What you can do to prevent workforce fraud

In this Help Net Security interview, Benjamin Racenberg, Senior Intelligence Services Manager at Nisos, discusses the threat of workforce fraud, particularly DPRK-affiliated IT workers infiltrating remote roles. With HR teams and recruiters often unprepared to detect these sophisticated schemes, businesses face significant cybersecurity and employment risks.

Racenberg also discusses the tactics used by these threat actors and offers strategies to strengthen hiring practices and mitigate workplace fraud.

We’ve seen stories about DPRK-affiliated IT workers infiltrating workplaces. How prepared are HR teams and recruiters to identify and respond to this threat, and what gaps exist in their training?

The employment fraud scheme perpetrated by the Democratic People’s Republic of Korea (DPRK) has presented US-based companies with significant cybersecurity and employment risks since at least 2022. The FBI and a number of cybersecurity companies, including Nisos, have provided continuous updates on this scheme showing that HR teams and recruiters at many companies are not prepared to mitigate this risk. In your own report, Help Net Security stated that US companies, including a top-five major television network, a Silicon Valley technology company, an aerospace manufacturer, an American car manufacturer, a luxury retail store, and a US-hallmark media and entertainment company, were affected by this scheme.

DPRK-affiliated IT workers are successful at obtaining roles in remote positions because HR teams and recruiters rely on identity verification processes that can be circumvented by obtaining stolen ID documents. Many recruiters are also not asked to perform OSINT (open source intelligence) investigations of potential candidates or their references to ensure that they are real people working in jobs at companies that they claim to be working at.

  • DPRK-affiliated IT workers have become adept at sidestepping traditional recruiting red flags by providing stolen identity information, which is less likely to be flagged by recruiting teams and hiring-related background investigations.
  • Additional training for recruiters on the tactics, techniques, and procedures used by the DPRK-affiliated IT workers to gain employment and conduct their work may help identify red flags in applicants and new hires, but will not necessarily prevent the infiltration of a workplace.
  • As such, HR teams and recruiters should not be the only part of the organization involved in protecting their company’s intellectual property, reputation and finances from DPRK-affiliated IT workers. The onboarding team, IT team, and the employee’s co-workers should be empowered to raise potential red flags to the company’s security team for investigation.

What innovative approaches or technologies can organizations adopt to detect and validate identities during hiring?

There are a number of tactics, techniques, and procedures (TTPs) which DPRK-affiliated IT workers have used to obtain employment at companies. To counter these, we recommend that companies observe the following best practices when hiring new remote workers:

  • Ensure the interview process involves on-camera and/or in-person interviews.
  • Ensure the applicant provides identification documentation in person in order to better identify falsified documentation. Require mandatory in-person employee onboarding.
  • Conduct a detailed review of the applicant’s online presence for consistency in name, appearance, work history, education, etc.
  • Verify prior employment and perform reference checks.
    • Applicants often list major companies in their employment history, likely both to inflate their experience and to deter the hiring organization from contacting their provided references. Many times the references are the same individual, or connected to the same network of people, as the job applicants.
    • Require the references to appear on camera as well, and that they provide real contextual information of how they supervised or worked with the applicant.

Nisos also found that DPRK IT workers often updated their mailing address prior to their equipment being shipped to them. This is an indication that the identity and information provided during the hiring process may have been stolen.

  • Once an offer is accepted, the threat actor will ask for the laptop to be shipped to a different location from any of the ID documents provided during the application process, claiming they have moved or temporarily relocated. Conduct research into the new address to verify that it is linked to the individual.
  • On the technology side, review and strengthen access controls and authentication processes by using two-factor authentication and minimizing the use of shared accounts. In addition, companies should monitor supplied equipment for piggybacking remote access, which allows others to gain unauthorized access to systems, using a legitimate user’s active session or credentials.

What role should governments and international organizations play in combating nation-state-backed workplace fraud? Are there legal barriers preventing companies from sharing or acting on threat intelligence related to fraudulent workers? How can those be addressed?

Sharing detailed information, such as names, email addresses, IP addresses, claimed work history of confirmed DPRK-affiliated IT workers and updated TTPs is the best model for addressing this rapidly growing scheme. Not all companies have the same resources available to protect themselves from this fraud scheme and sharing information will benefit the community as a whole. We have seen government entities and international organizations echo the call for collaboration.

  • The United States, Japan, and the Republic of Korea joined together to advise private sector entities, particularly in blockchain and freelance work industries, to thoroughly review these advisories and announcements to better inform cyber threat mitigation measures and mitigate the risk of inadvertently hiring DPRK IT workers. Deeper collaboration among the public and private sectors of the three countries is essential to proactively disrupt these malicious actors’ cybercrime operations, protect private business interests, and secure the international financial system.
  • The FBI, CISA and partners released a joint Cybersecurity Advisory in July 2024, highlighting cyber espionage activity associated with the Democratic People’s Republic of Korea (DPRK)’s Reconnaissance General Bureau (RGB) 3rd Bureau based in Pyongyang and Sinuiju. The authoring agencies believe the group and the cyber techniques remain an ongoing threat to various industry sectors worldwide, including but not limited to entities in their respective countries, as well as in Japan and India.
  • International organizations like the U.N. Security Council have also shared information, including email addresses and tactics, techniques, and procedures for identified DPRK-affiliated IT workers.

When companies come across nation-state-backed threat actors within their environments or suspect their presence, they are best served to engage legal counsel (whether in-house or external) to determine next steps. Typically, the decision will need to be made around whether to bring law enforcement counterparts into the conversation on a case-by-case basis, and this is best accomplished under attorney-client privilege, when possible, given the illegality of sending money to embargoed individuals/entities. There may also be implications around data breaches and applicability of insurance if there are losses, or anticipated losses or lawsuits.

What are employees’ psychological or cultural challenges when fraud or insider threats are uncovered in their workplace?

Fraud and insider threats don’t just affect business operations—they can undermine trust, engagement, and workplace culture. Employees who experience insider threat or employment fraud may distrust their colleagues and leaders, and may also exhibit feelings of fear, anxiety, and stress around the situation. This distress can impact an employee’s performance and wellbeing.

Nisos advises organizations to foster an environment in which employees feel empowered to report red flags or indications of fraud and insider threats to the organization’s security team, without fear of retaliation or retribution. Similar to other cyber fraud schemes, such as ransomware and phishing attacks, employee education on risks and best practices helps secure an organization.

What’s the best way for cybersecurity professionals to educate non-technical teams about the risks associated with insider threats and workplace fraud?

Recommendations should be provided to both technical and non-technical teams, relevant to their unique situations, ensuring that each team has the ability to identify red flags for additional investigation. Some of our recommendations include:

  • Ensure employees receive training tailored to their roles that emphasizes handling sensitive information appropriately (e.g. phishing for marketing, data protection for finance, safeguarding personal employee data, securing code to avoid vulnerabilities).
  • Non-technical teams should be trained to report any red flags to their managers and security teams. To establish this as a regular procedure, security teams should train employees from across the company on what examples of red flags are, and how best to report them.