
If a cybersecurity firm can fall for the latest AI Workplace scam, you can too: 10 steps to protect your business | Fisher Phillips

A well-known cybersecurity training company just fell victim to a growing scam when it hired a remote employee who turned out to be a North Korean cybercriminal who used AI deepfake tools to fake his identity and infiltrate the organization. The Florida-based company caught the would-be thief before he could steal any data, but he tried to load malware and run unauthorized programs on company systems, which could have been a damaging attack. “If it can happen to us, it can happen to almost anyone,” the CEO said after the cyberattack. What are 10 things you can do to make sure you don’t fall victim to the same scam?

What happened?

  • A Florida-based company that specializes in delivering cybersecurity training worldwide was looking for a remote software engineer to join their internal AI team.
  • Ultimately, the remote worker was hired for the job after a typical recruiting process: They selected a resume from a pool of candidates, conducted four video conference interviews with the lead candidate, confirmed via video that he matched the photo provided in the application, ran a standard background check, and even checked references before hiring.
  • The company shipped the new employee a workstation on July 15, and he attempted to load malware as soon as he received it.
  • Alarm bells went off in the company’s IT security department, and the new employee was contacted to ask what was going on. At first, the new employee explained that he was simply troubleshooting a technical issue. When IT tried to reach him by phone to find out more, he said he was unavailable and then stopped responding. Within 30 minutes of activating the computer, the IT team had blocked his access, and the company terminated his employment.

What really happened?

The following information comes directly from the company’s CEO himself, who explained the entire event in detail in a series of blog posts.

  • The cybercriminal used a valid but stolen US citizen identity. He used AI tools to enhance a stock photo and make it look like a completely new person. You can see a comparison of the stock photo and the faked photo of the applicant here.
  • He most likely used AI to change his voice, and may also have used AI technology to change his image (as was done in the recent Hong Kong heist where $25 million was stolen).
  • The fake employee had his work computer sent to a physical address somewhere in the U.S. that turned out to be an “IT mule laptop farm.” He then used a VPN to hide where he really was, which turned out to be either North Korea or just across the border in China.
  • He worked in the middle of the night in Asia to give the impression that he was working during the day here in the States.
  • Other details about the attack are not yet known, as the case is part of an active FBI investigation. The fact remains, however, that if it can happen to a cybersecurity firm, it can happen to you.

What are these scams trying to achieve?

There are several reasons why someone might try to impersonate someone else to join your company.

  • In some cases, the fake employee may be part of a network of state-funded North Korean cybercriminals who flood the remote work environment, trying to get jobs at U.S.-based companies. In these cases, they will actually be doing real work for the organization. Much of the money they receive for their work will go toward funding North Korean state operations.
  • In the case described above, the cybercriminal clearly had more malicious intentions. In the very short time he had access to the company’s hardware, he manipulated session history files, transferred potentially harmful files using a Raspberry Pi, and ran unauthorized software. Although his end goal remains unclear, he may have been trying to disrupt the company’s services and may have been looking to extort a ransom. Or he may have been hoping to extract information left on the computer before it was issued to him.
  • The fake employee did not have access to any company systems or information, but other AI fraudsters are using this type of infiltration to steal company data. Your organization could be at a competitive disadvantage if your company information is leaked to the public, or you could find this information for sale on the black market.

10 Steps to Protect Your Organization in the Era of Remote Work

  • Foster a culture of skepticism when it comes to hiring remote workers, just as employees are now vigilant about phishing emails.
  • Train your recruiting team on social engineering tactics currently exploited by malicious cybercriminals.
  • Conduct all video interviews with the camera on and train your recruiting team to look for deepfake signatures (blurry details, irregular lighting, unnatural eye or facial movements, mismatched audio, lack of emotion, etc.). As technology advances, you should also consider investing in threat detection tools that can identify and flag potential deepfakes.
  • Consider the feasibility of carrying out in-person interviews, even for remote positions. Even mentioning that the process includes an in-person interview can dissuade scammers from continuing with the interview process.
  • Make sure laptops provided to new employees are completely wiped of any residual company data, including data stored in web browsers.
  • Only send laptops to physical addresses at the employee’s place of residence. Or send them to a trusted third party (e.g. a reputable delivery service) where new employees are required to present a valid photo ID to receive them.
  • Start new employees in a very limited environment where they only have access to the systems needed to do their job. Make sure they don’t have direct access to production systems or sensitive data.
  • Make sure that your IT security monitoring systems are robust, up to date, and able to detect attempts to access unauthorized systems or download inappropriate files.
  • Conduct an audit of all your recruitment practices to ensure your recruiting team is consistently using best practices across background checks, references, resume reviews, interviews, and more.
  • Carry out regular security awareness training sessions for all employees about the latest cybersecurity threats and how to recognize and report them.