SoylentNews is people

posted by janrinok on Thursday June 30 2022, @01:35PM
from the can-I-at-least-claim-the-experience-on-my-resume? dept.

FBI warning: Crooks are using deepfakes to apply for remote tech jobs:

Scammers or criminals are using deepfakes and stolen personally identifiable information during online job interviews for remote roles, according to the FBI.

The use of deepfakes or synthetic audio, image and video content created with AI or machine-learning technologies has been on the radar as a potential phishing threat for several years.

The FBI's Internet Crime Complaint Center (IC3) now says it's seen an increase in complaints reporting the use of deepfakes and stolen personally identifiable information to apply for remote work roles, mostly in tech.

With some offices asking staff to return to work, one job category where there has been a strong push for remote work to continue is in information technology.

Reports to IC3 have mostly concerned remote vacancies in information technology, programming, database, and software-related job functions.

Highlighting the risk to an organization of hiring a fraudulent applicant, the FBI notes that "some of the reported positions include access to customer PII, financial data, corporate IT databases and/or proprietary information."

In the cases reported to IC3, the FBI says the complaints have been about the use of voice deepfakes during online interviews with potential applicants. But it also notes victims have noticed visual inconsistencies.

"In these interviews, the actions and lip movement of the person seen interviewed on-camera do not completely coordinate with the audio of the person speaking. At times, actions such as coughing, sneezing, or other auditory actions are not aligned with what is presented visually," the FBI said.

Complaints to IC3 have also described the use of stolen PII to apply for these remote positions.

"Victims have reported the use of their identities and pre-employment background checks discovered PII given by some of the applicants belonged to another individual," the FBI says.

[...] These contractors weren't typically engaged directly in hacking, but were using their access as sub-contracted developers within US and European firms to enable the nation's hacking activities, the agencies warned.


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 4, Insightful) by JoeMerchant on Thursday June 30 2022, @04:13PM (9 children)

    by JoeMerchant (3937) on Thursday June 30 2022, @04:13PM (#1257197)

    I mean, first off no new hire should have access to "highly sensitive" information before their first paycheck.

    Then, if I have gone on LinkedIn and obtained enough information to impersonate some perfect fit for the open position, how do I then funnel paychecks for that fake person into bank accounts that I control?

    So, the warning should be: don't reveal sensitive information to new hires until you have verified their identity, and how they get paid would be a great start to a positive I.D.

    Otherwise, this FBI warning seems to be a shill campaign for background investigation services. How do we know the warning really came from the FBI and not a deepfake?

    --
    🌻🌻 [google.com]
    • (Score: 4, Insightful) by Opportunist on Thursday June 30 2022, @05:08PM (7 children)

      by Opportunist (5545) on Thursday June 30 2022, @05:08PM (#1257208)

      Why do you think they can't open a bank account the same way they fake the interview? There's plenty of banks these days that don't even have physical offices anymore where customers can go to, you open your account online.

      • (Score: 2) by JoeMerchant on Thursday June 30 2022, @05:55PM (6 children)

        by JoeMerchant (3937) on Thursday June 30 2022, @05:55PM (#1257223)

        Every account I have opened in the last 20 years I have had to jump through "anti terrorist ID" hoops to get it established... not saying that can't also be faked, but you'd need more info than you typically see posted on LinkedIn and Facebook to do it.

        --
        🌻🌻 [google.com]
        • (Score: 2) by Opportunist on Thursday June 30 2022, @08:39PM (5 children)

          by Opportunist (5545) on Thursday June 30 2022, @08:39PM (#1257250)

          What else do you need? You'd be surprised what people are willing to hand you for a job, or for a chance to get money, or because they're curious...

          • (Score: 2) by JoeMerchant on Thursday June 30 2022, @09:22PM (4 children)

            by JoeMerchant (3937) on Thursday June 30 2022, @09:22PM (#1257259)

            It was at least SSN, and the SSN is run for a credit check so they would flag a name or address mismatch.

            So, yeah, if you've got the person's name, address, SSN and resume, and enough imagery to make a deep fake video call work, then you can impersonate them via video-conference. As if people shouldn't know this already with all the commonly available real-time video modifying tech they see every day.

            Back to my point, if you've opened a bank account in this person's name, tied to an address that matches their credit history - at some point the bank's gonna send some physical mail that you might have to intercept to keep the ruse going. Also, the real person should twig to your shenanigans the next time they run a credit check for any reason and find the new account they know nothing about. But, it may well run long enough for a new employer to develop enough trust to expose at least a few keys to the kingdom.

            --
            🌻🌻 [google.com]
            • (Score: 2) by Opportunist on Saturday July 02 2022, @08:34AM (3 children)

              by Opportunist (5545) on Saturday July 02 2022, @08:34AM (#1257501)

              Yes, at some point the bank will send that. At that point I probably already got away with the dough. Not to mention that people usually get so much junk mail from their bank that they throw it away without even considering reading it.

              We're talking about an operation that takes a few weeks. Tops.

              • (Score: 2) by JoeMerchant on Saturday July 02 2022, @11:05AM (2 children)

                by JoeMerchant (3937) on Saturday July 02 2022, @11:05AM (#1257518)

                And, again, if you are trusting a new hire with the keys to the kingdom in the first few weeks, you get what you deserve. Even in person hires shouldn't get that much trust that fast.

                Rule of thumb: employee trust shouldn't grow faster than exponentially doubling every few days, and should start somewhere around their daily pay rate. At 2 weeks you might trust them with three months' pay of responsibility. By a month on the job, if they have demonstrated clear competency, then you might turn them loose on something at a ten years' pay level.

