Sophos warns of the fact that job candidates constructed with false identities are taking advantage of digital anonymity, generative artificial intelligence and synthetic identities to infiltrate European companies, where manipulated identities become a key tool of deception.
Their objectives are diverse: evade international sanctions through fraudulently obtained jobs, access confidential systems or extort their employers, all through the strategic use of fraudulent identities. This persistent campaign was discovered by researchers from the Sophos X-Ops Counter Threat Unit (CTU), supported by Sophos advanced security technologies to detect new threats, including those related to the creation of false identities and attack techniques.
“The inconsistencies are not limited to the online image and CVs. In several cases reported by European companies, candidates have falsified technical tests, evaded identity checks or required to use personal devices instead of the company’s equipment, which has security solutions. Others have frequently changed delivery addresses or bank details, trying to cover their tracks or avoid internal procedures, which shows the systematic use of multiple identities,” explains Rafe Pilling, Director of Intelligence against Threats in Sophos X-Ops.
AI ‘democratizes’ identity fraud in personnel selection
The proliferation of generative artificial intelligence tools has ‘democratized’ identity fraud in hiring processes, facilitating the mass creation of credible digital identities. Today, any malicious actor can generate impeccable resumes, personalized cover letters, profile photos and fictitious professional ecosystems with email accounts, coherent identities and internally consistent LinkedIn profiles in a matter of minutes.
To help detect these fake candidates and their manipulated identities, Sophos has published a guide for CISOs that combines threat intelligence with practical application in the enterprise.
“Video interviews, which for years were the only reliable method of remote verification, no longer guarantee the authenticity of identities: some fraudulent candidates claim technical problems to avoid turning on the camera, manipulate virtual backgrounds or demonstrate a superficial knowledge of the local context despite claiming to reside in Europe,” continues the head of Sophos.
State actors: the ‘Contagious Interview’ campaign
The phenomenon is not limited to fraudulent job applicants or artificially constructed individual identities. Sophos CTU has documented in detail the ‘Contagious Interview’ campaign, carried out by NICKEL ALLEY, a cyber threat group acting on behalf of the North Korean government. This group specializes in targeting technology professionals by posting fake job offers, creating fictitious corporate identities, tricking potential candidates through a simulated interview process, and ultimately distributing malware.
In targeted attacks, NICKEL ALLEY often creates a fake company page on LinkedIn to gain users’ trust and bolster the credibility of their digital identities, and maintains a GitHub account to coordinate malware distribution. In some cases, attackers have used the well-known ‘ClickFix’ tactic to distribute malware using fake job skills assessment tests, again relying on deceptive identities.
HR teams as pillars of corporate cybersecurity
These situations highlight the strategic importance that HR teams have acquired. HH. Not only are they responsible for finding the ideal candidate for each position, but they also constitute a first line of defense against suspicious identities based on the general consistency of the candidate: the agreement between documents, statements and environment, the ability to verify history through official or independent channels and the willingness to undergo standardized identity verification processes.
HR teams HH. They are increasingly on the front line of the challenge of validating identities. In 2025, the GOLD BLADE group was found to be attacking recruiters by sending malicious applications to job ads, using various identities to increase their chances of success.
HR teams HH. are increasingly on the front line of the challenge of validating identities
“Without needing to be cybersecurity experts, those responsible for recruiting personnel must now be extremely vigilant by observing the general coherence of the candidate and their identities: their image, the consistency between their documents, statements and environment, and the possibility of verifying their history through official or independent sources,” Pilling concludes.
