Preparation
Archive Data
Boot Order Manipulation
CCTV Enumeration
Circumventing Security Controls
Data Obfuscation
Data Staging
Device Mounting
Email Collection
External Media Formatting
File Download
File Exploration
Impersonation
Increase Privileges
IT Ticketing System Exploration
Network Scanning
Physical Disk Removal
Physical Exploration
Physical Item Smuggling
Private / Incognito Browsing
Read Windows Registry
Remote Desktop (RDP)
Security Software Enumeration
Social Engineering (Outbound)
Software Installation
- Installing Browser Extensions
- Installing Browsers
- Installing Cloud Storage Applications
- Installing FTP Clients
- Installing Messenger Applications
- Installing Note-Taking Applications
- Installing RDP Clients
- Installing Screen Sharing Software
- Installing SSH Clients
- Installing Virtual Machines
- Installing VPN Applications
Software or Access Request
Suspicious Web Browsing
Testing Ability to Print
- ID: PR027.001
- Created: 07th May 2025
- Updated: 07th May 2025
- Contributor: David Larsen
Deepfake or Synthetic Identity Use in Hiring
The subject leverages synthetic identity elements, AI-generated visuals, deepfake video, or falsified credentials to obtain employment or contractor status under a false identity. This tactic is commonly used to gain insider access to an organization while avoiding standard background checks, attribution mechanisms, or compliance controls.
Common methods include:
- Using AI-generated (GAN-based) profile photos that cannot be reverse-image searched.
- Employing real-time deepfake tools during video interviews to alter facial appearance or impersonate another individual.
- Substituting a more technically skilled individual to complete a remote hiring assessment or interview under a fabricated identity.
- Presenting credentials or documentation (e.g., CVs, diplomas, certifications) created using forgery tools or generative AI.
This tactic is particularly dangerous when used to embed individuals in sensitive roles such as DevOps, system administration, SOC analyst, or software engineering, where access to production systems and intellectual property is granted shortly after onboarding.
Example Scenarios:
- A subject uses a synthetic LinkedIn profile with AI-generated imagery and falsified work history to apply for a remote DevOps role. During the live video interview, they use a deepfake overlay to match their fabricated profile photo.
- A technically skilled individual conducts a coding interview using a deepfake of another person, allowing a less qualified "puppet" to be hired under false credentials. The qualified subject later assists or directs actions remotely.
- A malicious actor obtains employment under an assumed identity to infiltrate a target organization on behalf of a third party, using synthetic documents and deepfake liveness checks to pass onboarding.
Prevention
ID | Name | Description |
---|---|---|
PV052 | Criminal Background Checks | A subject may be required to undergo a criminal background check prior to joining the organization, particularly when the role involves access to sensitive systems, data, or physical spaces. This preventative measure is designed to identify any prior criminal conduct that may present a risk to the organization, indicate a potential for malicious behavior, or conflict with legal, regulatory, or internal policy requirements.
Criminal background checks help assess whether a subject's history includes offenses related to fraud, theft, cybercrime, or breaches of trust—each of which may elevate the insider threat risk. Roles with elevated privileges, access to customer data, financial systems, or classified information are often subject to stricter screening protocols to ensure individuals do not pose undue risk to organizational security or compliance obligations.
This control is especially critical in regulated industries or environments handling national security assets, intellectual property, or financial infrastructure. In such settings, background checks may be embedded within broader personnel vetting procedures, such as security clearances or workforce integrity programs.
Where appropriate, periodic re-screening or risk-based follow-up checks—triggered by role changes or concerning behavior—can strengthen an organization’s ability to detect emerging threats over time. When implemented consistently, background checks can serve as both a deterrent and a proactive defense against insider threat activity. |
PV051 | Employment Reference Checks | An individual’s prior employment history may be verified through formal reference checks conducted prior to their onboarding with the organization. This process aims to validate key aspects of the subject’s professional background, including dates of employment, job titles, responsibilities, and performance, as well as behavioral or conduct-related concerns.
Reference checks serve as a critical layer in assessing an individual’s suitability for a given role, particularly where access to sensitive systems, data, or personnel is involved. When conducted thoroughly, this process can help identify discrepancies in a candidate’s reported history, uncover patterns of misconduct, or reveal concerns related to trustworthiness, reliability, or alignment with organizational values.
Employment reference checks are particularly relevant to insider threat prevention when evaluating candidates for positions involving privileged access, managerial authority, or handling of confidential information. These checks may also uncover warning signs such as unexplained departures, disciplinary actions, or documented integrity issues that elevate the risk profile of the individual.
