signal first, and how fast does the organisation act?”

Role × data × action matrix

| Function | Data or signal it sees first | Primary defensive action |
| --- | --- | --- |
| HR | identity evidence, résumé consistency, address changes, staffing-firm quality | verify identity, history, and onboarding integrity |
| Security / IAM | login anomalies, device posture, unusual remote tools, repository access | enforce least privilege, step-up auth, anomaly review |
| Finance | payroll destination, bank changes, payment-platform anomalies | verify payment instruments and flag onboarding payment drift |
| Hiring manager | role fit, interview plausibility, performance inconsistency | challenge contextual gaps early and escalate quickly |
| Marketing / Comms | recruiter impersonation, employer-brand abuse, public narrative | protect recruiter channels and coordinate external messaging |
| Legal / Privacy | monitoring boundaries, employment-law and privacy constraints | ensure verification and response remain proportionate and reviewable |

The inclusion of marketing and communications is an inference from the threat pattern: if attackers exploit recruiter identity, public professional profiles, and employer reputation to look legitimate, brand integrity becomes part of the defensive surface too.

Building an HR cyber strategy

A useful starting point is to treat hiring the way mature security teams treat privileged access: as a high-consequence workflow that deserves explicit controls, exceptions, ownership, and evidence. That does not mean turning recruitment into a hostile process. It means making workforce trust issuance deliberate, traceable, and risk-based. The controls below synthesize the FBI’s remote-hiring guidance, Treasury’s 2022 advisory, NIST identity-assurance principles, and the enterprise-wide mitigation approach recommended by SEI.

Hiring verification matrix

| Hiring stage | Primary owner | Control objective | Key red flags | Escalation path |
| --- | --- | --- | --- | --- |
| Application screening | HR | deduplicate identities and contact data | reused résumés, phone numbers, emails, or bank details | HR → Security |
| Interview | HR + manager | verify live identity and role plausibility | camera avoidance, face-swap artifacts, overly scripted answers | HR → Security + manager |
| Pre-offer validation | HR | independently verify history and qualifications | unverifiable employers, weak online presence, inconsistent timeline | HR → Security |
| Onboarding | HR + IAM | prevent trust issuance before proofing completes | address or payment changes, urgency to bypass checks | HR → IAM + Finance |
| Device shipment | IT fulfilment | ensure device goes to verified recipient | alternate shipping requests, forwarding behaviour, delivery mismatch | IT → HR + Security |
| First 30 days | Manager + Security | confirm behaviour matches verified role and location | multi-geo access, unusual code export, strange collaboration patterns | Security → HR + Legal |
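The application-screening control (deduplicate identities and contact data, flag reused phone numbers, emails or bank details) is mechanical enough to automate over ATS exports. The script below is an added illustration, not Kudelski Security's or any vendor's code; the record layout, field names and applicant records are constructed, and the phone normalisation assumes North American numbers carry a leading +1.

```python
import re
from collections import defaultdict

# Constructed ATS-style records (not real applicants): one dict per application.
APPLICANTS = [
    {"id": "A-1001", "name": "Dana Reyes", "email": "dana.reyes@example.com",
     "phone": "+1 (415) 555-0101", "bank_iban": "DE89 3704 0044 0532 0130 00"},
    {"id": "A-1002", "name": "Chris Lee", "email": "chris.lee@example.net",
     "phone": "415-555-0101", "bank_iban": "DE89370400440532013000"},
    {"id": "A-1003", "name": "Sam Okafor", "email": "sam.okafor@example.org",
     "phone": "+44 20 7946 0958", "bank_iban": "GB33BUKB20201555555555"},
    {"id": "A-1004", "name": "Chris Lee", "email": "CHRIS.LEE@example.net",
     "phone": "+1-415-555-0199", "bank_iban": ""},
]

def normalise(field, value):
    """Canonicalise one contact field so cosmetic differences cannot hide reuse."""
    value = (value or "").strip()
    if not value:
        return None
    if field == "email":
        return value.lower()
    if field == "phone":
        digits = re.sub(r"\D", "", value)
        # Assumption: strip a leading North American country code (+1) so that
        # "415-555-0101" and "+1 (415) 555-0101" compare equal.
        return digits[1:] if len(digits) == 11 and digits.startswith("1") else digits
    if field == "bank_iban":
        return re.sub(r"\s", "", value).upper()
    return value

def find_reuse(applicants, fields=("email", "phone", "bank_iban")):
    """Map (field, normalised value) -> sorted applicant ids for every value shared
    by more than one distinct applicant name (the same person reapplying is ignored)."""
    index = defaultdict(list)
    for app in applicants:
        for field in fields:
            key = normalise(field, app.get(field))
            if key:
                index[(field, key)].append(app)
    return {
        (field, key): sorted(a["id"] for a in apps)
        for (field, key), apps in index.items()
        if len({a["name"].strip().lower() for a in apps}) > 1
    }

if __name__ == "__main__":
    for (field, value), ids in find_reuse(APPLICANTS).items():
        print(f"{field} {value!r} reused across {ids}: escalate HR -> Security")
```

Each hit is a screening signal for the HR → Security escalation path in the matrix, not a verdict on the applicant.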

Practitioner playbook

First, reclassify remote hiring and contractor onboarding as security-relevant workflows in the risk register. If the organisation treats recruitment as an HR-only process, it will continue to miss the fact that hiring can create a fully authorised insider with adversarial intent.

Second, define a minimum verification standard by role sensitivity. Not every role needs the same depth of scrutiny, but roles with access to source code, financial operations, customer data, or regulated information should require stronger identity proofing, direct reference validation, controlled device shipment, and phishing-resistant authentication from day one.

Third, make finance part of the detection fabric. The Treasury and joint advisory material make clear that payment routes, virtual-currency use, and beneficiary changes are not peripheral details; they are part of the scheme. Payroll irregularities during onboarding should be treated as risk signals, not only administrative exceptions.

Fourth, instrument the first 30 days. If the worker is fraudulent, this is often when identity cracks, access anomalies, or collaboration inconsistencies appear. Monitor for unusual VPN patterns, impossible travel, abnormal repository cloning, remote control artifacts, and mismatches between the claimed role and actual system behaviour.
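Two of the first-30-day signals named above, impossible travel and multi-geo access, can be computed directly from identity-provider or VPN login events. The following is an added example, not code from the article or from Kudelski Security; the event tuple format, the sample events and the 900 km/h plausibility threshold are all constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: anything faster than roughly airline speed between two logins
# is treated as implausible; tune this to local policy.
MAX_PLAUSIBLE_KMH = 900

# Constructed IdP/VPN login events for one new hire (not real data):
# (ISO timestamp in UTC, country, latitude, longitude)
EVENTS = [
    ("2026-04-01T08:00:00", "DE", 52.52, 13.41),   # Berlin
    ("2026-04-01T09:30:00", "DE", 52.52, 13.41),
    ("2026-04-01T11:00:00", "CN", 31.23, 121.47),  # Shanghai, 90 minutes later
    ("2026-04-02T07:45:00", "DE", 52.52, 13.41),   # Berlin again next morning
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier_ts, later_ts, implied_kmh) for each consecutive pair of
    logins whose implied travel speed exceeds max_kmh."""
    ordered = sorted(events, key=lambda e: e[0])
    flags = []
    for prev, cur in zip(ordered, ordered[1:]):
        hours = (datetime.fromisoformat(cur[0])
                 - datetime.fromisoformat(prev[0])).total_seconds() / 3600
        dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
        if dist == 0:
            continue  # same location: nothing to evaluate
        speed = dist / hours if hours > 0 else float("inf")  # simultaneous logins apart
        if speed > max_kmh:
            flags.append((prev[0], cur[0], round(speed)))
    return flags

def countries_seen(events):
    """Distinct login countries: more than one in the first 30 days is the
    'multi-geo access' signal that warrants a manager and Security check."""
    return sorted({e[1] for e in events})

if __name__ == "__main__":
    for earlier, later, kmh in impossible_travel(EVENTS):
        print(f"{earlier} -> {later}: implied {kmh} km/h, escalate Security -> HR + Legal")
    print("countries in window:", countries_seen(EVENTS))
```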

Fifth, keep the response proportionate and governed. Stronger verification and monitoring can be necessary, but the NCSC and SEI both emphasize that insider-risk programs work best when controls are coordinated, legitimate, and bounded by clear governance rather than improvised suspicion.


Detect, respond, learn

When suspicion arises, organisations need a cross-functional path that is fast enough to contain risk but disciplined enough to preserve evidence and fairness. NIST’s incident-response guidance emphasizes that incident handling should be integrated into broader risk management and coordinated across organisational functions; that principle applies directly here because fake-worker cases blend cyber, HR, legal, payroll, and sometimes sanctions concerns.

The post-incident review (PIR) is where the organisation either repeats the same mistake or actually matures. The wrong question is “How did HR miss it?” The right question is “Which control layers failed to connect?” That framing turns a fake-worker event into a broader human-risk lesson: workforce trust is a shared security architecture, not an administrative convenience.

Closing perspective: redefining workforce trust

The fake-worker problem is not an anomaly. It is an early signal of how identity, work, and trust are being redefined in a remote and AI-enabled economy.

What makes these schemes effective is not technical sophistication alone – it is organisational misalignment. Recruitment is treated as an administrative workflow, while access, identity, and risk are treated as security concerns. In reality, they are the same decision, made at different points in time.

For CISOs, this creates a clear inflection point.

You can continue to treat hiring as an upstream dependency – something to be “influenced” but not owned – or you can recognise it for what it has become: a primary control surface in the organisation’s security architecture.

That shift is not about expanding the remit of security. It is about redefining how trust is issued across the enterprise.

Because in a world where adversaries can convincingly simulate identity, pass interviews, and operate as legitimate employees, the question is no longer:

“How do we detect malicious insiders?”

It is:

“How do we ensure that the people we trust are who we think they are – before that trust is ever granted?”

The organisations that answer that question deliberately – through integrated HR, security, and business controls – will not just reduce fake-worker risk. They will build a more resilient model of human trust.

Those that do not will continue to discover the same lesson the hard way:

By the time a fake worker behaves like an insider threat, the organisation has already made its most important security decision – and made it incorrectly.

If your organisation is rethinking how trust is issued across hiring, onboarding, identity, and access, Kudelski Security can help you turn that challenge into a stronger cross-functional control model. Contact us to discuss how to strengthen workforce trust before risk becomes access.