                Of course you have to trust your employees eventually, but bigger companies usually have training and such that limit new hires' access for several weeks.

                --
                🌻🌻 [google.com]
                • (Score: 2) by Opportunist on Monday July 04 2022, @02:24PM (1 child)

                  by Opportunist (5545) on Monday July 04 2022, @02:24PM (#1258030)

                  I want to meet every single employee personally before they even get access to, well, ANYTHING. And given the nature of our job here, I can easily get away with it (I have already joked I want a rubber-stamp with "it's for security" because it would get everything approved, no matter how silly).

                  But I also know that this is not the case everywhere. Corners are being cut. Because they have to. Economic pressure is weighing down on everyone, and getting good people is not easy. Asking them to fly in for a personal interview is often already enough for them to just flip you off and go somewhere else, especially if they're good enough to have "senior" in their job desc.

                  • (Score: 2) by JoeMerchant on Monday July 04 2022, @10:08PM

                    by JoeMerchant (3937) on Monday July 04 2022, @10:08PM (#1258103)

                    I guess I'm saying: the in-person interview is maybe not nearly as important as months of service including clear demonstration of skills in the job. Of course, nation-states can train sleepers to come attack you in person and you'll never detect them - if their backers invest enough in their cover, but that's going to be exceedingly rare because nation-states have budget limitations too.

                    >Corners are being cut. Because they have to. Economic pressure is weighing down on everyone, and getting good people is not easy.

                    I feel a strong sense of déjà vu back to the mortgage-backed securities crisis of 2008. The job is what the job is, cutting corners isn't an innovative way to increased profits, it's trading known expenses for expensive risks. Even if it's a 1:1 trade in the calculation (save $1M against a 50/50 chance of losing $2M) that's still a bad bet because business thrives on one thing more than any other: predictability. That's what our whole system of laws and courts are about: providing a predictable environment for the operation of businesses. It's why businesses are willing to pay higher labor costs and taxes to operate in more developed societies. I'm getting around to: cutting corners and taking risks is operating your business like you're in a 3rd world of chaos. There are occasional glitters of tremendous profit opportunities, but the losses are even bigger and the lack of predictability is a huge competitive disadvantage.

                    --
                    🌻🌻 [google.com]
    • (Score: 1) by khallow on Friday July 01 2022, @10:59PM

      by khallow (3766) Subscriber Badge on Friday July 01 2022, @10:59PM (#1257446) Journal

      > I mean, first off no new hire should have access to "highly sensitive" information before their first paycheck.

      I guess the theory is that if you're not looking in depth at them, they can stick around long enough to get something valuable. If this gets cheap enough, just supporting a normal burglary scheme a few days in might pay for the effort.

  • (Score: 0) by Anonymous Coward on Thursday June 30 2022, @05:48PM (2 children)

    by Anonymous Coward on Thursday June 30 2022, @05:48PM (#1257221)

    Something new (to me) with this post. The block below the story (and above the start of comments) begins with these two lines:

      This discussion was created by janrinok (52) for logged-in users only.
    FBI Warning: Crooks are Using Deepfakes to Apply for Remote Tech Jobs | Preferences | Top | 9

    Is this logged-in users something new today? Anti-spam perhaps?
    ps. I'm logged in, posting AC as I usually do.

    • (Score: 3, Informative) by unauthorized on Thursday June 30 2022, @06:11PM

      by unauthorized (3776) on Thursday June 30 2022, @06:11PM (#1257230)

      You could have scrolled two stories down, it's literally on the front page right now.

    • (Score: 2) by janrinok on Thursday June 30 2022, @06:57PM

      by janrinok (52) Subscriber Badge on Thursday June 30 2022, @06:57PM (#1257233) Journal

      There are other options available too:

      • Comments Disabled
      • Just Friends
      • Just Friends and Their Friends
      • No Foes
      • No Foes and Their Friends
      • Only Logged-In Users

      But we usually leave it at 'Comments Enabled'.

  • (Score: 0) by Anonymous Coward on Thursday June 30 2022, @06:27PM (1 child)

    by Anonymous Coward on Thursday June 30 2022, @06:27PM (#1257231)

    I'm gonna have to give that a try.

    • (Score: 2) by janrinok on Thursday June 30 2022, @06:58PM

      by janrinok (52) Subscriber Badge on Thursday June 30 2022, @06:58PM (#1257234) Journal

      Let me know how it turns out, please. As I have never made a journal I assume that the same options are available for those too, but I do not know and I am too busy to go and find out at the moment!

  • (Score: 2) by ElizabethGreene on Thursday June 30 2022, @07:18PM (1 child)

    by ElizabethGreene (6748) Subscriber Badge on Thursday June 30 2022, @07:18PM (#1257239) Journal

    I don't use video during candidate interviews. It's distracting and invites bias. I want to see them whiteboard, demo something, or talk about some stuff in your github repo; I don't really care if you can color coordinate your outfit.

    • (Score: 2) by JoeMerchant on Thursday June 30 2022, @07:39PM

      by JoeMerchant (3937) on Thursday June 30 2022, @07:39PM (#1257241)

      One of the most important aspects of any employee is their ability to communicate with the team.

      These days, our group communicates 99.44%+ via e-mail and Zoom calls with video off.

      The old advice: wear to the interview the same clothes you would wear when doing the job might be ill advised these days.

      --
      🌻🌻 [google.com]