Nearly every company, from tech giants like Amazon to small startups, has first-hand experience with fake IT workers applying for jobs – and sometimes even being hired.
Even so, using a deepfake video to apply for a security researcher role with a company that does threat modeling for AI systems seems incredibly brash.
“It’s one of the most common discussion points that pops up in the CISO groups I’m in,” Expel co-founder and CEO Jason Rebholz told The Register, talking about the North Korean-type job interview scam. “I did not think it was going to happen to me, but here we are.”
Before starting his own AI security shop, Rebholz worked as an incident responder and chief information security officer (CISO). He has researched deepfakes for years, and even used them in his presentations – so he’s not an easy target for this type of scam.
In January, Rebholz posted a few job openings at his firm on LinkedIn. Within a couple hours, he received a direct message from someone he didn’t know personally saying that they knew someone who would be a good candidate for the security researcher role.
The purported job-seeker’s profile pic wasn’t of a real person. Rebholz says it looked like an anime character, and calls it the “first red flag” in this whole experience. But he still gave the candidate the benefit of the doubt.
“In the security community, people get freaked out about privacy, and so it’s not outside of the norm if somebody has an alias or don’t have a real picture,” he said. “This was the first instance of me trying to justify what I was seeing.”
More red flags
Rebholz asked his LinkedIn connection about the job seeker, and the connection send him a link to a resume hosted on Vercel, a cloud platform for building apps that integrates with AI tools. That also seemed a little strange.
“I’m chatting with my co-founder at the time and he said, ‘that’s kind of weird. He probably used Claude to generate that resume,'” Rebholz said, adding that if you ask Claude Code to create a resume or portfolio, it typically deployed these on Vercel.
Rebholz justified this by telling himself the guy’s a developer, it makes sense that he’d use a coding tool to create a portfolio, plus, “it was a good-looking resume. It all looked really professional.”
The LinkedIn contact said he previously worked with the job seeker at his last company, and told Rebholz the would-be security researcher worked overseas. Rebholz said that wouldn’t be a problem. Expel’s a young company, and Rebholz wanted to interview as many people as he could to get a sense of who was right for the job.
“At this point, I didn’t suspect it was a scam,” he said. “It felt a little bit weird with the person, being overseas, even though the last job that they had was in San Francisco.”
Still, Rebholz figured he could ask about this in the interview. He gave the LinkedIn person his email address, asked the mutual “friend” to make the connection, “and within five minutes of the email hitting my inbox, I have a LinkedIn message saying: ‘Check your spam folder, he replied to you, make sure you reply to him.'”
Rebholz started to suspect he was getting scammed. “I’ve never had that level of urgency for an introduction before,” he said. Every security sleuth – or anyone who has gone through anti-phishing training – knows that attackers typically try to create a sense of urgency to get their mark to take a certain action.
When we had the interview, that’s when things just went off the rails right away
“But I thought, all right, let me just talk with them. No harm there. And so we got an interview scheduled,” Rebholz said. “I didn’t reach a point yet where the red flags cross that threshold where I thought this is definitely a scam. We were in the yellow zone. Things were definitely getting a little suspicious. But when we had the interview, that’s when things just went off the rails right away.”
The scammer joined the call with his camera off. Then it took him a good 30 seconds to turn his camera on. “During that 30 seconds, I’m thinking this is going to be a deep fake, all those red flags started popping up from before, this is definitely not going to be real,” Rebholz said.
When the camera turned on, the job seeker was sitting in front of a virtual background – you can see a clip here – his face looked a bit blurry and plastic, there was a greenscreen reflected in his glasses, and at one point dimples appeared on his face.
“At that point, I was latching on to the softness of his face, and as he was moving around you could see if appearing and disappearing,” Rebholz said. “At this point, I know I’m definitely talking to a deepfake. But again, I tried to justify it.”
During our interview, Rebholz repeatedly describes an “inner turmoil” he experienced during this process. “What if I’m wrong? Even though I’m 95 percent sure I’m right here, what if I’m wrong and I’m impacting another human’s ability to get a job? That was literally the dialog that was going on in my head, even though I knew it was a deep fake the whole time. It was this weird juxtaposition. I found myself short circuiting to: there could be an explanation for what I’m seeing. It was a very surreal experience.”
What if I’m wrong? Even though I’m 95 percent sure I’m right here, what if I’m wrong and I’m impacting another human’s ability to get a job?
Rebholz says he noticed that the job seeker had a tendency to repeat the interview questions back before answering them, and many of his answers were almost word-for-word quotes of things Rebholz had said or written that were shared online. “It was almost an out-of-body experience where I felt like I was talking to myself,” he sa