Is There a “Ghost” in Your Machine? – Mitigating the Risk Your Employees Aren’t Who They Say They Are

What traits make someone a great employee? 

Typically, we think of someone who is hard working, performs excellent work, and never misses a deadline. Increasingly, however, those things can all be true and yet the employee in question can still be a dangerous bad actor.

In July of 2025, the U.S. Federal Bureau of Investigation’s Crime Complaint Center (“FBI”) issued a public statement warning companies of the increasing prevalence of foreign workers, especially those from North Korea, using fraudulent methods to obtain employment by posing as U.S. persons. Internet Crime Complaint Center (IC3) | North Korean IT Worker Threats to U.S. Businesses

The scenario typically involves an unauthorised foreign worker who uses identify theft to pose as a highly qualified candidate.  The foreign workers choose the identities of people with exactly the type of educational credentials and work experience you would look for in an ideal candidate.  They submit what appear to be exemplary qualifications and list a local in-country home address.  

Once chosen for an interview, they use a proxy person fluent in the local language who is paid to impersonate the real candidate and appear on camera or even in-person for multiple interviews.  With the advent of AI-generated deep fakes, they may also use AI enhanced video images presented in real-time. When a background check is conducted, they pass with flying colors as the person whose stolen background is being checked is actually highly qualified and doesn’t know their credentials and identity are being used without their knowledge.

The foreign worker is hired under these false pretenses and most often appears to be an exemplary remote employee.  They perform high volumes of high-quality work, meet all their deadlines and on paper appear to be great workers.  What you don’t know is that the laptop you provided them has been attached to a KVM device (keyboard, video, mouse) that is “spoofing” their location, so they appear to be working locally while actually dialing-in to your system from some far-flung place on the other side of the world. They have also set up complex front companies and local networks to receive, cash and transfer paychecks to these foreign locations as well – money that is often used to fund corrupt regimes creating very real national security concerns.

In fact, the FBI has discovered so-called “laptop farms” located in multiple U.S. states where a seemingly unremarkable apartment or home has hundreds of laptops in it, all connected to devices that disguise unauthorized foreign access. These “ghost” workers pose many risks, not the least of which are concerns around the security of your company systems.  Having gained insider credentials, it becomes all too easy for one of these workers to install malware into your system and/or exfiltrate sensitive data out of your system.

How can you prevent your company from becoming one of the hundreds of companies that have already fallen victim to these types of schemes?  How can you ensure the employees you hire actually are who they say they are?  Here are a few tips:

1. Make sure your document review is truly robust. Are you checking the veracity of degrees and educational institutions that appear on candidate resumes? Keep an eye open for obvious issues including misspellings and falsified phone numbers and email addresses. Are you cross-referencing details provided in resumes with other sources? Consider reviewing social media profiles, payment platforms, and websites to cross-check candidate photographs, employment dates and details for consistency.

2. Use technology to ensure your background check is more than just document review. LinkedIn profiles can easily be falsified, as can U.S. passports and other forms of identification especially on-camera using AI-generated image falsification. Consider outside verification of government-issued identification and using biometric face matching and liveness detection systems. 

3. Require in-person interviews and/or onboarding and watch for inconsistencies in the different stages of your processes. Have you trained your recruiting teams to recognise potential indicators of deep fake content? For example, does the candidate’s appearance during onboarding “match” their appearance during the interview process? Does their voice also match? There are technology tools that can match voice timber, cadence, and vocabulary to give an indication of consistency or lack thereof to help identify potential deep fakes.

4. If your organisation is not using end-point detection and response software (EDR software), you should be. These systems can monitor your systems for signs of remote access, use of KVM devices or VPN manipulation devices to disguise foreign remote access.

5. Ensure you have controls and systems in place to detect potential laptop farm red flags. Do you have employees that appear to be working unrealistically long hours? Are they logging in to your system during what would be the middle of the night in their assigned work location? Are you checking to ensure you are only shipping laptops to the verified addresses of your employees?  

When it comes to preventing “ghost employees” in your organisation, the best defense really is a good offense. The sophistication of these bad actors is increasing right along with the capabilities of the artificial intelligence tools often used to infiltrate your organisation.  Combining cross-functional vigilance and technology will allow you to quickly detect and prevent these would-be fraudulent employees from compromising your security. Knowing who is really behind the keyboard will protect not only your data and your workforce, but your organisation as a whole.

Gwendolyn Hassan, Vice President, Chief Compliance Officer | Ethics & Compliance Office, Unisys