Fake IT Workers: The Cyber Threat Hiding in Your Hiring Process


You vet CVs. You check references. You run interviews. But what if the person you just hired to manage your IT systems is secretly funnelling money to a hostile foreign government?

It sounds like a spy thriller, but it is happening right now, to real businesses, across 40 countries. And if you are a UK SMB hiring remote IT contractors, you need to pay attention.

What Is Actually Going On?

This month, researchers from IBM X-Force and Flare Research published a report that maps out, in detail, how North Korea operates an army of approximately 100,000 fake IT workers. These are not hackers trying to break into your systems from outside. They are people who apply for legitimate IT jobs, get hired, and then quietly siphon data and money back to Pyongyang.

The numbers are staggering. According to the US Government, these workers can earn over $300,000 per year each, generating roughly $500 million annually for the North Korean regime. They are spread across 40 countries, working as remote developers, system administrators, and IT support staff.

That is not a niche problem. That is an industrial-scale operation.

How the Scam Works

The operation is surprisingly well-organised, with clear roles and a structured hierarchy that mirrors a legitimate recruitment business.

The Recruitment Pipeline

  • Recruiters screen potential IT workers and record interviews, much like a normal hiring process
  • Facilitators review candidates and decide who gets placed, acting as hiring managers
  • IT Workers are the operatives, typically skilled in full-stack web development, .NET, and WordPress
  • Western Collaborators provide their real identities for the workers to use, sometimes knowingly, sometimes not

Many candidates may not even realise who they are really working for. Recruiters tell them they are joining an “early-stage stealth startup” with no public information. They are given a US or UK-based identity to use, complete with fabricated credentials and work history.

How They Get Hired

The fake workers target freelancing platforms like Upwork, LinkedIn, and Freelancer. Researchers found timesheets detailing how many “bids” workers made on freelancing sites each day and how many messages they sent on professional platforms.

They use counterfeit accounts or verified profiles linked to real people. Their applications look legitimate because they are crafted using professional templates and translated through Google Translate.

Once hired in a full-time role, these workers are often highly productive. Why? Because multiple people may be collaborating behind the scenes to do the work. The goal is to perform well, earn promotions, and gradually gain more privileged access to company IT systems.

Why UK SMBs Should Care

You might think this only affects large enterprises or American tech companies. It does not.

UK SMBs are increasingly turning to remote contractors for IT work. It makes sense: you get specialist skills without the overhead of a full-time hire. But this trend also makes smaller businesses a prime target.

Here is why SMBs are particularly vulnerable:

  • Smaller HR teams with less capacity for thorough background checks
  • Tighter budgets that make affordable remote contractors attractive
  • Less sophisticated identity verification processes
  • IT contractors often get broad access to systems, networks, and sensitive data
  • Manufacturing, construction, and engineering firms may not consider themselves cybersecurity targets, making them less vigilant

If you run a manufacturing company in the Midlands and you hire a remote developer to build an internal tool, that person could potentially access your production systems, customer data, financial records, and intellectual property.

The Real-World Damage

This is not just about money being funnelled to North Korea. A fraudulent IT worker inside your business can:

  • Steal customer data and intellectual property
  • Install backdoors for future attacks
  • Exfiltrate financial information
  • Deploy ransomware (North Korea’s Lazarus Group is already targeting UK organisations with Medusa ransomware)
  • Use their access to pivot into more sensitive systems over time

The Stryker cyberattack this month, where Iran-linked attackers used Microsoft Intune to remotely wipe employee devices, shows what happens when hostile actors get inside your management tools. A fake IT worker with admin access could do the same thing.

How to Spot a Fake IT Worker

The IBM/Flare report identifies several red flags that businesses should watch for during the hiring process.

During Video Interviews

  • Fake or blurred backgrounds that seem inconsistent with where they claim to live
  • Signs of AI face-changing or deepfake technology (unnatural facial movements, lighting inconsistencies)
  • AI voice changers (slight robotic quality, delays between question and answer)
  • Reluctance to turn on the camera or meet in person
  • Discrepancies between their CV and what they say in conversation, especially around location and language skills

During the Hiring Process

  • Employment history that does not quite check out when you contact references
  • Portfolio work that seems inconsistent in quality (suggesting multiple people contributed)
  • Unusually low rates for highly skilled work
  • Profiles on freelancing platforms with very recent creation dates but extensive claimed experience
  • Multiple accounts or profiles that share similar photos or details

After Hiring

  • Unusual working hours that do not match their claimed timezone
  • Use of VPN connections from unexpected locations
  • Requests for unnecessary access to systems or data
  • Reluctance to participate in team video calls or company events
  • Performance that varies dramatically (because different people may be doing the work at different times)

7 Steps to Protect Your Business

You do not need to stop hiring remote workers. But you do need to be smarter about it. Here are practical steps every UK SMB should take.

1. Verify Identity Properly

Do not rely on a CV and a video call. Use identity verification services that check government-issued ID. For UK-based contractors, verify their right to work. For international hires, use platforms that include identity verification as part of the process.

2. Conduct Thorough Video Interviews

Insist on camera-on interviews. Ask candidates to show their physical workspace. Ask spontaneous questions that require real-time thinking rather than scripted answers. Watch for signs of deepfake technology or AI voice manipulation.

3. Check References Independently

Do not just call the number on the CV. Look up the company independently and call their main line. Verify that the reference person actually works there. Cross-reference LinkedIn profiles with company websites.

4. Apply the Principle of Least Privilege

Give every contractor the minimum access they need to do their job, and nothing more. This limits the damage if someone turns out to be fraudulent. Review access permissions regularly and revoke anything that is no longer needed.

5. Monitor Access and Behaviour

Use endpoint management tools to monitor what devices are connecting to your network. Log access to sensitive systems. Set up alerts for unusual activity, like data downloads outside normal hours or connections from unexpected locations.
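The alerts described above, and the "After Hiring" red flags, can be prototyped against an exported sign-in log. The sketch below is an added example, not code from the IBM/Flare report or from Magnetar IT. The log layout, account names, contractor profiles and both thresholds are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: UTC timestamp, user, source country, MB downloaded.
SAMPLE_LOG = """\
2026-03-02T09:15:00,c.dev01,GB,12
2026-03-02T14:40:00,c.dev01,GB,30
2026-03-03T02:10:00,c.dev02,GB,8
2026-03-03T03:05:00,c.dev02,NL,950
2026-03-04T01:30:00,c.dev02,GB,15
2026-03-04T10:00:00,c.dev02,GB,20
"""

# Hypothetical contractor records taken from onboarding paperwork.
# A fixed UTC offset keeps the example short; it ignores daylight saving.
PROFILES = {
    "c.dev01": {"utc_offset": 0, "countries": {"GB"}, "hours": (8, 19)},
    "c.dev02": {"utc_offset": 0, "countries": {"GB"}, "hours": (8, 19)},
}
BULK_MB = 500          # assumed threshold for a "large" download
OFF_HOURS_RATIO = 0.5  # assumed share of off-hours sessions worth a review

def analyse(log_text, profiles):
    """Return {user: sorted list of alert strings} for the given log."""
    alerts = defaultdict(set)
    sessions = defaultdict(lambda: [0, 0])  # user -> [total, off_hours]
    for ts, user, country, mb in csv.reader(io.StringIO(log_text)):
        p = profiles.get(user)
        if p is None:
            alerts[user].add("no contractor profile on file")
            continue
        utc = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        local = utc.astimezone(timezone(timedelta(hours=p["utc_offset"])))
        off = not (p["hours"][0] <= local.hour < p["hours"][1])
        sessions[user][0] += 1
        sessions[user][1] += off
        if country not in p["countries"]:
            alerts[user].add(f"connection from unexpected country {country}")
        if off and int(mb) >= BULK_MB:
            alerts[user].add(f"{mb} MB downloaded outside working hours")
    for user, (total, off_count) in sessions.items():
        if off_count / total >= OFF_HOURS_RATIO:
            alerts[user].add(f"{off_count}/{total} sessions outside claimed working hours")
    return {u: sorted(a) for u, a in alerts.items()}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG, PROFILES))
```

An alert here is a prompt for a conversation with the contractor and a review of their access, not proof of fraud; legitimate night work and travel produce the same signals.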

6. Use Managed IT Support

One of the best ways to reduce risk is to work with a trusted, local IT support provider rather than hiring unknown remote contractors. A managed service provider gives you vetted professionals, proper security controls, and accountability. You know exactly who has access to your systems.

7. Train Your Team

Make sure anyone involved in hiring IT staff, whether that is HR, department managers, or directors, knows about this threat. The warning signs are not obvious unless you know what to look for.

The Bigger Picture

This is not just a North Korea problem. The techniques being used (fake identities, AI deepfakes, stolen credentials) will inevitably be adopted by other threat actors. Criminal groups, corporate espionage operations, and other state-sponsored programmes are all watching how this plays out.

The shift to remote work has created enormous opportunities for businesses. But it has also created new attack surfaces that did not exist five years ago. Your hiring process is now part of your cybersecurity strategy, whether you like it or not.

What to Do Next

If you are hiring remote IT contractors, review your vetting process this week. If you are not sure whether your current setup is secure, that is exactly the kind of thing a good IT partner can help with.

At Magnetar IT, we help businesses across the Midlands build secure IT operations without the guesswork. From endpoint management and access controls to vetting and monitoring, we handle the security so you can focus on running your business.

89% of our support tickets are resolved within an hour, and we have over 10 years of experience keeping SMBs safe.

Get in touch for a free consultation and let us make sure your hiring process is not your weakest link.

Date: March 31, 2026

Author: Rafael Macedo
