Five ways to conduct a more secure hiring process

COMMENTARY: Hiring has always been challenging, but now security threats show up in the recruiting process itself.

It’s no longer just embellished resumes or questionable GitHub repositories. Today’s risks include AI-assisted interviews, identity fraud, deepfakes, and, potentially, moments when a candidate’s VPN slips and reveals they’re actually logging in from Russia, North Korea, or other nation-states.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Candidates from all around the world now use AI to increase their chances of landing a role in a very difficult job market. On paper, the candidate may look solid: relevant experience, a coherent portfolio, and a strong early technical screen. So how can CISOs, cybersecurity teams and human resources determine if these candidates are who they say they are? And how can teams determine if existing team members are legitimate?

While the threat actors are sophisticated, they are also constrained by their environments, technology, and societal norms and indicators. Given today’s impersonation threats, interviewers need an exceptionally hands-on interview process, including the following:

  • Conduct live technical interviews: What was once a remote or virtual technical interview must now happen live, with screen-sharing, real-time coding and architectural walkthroughs. Here’s where fraud starts to crack, with fake candidates unable to keep up their ruse at the pace of technology.
  • Pay attention to time zone realities: While many cybersecurity professionals keep odd hours, interviewers are encouraged to pay attention to the times when meetings are requested and deliveries are submitted.
  • Watch for odd VPN routing: VPNs are a common safeguard for many professionals. If VPNs are routing through unexpected countries, it’s a sign of a potential impersonator.
  • Listen for audio background noise: There’s an increase in call centers being used to secure lower-level IT positions, where call center operators are interviewing for multiple jobs and securing them. It’s a prime opportunity to listen for environmental indicators of strange behavior and activity.
  • Get the candidates to explain their technical work: While AI tools do offer operational efficiencies to teams, interviewers also need to test whether candidates can explain their technical work and processes without using AI tools.

With remote work and an international workforce, there are some best practices that can help prevent impersonators from making it through the interview process. A hiring manager should require at least one in-person meeting, even for remote roles, and hold interviews during normal business hours to avoid any outliers in the process.

Fraudulent hires can gain access to systems, siphon data, or quietly exfiltrate intellectual property. Recruiting fraud represents a supply-chain attack vector hiding in plain sight.

Teams need to empower their employees to look for signs that existing team members could be impersonators. While this should not turn into a witch hunt, it’s fundamentally important for employees to understand all of the potential attack vectors that are coming their way, including ransomware attacks, phishing attempts and any new threats.

Human risk can begin before onboarding, and hiring has become a part of every attack surface. We can reduce that risk by training employees to recognize red flags. When people know what to look for, hiring fraud becomes much harder to pull off.

Nicole Jiang, co-founder and CEO, Fable Security

Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
