IT Nightmare: AI-Assisted Impersonation Enables Fraudulent Employees to Seize Privileged Access to Corporate Systems

Impersonators are increasingly using AI to refine job profiles, pass interviews, and obtain remote access to corporate systems, creating an internal security risk that many organizations fail to recognize until after damage occurs. The problem spans both large and small employers, with remote recruitment processes being exploited to insert “internal threats” through fake hiring.

How AI-enabled impersonation works

Security director Steve Schmidt warned that the scale of attempts to seize IT roles is growing. Amazon said it has blocked more than 1,800 attempts to take IT positions, and Schmidt cautioned that the figure continues to rise. In some cases, individuals impersonating Americans seek personal profit. More serious cases involve international agents using IT impersonation for political and financial objectives.

According to Tom Hegel of SentinelOne, this is not traditional recruitment fraud. It is an internal risk problem in which adversaries aim to be hired as the first step in an intrusion. AI technology can also support deepfake videos and highly convincing online interview sessions, making identity verification difficult when adversaries can change identity rapidly.

Vulnerabilities in remote hiring

• Impersonators conceal their identity, misrepresent qualifications, and present refined skills and experience.
• They progress through screening rounds with minimal suspicious traces.
• They use stolen identities to create credible online profiles.
• During interviews, candidates may rely on prepared scripts, stand-ins, or AI-assisted real-time responses.

SentinelOne previously tracked about 360 fake identities tied to more than 1,000 job applications, including cases where some applicants attempted to apply to the security company itself. Hegel said bad actors use large-scale psychological tactics and identity concealment, turning remote recruitment into a gateway for attacks.

From hiring to access

Investigations cited in the report indicate that HR servers were infected with malware. The attackers also use “laptop farms” to operate company devices from afar across borders. Once hired, they gain access and become trusted internal staff, increasing the risk of long-term exposure of sensitive data.

Data points and observed tactics

The report describes an example from a MongoDB investigation supervised by George Gerchow, which began with a warning that someone was trying to remove security software. Gerchow said the Overwatch system detected a new employee’s laptop communicating with an IP abroad. He described the combination of tampering with security tools and unusual traffic as a red flag.

In that case, the individual used a stolen identity combined with an AI-generated profile. Surface-level background checks failed because they did not detect the underlying fraud, and Gerchow emphasized that many checks cannot reveal a history of fabricated work. The investigation later found that no data was stolen or leaked.

Indicators that can emerge after the hire

• Low-quality interview videos, voice changes across calls, and disjointed interview responses.
• Last-minute changes to the laptop delivery address, a tactic used to move devices overseas.

The report notes that minor anomalies may be treated separately, allowing the pattern to go unnoticed until security alerts trigger in unison. When that happens, security teams can isolate devices, revoke access, and report to federal authorities.

Impact and risk outlook

Gartner forecasts that by 2028, one in four candidate profiles will be fake. The report characterizes this as a “pandemic” targeting global enterprises quietly, with criminals often focusing on highly technical roles.

David Weisong, CIO of Energy Solutions, said adversaries frequently target roles such as DevOps or database administration because they hold control of systems. “These roles hold the keys to the castle,” Weisong said, adding that infiltration value can exceed that of a typical programmer.

Prevention measures and operational changes

One early warning sign described in the report is a sudden spike in applications—hundreds within a few hours can indicate automated, bot-driven activity. The report also notes that fake employees may perform well, meaning detection may rely more on technical signals than on day-to-day work performance.

To counter these threats, Amazon uses AI alongside human review to scrutinize profiles, requires more in-person interviews, and asks employees to come to the office. Hegel suggested treating recruitment as an access-control issue rather than a one-off personnel check, arguing that identity should be treated like the highest level of security clearance rather than a routine HR step.

Energy Solutions’ approach

• Removed the term “fully remote work” from job postings to reduce external applicants attempting fraud.
• Uses strict CAPTCHA to block bots and an employee-referral incentive.
• Implements a 90-day probationary period to closely monitor new hires.
• Requires candidates to turn on video and share their screens to conduct live tasks.
• Disqualifies candidates who use AI to assist answers.
• Requires new hires to come to the office on day one to receive devices and participate in training.

Weisong concluded that trust must be built gradually through stages, and that IT leadership should work closely with HR to build robust security barriers.

Source: CIO