If your promising new hire wasn’t actually a real person, would you even know it? If you automatically think, “Duh, of course I would,” think again. Technology has become so advanced that some businesses, primarily in the tech industry, are running into cybersecurity risks as they unintentionally hire deepfakes instead of real people. Scared yet? Don’t worry. We compiled everything you need to know to protect your business, including tips on how to spot a deepfake during the recruitment process.
What is a deepfake?
A deepfake is a photo, video and/or audio file that has been manipulated or altered by artificial intelligence (AI) so that it appears to impersonate someone else. Do you remember those TikTok videos that circulated a while back that showed Tom Cruise doing random activities, except it wasn’t actually Tom Cruise at all? Those were created with deepfake technology. The output is so convincing that it’s incredibly difficult to tell on the surface that it’s a digital creation and not actual footage of a real person.
While examples like the fake Tom Cruise clips may be all fun and games, that same deepfake technology is also being used to conduct employment scams in which a bad actor pretends to be a serious job applicant. This is especially the case as remote work and virtual-only interactions have become increasingly commonplace, meaning you aren’t actually meeting your new hire in person (and thus confirming their identity). In fact, a McKinsey survey found that 35% of workers have the option to work from home (WFH) 100% of the time, with another 23% privileged with hybrid work options.
Though WFH setups can be an advantageous arrangement that attracts new employees, they can come with risks – and we’re not talking about team members skipping a few work hours to run errands on your dime. Nope, it gets worse. These cybercriminals are using deepfake technology to gain access to your business under false pretenses, all in hopes of getting a piece of your pie; that is, accessing personally identifiable information (PII) and sensitive data stored in personnel files and company systems.
The FBI’s Internet Crime Complaint Center (IC3) released a PSA this year warning employers and job seekers about the rising risk of deepfakes, which are primarily affecting software development, database and other software-related job openings.
What are the risks of hiring a deepfake?
Letting a deepfake into your organization poses several threats, but it all depends on the scammer’s intentions. According to the FBI, these cybercriminals are often applying for WFH positions that include “information technology and computer programming, database, and software related job functions. Notably, some reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information.”
Someone with malicious intentions can do great harm to your organization, employees and customers – even the U.S. government – with this type of information. If they access sensitive data and internal resources, they can blackmail you into paying them, elicit money from others and even commit espionage. Not to mention, you as a business owner won’t actually be getting what you wanted: a real, qualified employee committed to doing honest work for your company. On top of dealing with the fact that you put your enterprise in jeopardy, you’ll need to restart the hiring process to find a legitimate employee to fill the role for which you were hiring.
This isn’t something employers had to worry about in years past, but with new technology comes new risks. That means being on the lookout for deepfakes whenever recruiting for a new position.
How do you avoid hiring a deepfake?
Scammers are using deepfake technology to pose as job seekers and land remote jobs, and the current work climate is one of the reasons they’re able to pull off this charade. Job interviews used to primarily take place in person, allowing you to verify the person who applied is genuine. But now that many companies are hiring employees remotely, video and phone interviews are a common part of employee recruitment. This has allowed cybercriminals to hide their true identity.
Here are five ways to help protect your business from accidentally hiring a deepfake.
1. Train your talent acquisition team on how to spot a deepfake.
The surest way to spot a deepfake is to know what to look for, so you should train your recruiters and hiring managers on how to identify one. Here are a few signs you might be dealing with a deepfake:
- Their application is plagiarized. A scammer most likely won’t take the time to create a résumé from scratch, so be sure to run their CV and application through a plagiarism detector to see if their supposedly unique credentials appear elsewhere online. This is a good recruitment tip in general since you wouldn’t want to hire a candidate who plagiarized their résumé anyway, deepfake or not.
- Their social media accounts are suspicious. This can get a little tricky since checking a candidate’s social media pages can run the risk of unintentionally discriminating against an applicant based on something you see on their profile. But the goal here isn’t to find out how old they are or who they voted for; instead, you should be looking for suspicious account information, like new or empty profiles, generic information, or no followers. Their activity on the platforms may be suspect as well, like plagiarized tweets or spammy messages.
- Their video keeps glitching or is inconsistent. When conducting a virtual interview, does the candidate’s mouth line up with the words they’re saying? Deepfake technology is impressive, but it’s not quite advanced enough to perfectly line up audio and video in a live video interview. If the candidate claims the glitch is due to a poor connection, consider rescheduling for another time. Their willingness or resistance to doing so can be an indicator of their intentions.
- They don’t blink. This might sound silly, but many deepfakes haven’t mastered the art of blinking. If the candidate hasn’t blinked once during your 20-minute interview, you may have caught yourself talking to a deepfake. An article in the scientific journal IEEE Access, as shared by ResearchGate, notes that some cybercriminals are making more elaborate deepfakes that are actually capable of blinking, although new tools may be able to distinguish legitimate human blinking patterns from artificial blinks.
These are just a few ways your hiring team can look for deepfakes during the recruitment process. Encourage them to use their best judgment when vetting candidates, which leads us to our next tip.
2. Use a trusted service to conduct a thorough background check.
Another great way to ensure your new hire is exactly who they say they are is to use one of the best background check services to run a pre-employment screening on them. These companies can conduct a variety of screenings to check criminal history and identifying information, like the person’s Social Security number, address history, employment and education histories, and professional license status. They can also run social media searches and conduct ongoing monitoring.
Since some scammers steal real identities to create deepfakes, it’s important to double-check that the person evaluated by the background check company is actually the same person you intend to hire.
3. Conduct in-person interviews whenever possible.
Many employers have begun conducting remote interviews via phone and video conferencing solutions, especially when hiring for entirely virtual positions or across state lines. While this can be a great way to expand your talent search and diversify your organization, it can also leave you susceptible to cyberthreats like deepfakes.
To help ensure the person you are hiring is actually who they say they are, conduct in-person interviews whenever possible. Even something as quick as a 15- or 20-minute meeting can be enough to verify that you’re hiring a real person who possesses the credentials they claim. Plus, scammers who rely on deepfake technology are less likely to be willing to meet you in person, so requiring an in-person meetup can be a great deterrent in your interview process for disingenuous applicants.
4. Stay up to date with cybercrime trends.
As technology evolves, cybercriminals will continue to think of new ways to scam people online. Stay up to date with cyberthreats as they arise and become more advanced. Make sure your human resources team and hiring managers are aware of what potential threats might come their way as they relate to the employment process so they can be on the lookout for suspicious behavior.
It’s important to take cybersecurity seriously. Conduct a cybersecurity risk assessment on your business to help your organization stay protected, and have a cyber insurance policy in place in case your company is targeted.
5. Be transparent about your hiring practices.
Be aware that recruitment scamming goes both ways. Bad actors aren’t just pretending to be applicants; they’re also running employment scams in which they create fake job sites or job posts, impersonating organizations and hiring institutions. The Better Business Bureau found that such deceptions most commonly victimize women and people between the ages of 24 and 35. If scammers target job candidates using your company brand, it can ultimately hurt your business’s reputation.
To prevent this from happening, be transparent about your recruitment methods on social media and be diligent about sharing your hiring process with job seekers so they know when a job post is truly coming from your organization. Explain where jobs are and aren’t listed and how you intend to communicate with job applicants during the recruitment process. You can also offer a point of contact for applicants to verify your job postings or communication.