Candidate fraud is rampant. Some recent examples I've seen:
- fake candidates using the resume/LinkedIn of real people
- people using AI filters in interviews
- people fabricating experience on their resume
- different people showing up at different stages of interviews

Companies are already doing many of the following to catch fraud:
- checking IP addresses for a match between the stated location and app location
- checking for VPN usage since this could indicate someone is attempting to hide their location
- checking for unusual behaviors like an app that should take 15 minutes being submitted in 30 seconds, as an example indicating an AI-generated app vs human-generated one
- checking the age of your email address
- checking the account behind your phone number
- reviewing your LinkedIn account to see how it matches the content of your resume
- contacting you via LinkedIn to ensure you are the person who applied
- checking your previous applications to the company for consistency across experiences
- recording interviews or taking pictures at each stage to verify the same person is showing up
- verifying the identity and IP address of your references
- holding on-site interviews, even for remote jobs
- running more thorough background checks and employment verifications

Most companies recognize that some of the above "flags" will be present in legitimate candidates. For example, VPN use is quite common for many in tech, lots of people use phones that may show a parent or partner's name on the account, you might be applying while on vacation, etc. But if multiple flags are present, they may decide the risk is too great and simply move on to the next candidate.

So if I were applying right now, I would:
1. Be aware of the above when applying.
2. Put a picture on your profile (this may minimize the chances of someone using your name/profile to apply for jobs and also helps employers verify you are in fact the person on the interview).
3. Consider the content on your public social media profiles - companies will be checking more and more to mitigate their risks, and that means they'll have more line of sight into how you think about the workplace, your expertise, etc. Make sure this is additive, rather than something that raises flags.

Finally, I'll note that the common responses I see to the above are things like, "well employers made this an issue by making it so hard to get a job". And while I could have a conversation about why this is illogical, it's honestly just not even worth a discussion. Because no company is sitting there right now thinking, "gosh, people are struggling to navigate this job market, let's just open ourselves up to risk." They're just not. Their priority is to minimize risks. Hiring a fraudulent candidate with bad intentions could put their entire company at risk and they aren't going to do that. So if you're navigating a job search - especially for remote tech jobs - keep this in mind, and adjust accordingly.
Payment Fraud Prevention
-
𝗛𝗼𝘄 𝗜 𝗨𝘀𝗲 𝗧𝗵𝗿𝗲𝗮𝘁 𝗜𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝘁𝗼 𝗦𝘁𝗮𝘆 𝗔𝗵𝗲𝗮𝗱 𝗼𝗳 𝗔𝘁𝘁𝗮𝗰𝗸𝘀 🔍⚡

Last quarter, we almost missed it. It didn’t start with an alert. No high-severity incident. No obvious malware. Just a single line in a log — a failed login attempt from an IP that looked ordinary. But something felt off.

🔍 𝗕𝘂𝘁 𝗵𝗲𝗿𝗲’𝘀 𝘄𝗵𝗲𝗿𝗲 𝘁𝗵𝗿𝗲𝗮𝘁 𝗶𝗻𝘁𝗲𝗹𝗹𝗶𝗴𝗲𝗻𝗰𝗲 𝗰𝗵𝗮𝗻𝗴𝗲𝗱 𝗲𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴...

Earlier that day, I had read a deep-dive from a security researcher 🧠 about a new attack pattern:
👉 Low-and-slow credential spraying
👉 Geo anomalies that bypass basic rules 🌍
👉 Minimal noise, maximum stealth

That “normal” IP? It matched a freshly reported indicator.

🧠 𝗦𝗼 𝗜 𝗳𝗼𝗹𝗹𝗼𝘄𝗲𝗱 𝘁𝗵𝗲 𝘀𝗶𝗴𝗻𝗮𝗹... 𝗻𝗼𝘁 𝘁𝗵𝗲 𝗻𝗼𝗶𝘀𝗲

Instead of waiting for alerts:
👉 Pulled logs across VPN, IAM, endpoints 🖥️
👉 Enriched the IP with threat intel feeds 📡
👉 Mapped behavior to MITRE ATT&CK 🧩
👉 Built a hypothesis: early-stage access attempt

Then I started hunting 🎯 And found more… Same pattern. Multiple users. Silent attempts.

⚙️ 𝗪𝗵𝗲𝗿𝗲 𝘁𝗵𝗲 𝗶𝗻𝘁𝗲𝗹 𝗰𝗮𝗺𝗲 𝗳𝗿𝗼𝗺

This wasn’t luck 🍀 — it was a system:
👉 Open-source intel (blogs, GitHub, researcher reports) 🌐
👉 Commercial feeds (real-time IOCs & adversary infra) 📊
👉 Dark web monitoring (credential leaks & chatter) 🕶️
👉 Industry groups & sharing communities 🤝

Each source = a piece of the puzzle
Together = the full picture 🧠

🚨 𝗪𝗵𝗮𝘁 𝘄𝗲 𝗱𝗶𝗱 𝗻𝗲𝘅𝘁

👉 Blocked malicious IP ranges 🚫
👉 Forced password resets 🔑
👉 Tuned detections based on TTPs ⚙️

No breach. No escalation. No damage.

💡 𝗧𝗵𝗲 𝘁𝗮𝗸𝗲𝗮𝘄𝗮𝘆

Attackers don’t kick the door down 🚪 They test it quietly first… If you rely only on alerts, you’re already behind ⏳

Threat intelligence helps you move from:
➡️ Reactive → Proactive
➡️ Alerts → Anticipation

𝗦𝗶𝗻𝗰𝗲 𝘁𝗵𝗲𝗻, 𝗺𝘆 𝗽𝗹𝗮𝘆𝗯𝗼𝗼𝗸 𝗶𝘀 𝘀𝗶𝗺𝗽𝗹𝗲:
👉 Focus on behavior (TTPs), not just IOCs 🎯
👉 Build continuous intel feedback loops 🔄
👉 Hunt with context, not guesswork 🔍

You can use ANYRUN to speed up and simplify alert triage, incident response, and threat hunting with Threat intelligence Lookup -> https://lnkd.in/gFD8DPJ3

Have you ever stopped an attack early because of threat intel? 🤔

#CyberSecurity #ThreatIntelligence #SOC #ThreatHunting #BlueTeam #InfoSec #CyberDefense

For daily cybersecurity updates, follow: Kaaviya Balaji
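
The hunt the post above describes (one source quietly failing logins across multiple users, checked against a reported indicator), as an added example that is not the poster's code or tooling. The log format, the thresholds and the `INTEL_FEED` stand-in are assumptions, and the events are constructed using documentation-range IPs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed events: time, log source, user, source IP, result (RFC 5737 IPs).
SAMPLE_LOG = """\
2024-03-04T01:10:00 vpn alice 203.0.113.45 FAIL
2024-03-04T03:40:00 iam bob 203.0.113.45 FAIL
2024-03-04T06:05:00 vpn carol 203.0.113.45 FAIL
2024-03-04T09:30:00 iam dave 203.0.113.45 FAIL
2024-03-04T12:15:00 vpn erin 203.0.113.45 FAIL
2024-03-04T14:50:00 iam carol 203.0.113.45 OK
2024-03-04T09:00:00 vpn frank 198.51.100.7 FAIL
2024-03-04T09:00:20 vpn frank 198.51.100.7 FAIL
2024-03-04T09:00:45 vpn frank 198.51.100.7 FAIL
2024-03-04T09:01:10 vpn frank 198.51.100.7 OK
"""
INTEL_FEED = [ip_network("203.0.113.0/24")]  # constructed stand-in for a feed

def parse(text):
    for line in text.strip().splitlines():
        ts, source, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), source, user, ip, result

def burst_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Typical alert: >= threshold failures from one IP inside a short window."""
    fails = defaultdict(list)
    for ts, _, _, ip, result in events:
        if result == "FAIL":
            fails[ip].append(ts)
    hits = set()
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
    return hits

def hunt_spray(events, min_users=4, max_per_user=2):
    """Hunt: one IP failing against many users with only a few tries per user.
    The caller scopes `events` to the period being hunted (e.g. the last day)."""
    fails, ok = defaultdict(lambda: defaultdict(list)), defaultdict(set)
    for ts, _, user, ip, result in events:
        if result == "FAIL":
            fails[ip][user].append(ts)
        else:
            ok[ip].add(user)
    findings = []
    for ip, users in fails.items():
        times = [t for per_user in users.values() for t in per_user]
        if len(users) >= min_users and max(map(len, users.values())) <= max_per_user:
            findings.append({
                "ip": ip, "users": sorted(users), "span": max(times) - min(times),
                "in_intel": any(ip_address(ip) in net for net in INTEL_FEED),
                "succeeded": sorted(ok[ip]),  # logins that worked from this IP
            })
    return findings

if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    print("burst rule hits:", burst_rule(events))
    for finding in hunt_spray(events):
        print(finding)
```

On the sample, the burst rule stays silent while the hunt surfaces the slow source, and the `succeeded` field marks which accounts to reset first.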
-
We get an increasing number of client calls at Gartner from HR and recruiting leaders who are concerned about candidates misrepresenting their identities during the interview process. I'm sure many of you read the articles last year about US firms inadvertently hiring North Koreans into remote roles.

There are different reasons candidates might do this, such as a candidate with the right skills who happens to be in one country trying to get a better paid job in another country. Or it might be more sinister, and could be an attacker trying to get a position that gives them systems access to get up to mischief like stealing intellectual property or planting ransomware. In any case, if a candidate is not using their real identity - something is wrong.

I was pleased to co-author a new piece of research, Mitigate Rising Candidate Fraud Through Identity Verification, led by my colleague Emi Chiba, explaining how HR and recruiting leaders can mitigate these risks. Robust online identity verification, with appropriate liveness detection, injection attack detection, and checking of identity data from the document against authoritative sources will make it harder for fraudulent candidates to get the job.

Clients can read the research here: https://lnkd.in/eKX_6ncX
Non-clients can get smarter with Gartner, by exploring our other insights: https://gtnr.it/GExpert

Photo by Eric Prouzet on Unsplash
-
A new Advanced Persistent Threat (APT) is targeting HR and payroll; CISOs need to take note.

When cybercriminals go after HR, payroll, and internal admin teams, they're not just stealing data, they’re attacking the operational backbone of an organisation. And that’s exactly what our APT Research Team at Seqrite Labs has just uncovered.

Over the past week, our researchers identified a new multi-stage attack campaign targeting Russian corporate entities, using extremely convincing HR themed lures. What looks like an “annual bonus policy” PDF is actually the entry point to a stealthy infection chain that delivers a custom implant we’ve named DUPERUNNER, followed by an AdaptixC2 beacon.

For CISOs, the message is simple:
> Threat actors are shifting left, going after internal business workflows that employees implicitly trust.
> A single click in HR can give attackers the same access as a compromised domain controller.
> Financial, reputational, and operational risks multiply when attackers remain hidden inside your environment.

Our Seqrite APT team’s deep dive reveals:
• A spear-phishing chain built around benign looking HR documents
• A previously unknown C++ implant (DUPERUNNER) capable of process injection
• A stealthy AdaptixC2 beacon used for command and control
• A dedicated malicious infrastructure operated across ASNs in Russia

This campaign shows how threat actors are moving toward social engineering that looks legitimate and fits into daily routines. A single click in an HR department can give an attacker access equal to or greater than a compromised server. It is the kind of threat many leaders casually scroll past on LinkedIn until it hits their own organisation.

At Seqrite, our protection layers already detect and block each stage of this attack but the larger story is that attack surfaces are evolving faster than traditional defences. We have added full technical details, infrastructure information and IOCs in the blog.

You can read the full research here: https://lnkd.in/d9qm-dsq

Full credit to our researchers at Seqrite Labs who led this investigation. Outstanding work by the team behind this analysis and write up that includes: Subhajeet Singha, Priya Patel, Nandini Seth, Jyoti Karlekar, Quick Heal

#CyberSecurity #APT #ThreatIntelligence #CISO #MalwareAnalysis #Infosec #CyberAttack #EnterpriseSecurity #SeqriteLabs #CyberThreats #ThreatResearch #DUPERUNNER #AdaptixC2
-
Microsoft Threat Intelligence is sharing research and insights into #NorthKorea and #China threat actors, and their evolving tactics.

North Korea
▶️ Masquerading as venture capitalists, to set up fake meetings
▶️ Posing as recruiters on LinkedIn to deliver fake skills assessments
▶️ Phishing campaigns targeting aerospace and defense, to increase understanding of missiles, drones, and related tech
▶️ Dispatching thousands of IT workers abroad, to earn money for the regime, and to obtain access to sensitive intellectual property
▶️ Using third party facilitators to create fake LinkedIn and jobsite profiles, bank accounts, purchase mobile phones, to aid in the recruitment process
▶️ Using AI tools such as Faceswap and voice-changing software to steal, or change identities

China (Storm2077)
▶️ Using overlapping tools and tactics of other threat actors to avoid tracking and attribution
▶️ Targeting defense, aviation, telecommunications, financial, and legal services for intelligence purposes
▶️ Harvesting email data, for further analysis, using eDiscovery and other methods

Check out the blog for more information.... https://lnkd.in/eP5VSiWZ
-
⚠️ Our team at Google Threat Intelligence Group (GTIG) just published new research on how adversaries are operationalizing generative AI.

We are tracking a maturing transition from simple experimentation to the industrial scale application of models within adversarial workflows. Threat actors are no longer just using AI as a basic assistant, they are embedding it directly into their attack lifecycles to scale and automate operations.

Here are the key takeaways from our Q2 2026 AI Threat Tracker:
🔥 For the first time, we have identified a cybercrime threat actor using a zero-day exploit that we believe was developed with the assistance of AI.
🛡️ Suspected Russia-nexus threat actors are leveraging AI-driven coding to generate large amounts of decoy logic, helping malware families like CANFAIL and LONGSTREAM evade static security controls.
📱 We analyzed an Android backdoor called PROMPTSPY that uses the Gemini API to dynamically interpret device environments and autonomously simulate physical gestures on the screen.
📦 Threat actors like #TeamPCP are targeting popular AI integration libraries, compromising tools like LiteLLM to steal high-value API secrets and cloud credentials.

To help defenders stay ahead of these evolving threats, our report also details key mitigations and how we are using AI agents to find and automatically patch software vulnerabilities. I will drop the link to the blog in the comments below.
-
If you or anyone you know is job hunting, read this!

There’s a new - and frankly unsettling - tactic emerging in the threat landscape that professionals in tech, recruiting, and security should be aware of. Threat actors are now posing as legitimate employers and guiding candidates through seemingly normal hiring pipelines… right up to the live interview stage.

Here’s where it gets dangerous: Candidates are invited to a Zoom interview that includes a “coding exercise.” Nothing unusual on the surface - until they’re asked to run provided code, install a dependency, or share their screen while interacting with a prepared environment. That’s the trap! The exercise environment or instructions are weaponized. In some reported cases, candidates unknowingly execute malicious scripts, expose sensitive local data, or grant access that enables compromise of their machine or accounts.

Why this works:
* It exploits trust in the hiring process
* It targets technically capable individuals (high-value access)
* It happens in real time, under pressure, with lowered skepticism

Red flags to watch for:
* Being asked to download or run code from unfamiliar, unverified sources
* Interviewers pushing you to disable security controls or “just trust the setup”
* Unusual urgency or pressure during technical exercises
* Requests to access local files, system info, or credentials unrelated to the task

What you can do:
* Treat interview environments like production: verify everything
* Use isolated environments (VMs, containers, or throwaway machines)
* Never run unknown code on your primary system
* Ask questions—legitimate companies won’t object to reasonable security caution

This is social engineering evolving to meet modern workflows. The hiring process itself is becoming an attack surface. Would you recognize this in time? Have you or anyone you know encountered this firsthand? Stay sharp out there!

#CyberSecurity #InfoSec #ThreatIntelligence #SocialEngineering #CyberThreats #Malware #Phishing #SecurityAwareness #TechCareers #JobSearch #RemoteWork #Zoom #Hiring #Developers #ITSecurity #DigitalTrust #CyberDefense #SecurityCulture
-
By 2028, 1 in 4 job candidates worldwide will be fake. That's not a prediction. It's from Gartner.

At Deel we're seeing a significant rise in applications, and specifically in Engineering there are larger spikes of fake candidates. Stay vigilant!

What's happening? Scammers are scraping LinkedIn profiles and company staff lists. They're building convincing fake candidate profiles. Real-looking faces, real-sounding credentials, real video calls powered by AI. This is impacting remote roles! When they are hired, they walk remotely straight into your systems, not office. Your proprietary data. Your business records. Your customers' personal information.

So what should companies actually do?

Verify identity before day one. Video interviews aren't enough anymore. Use layered identity verification to spot fraud detection. Don't simply rely on this, ensure background checks, government ID checks, liveness detection, and third-party background screening that goes beyond a CV. cc Neev Wilf and the Clarity team. Thank you for your partnership.

Train your hiring teams. Recruiters need to know the signs: slight video lag, unnatural blinking, audio that doesn't quite sync. Deepfake detection is now a hiring skill.

Build a compliant global onboarding process. Ad hoc remote hiring with no structured verification is where the gaps appear. Process beats panic every time.

The companies that win are the ones who hire globally and verify rigorously. Don't let a fake face cost you a real fortune.
-
Group-IB Threat Intelligence team just published research on Operation #Olalampo — MuddyWater's latest campaign targeting organizations across the MENA region. What stands out is not only the four new malware families deployed, but the operational maturity behind them: #AI-assisted development, #Telegram-based command-and-control, and infrastructure reused from months-earlier operations. The most valuable intelligence came from an unexpected source. By identifying and monitoring the adversary's own Telegram C2 bot, our analysts gained real-time visibility into hands-on-keyboard activity — specific commands, post-exploitation techniques, data exfiltration patterns. This is what adversary-centric research delivers: not retrospective indicators, but predictive insight into how threat actors think and operate. This campaign reinforces a structural shift. Nation-state actors are adopting AI to accelerate malware creation. They are migrating C2 to legitimate platforms to evade detection. And they are running sustained, multi-variant operations designed for long-term access. Reactive defenses cannot match this pace. The organizations that will stay ahead are those investing in deep threat intelligence — the kind that lets you see the adversary's playbook before the next move is made. Read it here: https://lnkd.in/d2reRM69
-
Fraudulent Candidates Are Everywhere—Here’s What We’re Doing About It

Over the last few months, we’ve seen a huge rise in fraudulent applicants here at Tailscale. In some cases, as many as half of applicants on a job are not who they say they are. Yes, really. The good news: we’ve gotten very good at spotting it, and I wanted to share what I have learned.

🎯 Who’s a Target?
- remote-first tech companies
- companies with fully remote interview processes

❓ Why? Fraudsters are hoping they can:
- impersonate someone else
- use deepfake video or audio
- bypass less-rigorous screening steps
- eventually steal data or paychecks

Basically, anywhere the hiring process happens behind a laptop, fraud is rising.

🛑 The Most Telltale Signs:
- no profile photo (or a cartoon avatar - as much as we love them!) on LinkedIn
- no connections or a brand-new LinkedIn account
- application language suspiciously close to the exact verbiage in your job description
- different name on the resume vs email vs LinkedIn (not just a nickname… literally different identities)
- repeated applications even after being rejected
- listing n/a in job posting questions to bypass or writing nonsensical answers

⚠️ Important: One flag alone does not mean fraud—but multiple flags together should absolutely make you pause and verify.

Some Tips

👉 Message them on LinkedIn before the interview. If the LinkedIn looks legit but something else feels off, send a message and ask them to confirm the interview time. If it’s a fraudulent applicant, 1 of 2 things might happen: 1) the real person responds (“um…who??”) 2) the scammer disappears. Either way, you get clarity without wasting time.

👉 Email before the interview. You can literally say: “We’ve been seeing a lot of fraudulent applications—would you mind confirming X?” Most legitimate candidates won’t mind at all.

👉 For Engineers, ask for a GitHub link in your application questions & have them add you to a private repo (takes 30 seconds).

👉 Use verification tools. We use tofu, and it’s been excellent. It can tell you:
- if their email address or LinkedIn was created yesterday
- whether the email matches the LinkedIn signup
- if the phone number is tied to prior scams
- whether the same resume shows up under multiple names at your company or the countless others in their network

It’s worth the investment—especially if you’re remote and high-volume.

💡 Remember: Behind every scam attempt, there’s sometimes a real person whose identity is being abused. If you confirm something is fraudulent, be kind and send a quick InMail to the person. Most have no idea someone applied on their behalf.

TL;DR Fraudulent applicants are here, they’re getting more sophisticated, and we’re not tolerating it. At Tailscale, we’re actively verifying identity, tightening processes, and investing in tools. If you’re a hiring manager or recruiter dealing with the same, I hope this helps. And if you’re a scammer thinking of applying here… please don’t. We’re onto you. 😉