Organizations may perform this function internally or engage trusted third-party screening providers who specialize in pre-employment due diligence. When combined with other vetting measures—such as criminal background checks and social media screening—reference checks contribute to a layered approach to workforce risk management and help mitigate the likelihood of malicious insiders gaining access through misrepresentation or concealment. |
PV053 | Government-Issued ID Verification | An individual may be required to present and verify valid government-issued identification prior to their association with the organization. This process serves as a foundational identity assurance mechanism, ensuring that the subject is who they claim to be and enabling further vetting procedures to be accurately applied.
Verification of official identification—such as passports, national ID cards, or driver’s licenses—supports compliance with legal, regulatory, and internal requirements related to employment eligibility, right-to-work verification, security clearance eligibility, and access provisioning. It also helps establish a verifiable link between the individual and other background screening measures, including criminal record checks, reference verification, and credential validation.
In the context of insider threat prevention, government-issued ID verification helps prevent identity fraud and the onboarding of individuals using false or stolen identities to gain unauthorized access to sensitive roles, environments, or data. This is particularly critical in sectors handling classified information, critical infrastructure, or financial assets, where subjects may otherwise attempt to obscure prior conduct or affiliations.
Organizations may perform this verification in-house using secure document validation systems or biometric identity matching, or they may rely on trusted third-party identity verification providers offering digital identity assurance services. As part of a multi-layered personnel screening framework, this control helps reduce the risk of malicious insiders gaining a foothold under false pretenses. |
PV054 | Human Resources Collaboration for Early Threat Detection | Implement a process whereby HR data and observations, including those from managers and colleagues, can be securely communicated in a timely manner to investigators, triggering proactive monitoring of potential insider threats early in their lifecycle. Collaboration between HR teams, managers, colleagues, and investigators is essential for detecting concerning behaviors or changes in an employee's personal circumstances that could indicate an increased risk of insider threat.
Mental Health and Personal Struggles
Negative Statements or Discontent with the Company
Excessive Financial Purchases (Potential Embezzlement or Third-Party Influence)
Hearsay and Indirect Reports
Implementation Considerations
|
PV038 | Insider Threat Awareness Training | Training should equip employees to recognize manipulation tactics, such as social engineering and extortion, that are used to coerce actions and behaviors harmful to the individual and/or the organization. The training should also encourage and guide participants on how to safely report any instances of coercion. |
PV022 | Internal Whistleblowing | Provide a process for all staff members to report concerning and/or suspicious behaviour to the organization's security team for review. An internal whistleblowing process should take into consideration the privacy of the reporter and the subject(s) of the report, with specific regard to safeguarding against reprisals against reporters. |
PV050 | Social Media Screening | A subject’s publicly accessible online presence may be examined prior to, or during, their association with the organization through the application of Open Source Intelligence (OSINT) techniques. This form of screening involves the systematic analysis of publicly available digital content—such as social media profiles, posts, comments, blogs, forums, and shared media—to assess potential risks associated with an individual.
Social media screening is typically conducted to identify indicators of reputational risk, conflicting motives, or behavioral patterns that may suggest the potential for insider threat activity. Content of concern may include public expressions of hostility toward the organization, affiliation with extremist or high-risk groups, or engagement with topics unrelated to the subject's role that could indicate potential misuse of access.
Trusted service providers specializing in OSINT and digital risk intelligence may be engaged to perform this screening on behalf of the organization. These providers use automated tools and analyst-driven review processes to ensure consistent, legally compliant, and policy-aligned assessments of online behavior.
When implemented as part of pre-employment screening or ongoing risk monitoring, social media screening can serve as a proactive measure to detect insider threat indicators early. To be effective and ethical, such programs must follow applicable privacy laws, data protection regulations, and internal governance standards. When responsibly executed, social media screening enhances the organization's ability to identify individuals who may present an elevated risk to information security, personnel safety, or corporate reputation. |
Detection
ID | Name | Description |
---|---|---|
DT033 | Closed-Circuit Television | CCTV can be used to observe activity within or around a site. This control can help to detect preparation or infringement activities and record it to a video file. |
DT103 | Photographic Identification Comparison | During the recruitment or onboarding process, the individual’s appearance in in-person or online interviews should be compared with their government-issued photographic identification, which must match the details provided by the applicant before the interview. This helps detect potential fraudulent discrepancies and reduces the risk of one person attending the interview while another carries out the work for the organization. |
DT049 | Social Media Monitoring | Social Media Monitoring refers to monitoring social media interactions to identify organizational risks, such as employees disclosing confidential information and making statements that could harm the organization (either directly or through an employment association). |