Fraudulent Hire Discovered — A Step-by-Step Response Playbook

Feb 24, 2026

AUTHOR

James A. Wondrasek

Fraudulent hires are no longer theoretical. When KnowBe4 — a company whose entire business is cybersecurity awareness — discovered a North Korean operative on their payroll in July 2024, their endpoint detection caught it within hours. Most organisations will not be that lucky.

The moment you suspect a current employee used a fabricated identity to get the job, activate your insider threat incident response protocol — not performance management. This playbook covers both DPRK/nation-state variants and domestic identity fraud, with branch points where the response diverges. For the full threat landscape context, see our guide to synthetic candidate fraud and how to prevent it.

One principle runs through everything here: do not confront the employee before containment is complete. Confronting before access is revoked gives the operative time to exfiltrate data, deploy malware, destroy evidence, or trigger extortion. This is the point non-security leaders routinely miss.

What Are the First Signs That a Current Employee Is a Fraudulent Hire?

The primary technical detection mechanism is User and Entity Behaviour Analytics (UEBA) anomalies in the first 30–90 days. Think off-hours logins inconsistent with the employee’s stated time zone, unusual data access volumes, mass-copy events, and VPN usage inconsistent with their stated location.
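The time-zone, VPN-location and data-volume checks described above, as an added example that is not part of the original article: the profile, the session events and the working-hours window are all constructed here, and the volume baseline is simply the mean of the employee's earlier sessions.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed onboarding profile: what the hire declared about themselves.
PROFILE = {"user": "j.doe", "utc_offset_hours": -5, "country": "US"}

# Constructed session events: (UTC timestamp, VPN exit country, bytes read in the session).
EVENTS = [
    ("2026-02-02T14:05:00", "US", 12_000_000),
    ("2026-02-03T13:50:00", "US", 9_000_000),
    ("2026-02-04T14:20:00", "US", 11_000_000),
    ("2026-02-05T06:10:00", "US", 10_000_000),   # 01:10 in the stated time zone
    ("2026-02-06T07:30:00", "CN", 400_000_000),  # 02:30 local, wrong country, mass read
]

WORK_START, WORK_END = 7, 20   # hours treated as normal in the stated time zone (assumption)
SPIKE_FACTOR = 5               # a session this many times the baseline volume is an anomaly

def local_hour(ts_utc: str, utc_offset_hours: int) -> int:
    """Hour of day in the employee's stated zone for a UTC timestamp."""
    return (datetime.fromisoformat(ts_utc) + timedelta(hours=utc_offset_hours)).hour

def analyse(profile: dict, events: list) -> dict:
    """Return {timestamp: [reasons]} for every session that contradicts the stated profile.

    The volume baseline is the mean of all earlier sessions, so the first session can
    never be a spike: there is nothing yet to compare it against.
    """
    flagged, volumes = {}, []
    for ts, vpn_country, nbytes in events:
        reasons = []
        hour = local_hour(ts, profile["utc_offset_hours"])
        if not WORK_START <= hour < WORK_END:
            reasons.append(f"off-hours login ({hour:02d}:xx in stated zone)")
        if vpn_country != profile["country"]:
            reasons.append(f"VPN exit {vpn_country} != stated {profile['country']}")
        if volumes and nbytes > SPIKE_FACTOR * mean(volumes):
            reasons.append(f"volume {nbytes} > {SPIKE_FACTOR}x baseline {mean(volumes):.0f}")
        volumes.append(nbytes)
        if reasons:
            flagged[ts] = reasons
    return flagged

if __name__ == "__main__":
    for ts, reasons in analyse(PROFILE, EVENTS).items():
        print(ts, "->", "; ".join(reasons))
```

In a real deployment the profile comes from the onboarding record and the events from the identity provider and VPN logs; the three checks stay the same.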

The KnowBe4 case is instructive because detection came from a completely different layer. Their EDR software flagged the operative loading malware via a Raspberry Pi on the same day the workstation arrived. Microsoft Threat Intelligence, which tracks the DPRK remote worker group it calls Jasper Sleet, flags these specific indicators to watch for:

The distinction between DPRK operatives and domestic identity fraudsters matters here. A domestic fraudster tries to stay invisible and collect a salary. A DPRK operative installs remote access tooling immediately and begins data collection or malware deployment within hours. If you are seeing RMM software or PiKVM devices, treat this as a nation-state incident from the outset. Full stop.

What Should You Do in the First Two Hours After Suspicion Is Confirmed?

Restrict response to a small, trusted working group. Premature disclosure — even to well-meaning colleagues — can alert the operative. This is not a moment for transparency.

Step 1: Assemble the response team. Security lead, legal counsel, and CEO/CTO only. HR is informed but does not lead. The employee’s manager is not notified unless they are already part of the incident response team.

Step 2: Execute stealth access revocation — all access vectors simultaneously. The goal is simultaneous removal. Close one path before another and you push the operative toward what’s still open. The full checklist: SSO/identity provider, VPN credentials, email and calendar, messaging platforms, code repositories, cloud console accounts (AWS, GCP, Azure), API keys, service account tokens, SSH keys, CI/CD pipeline credentials, and physical access credentials. Run this in parallel, not sequentially.

Step 3: Quarantine the assigned device via MDM or EDR. Endpoint isolation, not remote wipe. The device is evidence. Wipe it and you hand law enforcement nothing.

Step 4: Document every action with a timestamp. Who did what, when, and why. This is the foundation of your legal position.

Step 5: Preserve evidence in parallel with containment. Log retention policies auto-delete. If your SIEM rolls logs after 30 days and you wait a week, they may be gone.
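Steps 2 and 4 together, parallel revocation with a timestamped record of every action, as an added example that is not from the article or any vendor: the access inventory is a constructed in-memory stand-in, each vector's revoke step would in practice be the provider's own API call, and the "badge" vector is deliberately made unreachable to show that one failure neither stops the other vectors nor goes unrecorded.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime, timezone

# Constructed in-memory inventory of the employee's access, keyed by vector (hypothetical:
# in a real run each vector's revoke is the identity / cloud / VCS provider's own API call).
ACCESS = {
    "sso": {"j.doe": "active"}, "vpn": {"j.doe": "active"}, "email": {"j.doe": "active"},
    "messaging": {"j.doe": "active"}, "git": {"j.doe": "active"}, "cloud_console": {"j.doe": "active"},
    "api_keys": {"j.doe/key-1": "active", "j.doe/key-2": "active"},
    "ssh_keys": {"j.doe@laptop": "active"}, "ci_cd": {"j.doe/deploy-token": "active"},
    "badge": {"j.doe": "active"},
}
OFFLINE = {"badge"}  # constructed failure: the physical access system is unreachable during the run
LOCK = threading.Lock()

def revoke_vector(store: dict, vector: str, principal: str, actor: str, log: list) -> bool:
    """Disable every entry for the principal under one vector; always write a timestamped record."""
    started = datetime.now(timezone.utc).isoformat()
    try:
        if vector in OFFLINE:
            raise ConnectionError(f"{vector} provider unreachable")
        for key in store[vector]:
            if key == principal or key.startswith(principal + "/") or key.startswith(principal + "@"):
                store[vector][key] = "revoked"
        outcome = "ok"
    except Exception as exc:  # one vector failing must not stop the others
        outcome = f"failed: {exc}"
    with LOCK:
        log.append({"ts": started, "actor": actor, "vector": vector, "principal": principal,
                    "action": "revoke", "outcome": outcome, "reason": "insider-threat IR containment"})
    return outcome == "ok"

def revoke_all(store: dict, principal: str, actor: str):
    """Fan out to every vector at once; return (audit log, vectors that still need manual action)."""
    log = []
    with ThreadPoolExecutor(max_workers=len(store)) as pool:
        ok = list(pool.map(lambda v: revoke_vector(store, v, principal, actor, log), store))
    return log, [v for v, done in zip(store, ok) if not done]

def still_open(store: dict, principal: str) -> list:
    """Vectors where any of the principal's entries is still active: the post-containment check."""
    return sorted(v for v, entries in store.items()
                  if any(k.startswith(principal) and s == "active" for k, s in entries.items()))

if __name__ == "__main__":
    log, failed = revoke_all(ACCESS, "j.doe", "security-lead")
    for rec in log:
        print(rec["ts"], rec["vector"], rec["outcome"])
    print("still open:", still_open(ACCESS, "j.doe"), "retry manually:", failed)
```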

How Do You Preserve Forensic Evidence in a Way Law Enforcement Can Use?

Law enforcement does not need enterprise forensic tooling for initial engagement. It needs documented chain of custody: who collected what, when, from where, and how it has been stored since.

Here is what to preserve: SIEM logs covering the employee’s entire tenure, email and messaging archives, source code repository access logs, cloud service access logs, VPN connection logs, endpoint forensic image or EDR telemetry, and all HR onboarding and identity verification documents.

The chain-of-trust hiring records are now evidence. Do not alter them. If those records exist, your legal position is significantly stronger. If they do not, you are simultaneously managing a security incident and potential negligent hiring liability — not a fun situation to be in.

Store evidence on a separate, access-controlled system — not on infrastructure the employee had access to. A signed, dated log of who accessed the evidence collection, when, and for what purpose is acceptable for initial law enforcement engagement. Get legal counsel to review evidence handling before any handoff.
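A minimal chain-of-custody manifest of the kind described above, as an added example that is not part of the article: each collected artefact gets a record of who collected it, when, from where and how, together with its SHA-256 at collection, every later access is logged, and a verify pass reports any file whose hash has since changed. The evidence files, the case id and the collectors are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in chunks so a multi-gigabyte forensic image never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect(manifest: dict, path: Path, collector: str, source: str, method: str) -> dict:
    """Record who collected what, when, from where and how, plus the hash it had at collection."""
    rec = {"file": path.name, "sha256": sha256_file(path), "collected_by": collector,
           "collected_at": datetime.now(timezone.utc).isoformat(), "source": source, "method": method}
    manifest["items"].append(rec)
    return rec

def log_access(manifest: dict, who: str, purpose: str) -> None:
    """Every later look at the evidence store gets a dated entry: who, and for what purpose."""
    manifest["access_log"].append({"ts": datetime.now(timezone.utc).isoformat(), "who": who, "purpose": purpose})

def verify(manifest: dict, evidence_dir: Path) -> list:
    """Names of files whose current hash no longer matches what was recorded at collection."""
    return [r["file"] for r in manifest["items"] if sha256_file(evidence_dir / r["file"]) != r["sha256"]]

def demo() -> tuple:
    """Constructed run: two log exports collected, then one altered; returns (before, after) mismatches."""
    evidence = Path(tempfile.mkdtemp())
    (evidence / "siem-export.log").write_text("constructed SIEM export covering the hire's tenure\n")
    (evidence / "vpn-connections.log").write_text("constructed VPN connection log\n")
    manifest = {"case": "PLACEHOLDER-CASE-ID", "items": [], "access_log": []}
    collect(manifest, evidence / "siem-export.log", "security-lead", "SIEM", "export via console")
    collect(manifest, evidence / "vpn-connections.log", "security-lead", "VPN concentrator", "syslog export")
    log_access(manifest, "legal-counsel", "pre-handoff review")
    (evidence / "manifest.json").write_text(json.dumps(manifest, indent=2))
    before = verify(manifest, evidence)
    (evidence / "vpn-connections.log").write_text("edited after collection\n")  # simulated tampering
    return before, verify(manifest, evidence)

if __name__ == "__main__":
    print("mismatches before/after tampering:", demo())
```

The manifest itself should live on the separate, access-controlled system, and its hash recorded outside it, so the custody record cannot be silently rewritten along with the evidence.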

When Should You Contact the FBI, and What Does the OFAC Pathway Look Like?

The decision branches based on whether DPRK or state-actor involvement is suspected, or whether the fraud appears domestic.

If DPRK or nation-state involvement is suspected: Report to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov — the standard pathway per both Microsoft and DOJ guidance. Simultaneously, engage legal counsel to evaluate whether OFAC notification is required. Paying the salary of a North Korean national — even unknowingly — may constitute a sanctions violation. OFAC civil liability is strict liability. You can face penalties even when you acted in complete good faith. Voluntary self-disclosure is a significant mitigating factor, so get on the front foot.

If domestic fraud is suspected: Report to FBI IC3 and/or local law enforcement. OFAC is not relevant unless there is a sanctions nexus.

Keep these clearly separated: FBI IC3 is for crime reporting — the fraudulent employment itself. OFAC notification is for sanctions compliance — the potential violation of employing a sanctioned-country national. Filing an FBI IC3 report does not satisfy OFAC notification obligations, and vice versa. Do not wait for a complete internal investigation before reporting — early reporting demonstrates good faith.

For deeper coverage of the legal notification framework, see our companion article on legal notification obligations.

How Do You Assess the Blast Radius of a Fraudulent Employee’s Access?

Start with the access audit. If you implemented least-privilege access control, the blast radius is inherently limited. KnowBe4 was explicit about this: “It’s good we have new employees in a highly restricted area when they start, and have no access to production systems.” That restriction is what turned their incident into a near-miss rather than a full breach.

Review SIEM and access logs for the anomaly period. Look for: mass-copy events, unusual API call volumes, access to systems outside the employee’s normal workflow, large file transfers, email forwarding rules to external addresses, USB device connections, and RMM tool or PiKVM device connections.

Work out what category of data was accessed — customer personal data, employee PII, source code, and financial data all carry different regulatory implications. If personal data was accessed, a data breach notification assessment is required.
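The access review and data-category assessment from the two paragraphs above, as an added example that is not part of the article: a constructed access log is scoped to the anomaly window, grouped by the data category of each system touched (the classification map is an assumption), external email-forwarding rules are surfaced in the same pass, and the report says whether a breach-notification assessment is triggered.

```python
# Constructed classification of the systems the hire touched; each category carries different
# regulatory weight, which is why the report groups access by category rather than by host.
CLASSIFICATION = {
    "crm-export": "customer_personal_data",
    "hr-directory": "employee_pii",
    "repo:payments": "source_code",
    "ledger-db": "financial_data",
    "wiki": "internal",
}
PERSONAL_DATA = {"customer_personal_data", "employee_pii"}

# Constructed access log: (UTC timestamp, event, target, bytes). A mail_rule event carries the
# forwarding address as its target so external auto-forwards are found in the same pass.
LOG = [
    ("2026-02-03T14:00:00", "read", "wiki", 20_000),
    ("2026-02-05T06:12:00", "read", "crm-export", 350_000_000),
    ("2026-02-05T06:40:00", "clone", "repo:payments", 90_000_000),
    ("2026-02-06T07:35:00", "mail_rule", "forward:archive@example.net", 0),
    ("2026-02-06T07:50:00", "read", "ledger-db", 5_000_000),
    ("2026-02-10T15:00:00", "read", "wiki", 10_000),   # outside the anomaly window
]

def blast_radius(log: list, start: str, end: str, internal_domain: str = "example.com") -> dict:
    """Scope what was touched inside [start, end]: events and bytes per data category,
    external forwarding rules, and whether a breach-notification assessment is triggered."""
    report = {"categories": {}, "external_forwarding": [], "breach_assessment_required": False}
    for ts, event, target, nbytes in log:
        if not start <= ts <= end:          # ISO-8601 strings sort chronologically
            continue
        if event == "mail_rule":
            address = target.split(":", 1)[1]
            if not address.endswith("@" + internal_domain):
                report["external_forwarding"].append(address)
            continue
        category = CLASSIFICATION.get(target, "unclassified")
        bucket = report["categories"].setdefault(category, {"events": 0, "bytes": 0})
        bucket["events"] += 1
        bucket["bytes"] += nbytes
        if category in PERSONAL_DATA:
            report["breach_assessment_required"] = True
    return report

if __name__ == "__main__":
    r = blast_radius(LOG, "2026-02-05T00:00:00", "2026-02-07T00:00:00")
    for cat, b in sorted(r["categories"].items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{cat:24} {b['events']:>3} events {b['bytes']:>12,} bytes")
    print("external forwarding:", r["external_forwarding"])
    print("breach assessment required:", r["breach_assessment_required"])
```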

If extortion threats emerge, treat this as a separate incident stream. Do not engage. Do not pay. Involve FBI IC3 and legal counsel immediately and preserve all communications as evidence.

What Security Controls Should You Add Immediately After the Incident?

The blast radius assessment tells you what happened. The post-incident review determines whether it happens again.

Identity proofing for all current open roles. Pause active remote hiring and re-evaluate identity verification at every open position — the fraudulent hire’s colleagues may have been placed through the same pipeline. Worth checking.

Chain-of-trust recordkeeping for all new hires going forward. Documented identity verification, recorded video interviews, independently verified references, background screening from authoritative sources. Actual verification, not checkbox compliance. There is a difference.

UEBA implementation or tuning. If UEBA was not in place, implement it. If it was in place and failed, work out why.

Least-privilege access audit across all roles. Not just the compromised role — across your entire organisation.

Continuous identity assurance. Ongoing verification that the person accessing systems today is the same person verified at hire.

Formal after-action review with the cross-functional response team — security, legal, HR, executive leadership. What worked, what was too slow, what was missing from the incident response plan entirely.

For the comprehensive preventive defence stack, see our article on post-incident controls to add to your hiring stack.

How Do You Red-Team Your Hiring Pipeline Before the Next Incident?

Okta explicitly recommends hiring pipeline red team exercises as part of a mature insider-threat programme. They do not detail how to run one. Here is how to do it at SMB scale.

Team composition: 1–2 people from your security or engineering team. No dedicated red team or external consultants required. The primary cost is staff time.

Build the synthetic applicant modelled on known DPRK patterns: AI-generated profile photo, fabricated LinkedIn profile, AI-polished resume, GitHub portfolio, VOIP phone number, references that redirect to accomplices, and synthetic national ID consistent with the claimed identity.

Run the synthetic applicant through the actual pipeline from application to onboarding. Do not simulate — run it. Application, recruiter screen, technical interview, reference check, identity verification, conditional offer, onboarding. Track exactly where the fabrication is detected and where it passes through unexamined.

The exercise tests whether your ATS flags AI-generated content; whether recruiters challenge inconsistencies; whether references are verified by calling numbers the candidate did not provide; whether identity is verified against authoritative sources; and whether MDM/EDR is deployed to the device before it leaves your control.

Expected duration: 2–4 weeks. Act on every finding immediately — each gap is a gap the next fraudulent applicant will exploit.

For the broader prevention framework, see our guide to the prevention side of this problem.

FAQ

What is the difference between a fraudulent hire and a bad hire? A bad hire lacks the skills or fit they claimed but is who they say they are — an HR matter. A fraudulent hire used a fabricated identity to get the job. That is an insider threat incident requiring containment, evidence preservation, and potential law enforcement engagement, not a performance improvement plan.

Can I get fined for accidentally hiring a North Korean IT worker? Yes. OFAC civil liability is strict liability — penalties apply even when you did not know the employee was a sanctioned-country national. Voluntary self-disclosure and proactive remediation are significant mitigating factors. Engage legal counsel immediately.

Should I fire the fraudulent employee immediately or wait? Do not terminate until containment is complete. First, revoke all system access simultaneously, quarantine devices, and preserve evidence. Premature confrontation gives the operative time to exfiltrate data, deploy malware, or destroy evidence.

Do I have to notify customers if a fraudulent employee accessed their data? Potentially. Notification obligations may exist under US state laws, HIPAA, GDPR, or sector-specific regulations, depending on what was accessed and your jurisdiction. Get legal counsel to conduct a formal data breach assessment to determine your requirements.

What is the difference between reporting to FBI IC3 and notifying OFAC? FBI IC3 is for reporting a crime — the fraudulent employment itself. OFAC is for sanctions compliance — employing a sanctioned-country national. They are separate processes. If DPRK involvement is suspected, both may be required.

How long does the FBI typically take to respond after an IC3 report? Response times vary. DPRK-related reports are prioritised — expect initial contact within days to weeks for nation-state cases. Do not wait for FBI response before completing containment.

What if the fraudulent employee threatens to release stolen data? Do not engage. Do not pay. Involve FBI IC3 and legal counsel immediately, treat this as a separate incident stream, and preserve all communications as evidence.

Can a fraudulent hire be detected before any damage is done? Yes — KnowBe4 detected their DPRK hire within hours when endpoint detection flagged malware loading. UEBA monitoring, endpoint detection, and least-privilege access controls working together can catch a fraudulent hire before significant data access occurs.

What should I tell my board of directors about the incident? Get legal counsel to advise on timing and content. Generally, the CEO and legal counsel inform the board once containment is complete and scope is understood. Do not brief the board before containment — premature disclosure risks leaking the investigation.

How do I check whether other current employees might also be fraudulent? Conduct a retrospective review: re-verify identity documents for recent remote hires, review UEBA data for anomalous patterns across all employees, and check for shared infrastructure indicators — same VPN exit nodes, similar access patterns, overlapping work hours with the confirmed fraudulent hire.

What does a hiring pipeline red team exercise cost for an SMB? The primary cost is staff time — 1–2 people spending 2–4 weeks running a synthetic applicant through your actual pipeline. No specialised tools or external consultants required. The cost of not running the exercise is measured in incident response costs, regulatory penalties, and reputational damage.

This playbook is designed to be used in the moment. If you are reading this during an active incident, start with the first-two-hours containment checklist and engage legal counsel immediately. If you are reading this as preparation, the red team exercise is where to invest your time — running a synthetic applicant through your hiring pipeline will tell you more about your vulnerability than any threat intelligence report.
