When Attackers Get Hired: Today’s New Identity Crisis

What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding.

Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out.

On day one, Jordan logs into email and attends the weekly standup, getting a warm welcome from the team. Within hours, they have access to repos, project folders, even some copy/pasted dev keys to use in their pipeline.

A week later, tickets close faster, and everyone’s impressed. Jordan makes insightful observations about the environment, the tech stack, which tools are misconfigured, and which approvals are rubber-stamped.

But Jordan wasn’t Jordan. And that red-carpet welcome the team rolled out was the equivalent of a golden key, handed straight to the adversary.

From Phishing to Fake Hires

The modern con isn’t a malicious link in your inbox; it’s a legitimate login inside your organization.

While phishing is still a serious threat that continues to grow (especially with the increase in AI-driven attacks), it’s a well-known attack path. Organizations have spent years hardening email gateways, training employees to recognize and report malicious content, and running internal phishing tests.

We defend against a flood of phishing emails daily, as there’s been a 49% increase in phishing since 2021[1], and a 6.7x increase in large language models (LLMs) being used to generate emails with convincing lures. It’s becoming significantly easier for attackers to run phishing attacks.

But that’s not how Jordan got in. Despite numerous defenses pointed at email, Jordan got in with HR paperwork.

Why is Hiring Fraud a Problem Now?

Remote hiring has scaled rapidly in the past few years. Industries have discovered that 100% remote work is possible, and employees no longer need offices with physical (and easily defendable) perimeters. Moreover, talented resources exist anywhere on the planet. Hiring remotely means organizations can benefit from an expanded hiring pool, with the potential for more qualifications and skills. But remote hiring also removes the intuitive and natural protections of in-person interviews, creating a new opening for threat actors.

Today, identity is the new perimeter. And that means your perimeter can be faked, impersonated, or even AI-generated. References can be spoofed. Interviews can be coached or proxied. Faces and voices can be generated (or deepfaked[2]) by AI. An anonymous adversary can now convincingly appear as “Jordan from Colorado” and get an organization to give them the keys to the kingdom.

Hiring Fraud in the Wild: North Korea’s Remote “Hire” Operatives

The threat of remote hiring fraud isn’t something we’re watching roll in on the horizon or imagine in scary stories around the campfire.

A report[3] published in August of this year revealed over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers with false identities and polished resumes. That single example has seen a 220% increase year-over-year, which means this threat is escalating quickly.

Many of these North Korean operatives used AI-generated profiles, deepfakes, and real-time AI manipulation to pass interviews and vetting protocols. One case even involved American accomplices who were operating “laptop farms” to provide the operatives with physical US setups, company-issued machines, and domestic addresses and identities. Through this scheme, they were able to steal data and funnel salaries back to North Korea’s regime, all while evading detection.

These aren’t isolated hacktivist stunts, either. Investigations have identified this as a systematic campaign, often targeting Fortune 500 companies.

The Castle & Moat Problem

Many organizations respond by overcorrecting: “I want my entire company to be as locked down as my most sensitive resource.”

It seems sensible—until the work slows to a crawl. Without nuanced controls that allow your security policies to distinguish between legitimate workflows and unnecessary exposure, simply applying rigid controls that lock everything down across the organization will grind productivity to a halt. Employees need access to do their jobs. If security policies are too restrictive, employees are either going to find workarounds or continually ask for exceptions.

Over time, risk creeps in as exceptions become the norm.

This collection of internal exceptions slowly pushes you back towards “the castle and moat” approach. The walls are fortified from the outside, but open on the inside. And giving employees the key to unlock everything inside so they can do their jobs means you are giving one to Jordan, too.

In other words, locking everything down the wrong way can be just as dangerous as leaving it open. Strong security must account for and adapt to real-world work; otherwise, it collapses.

How To Achieve a Zero Standing Privileges State and Block Fraudulent New Hires Without the Trade-Off

We’ve all heard of zero trust: never trust, always verify. This applies to every request, every time, even after someone is already “inside.”

Now, with our new perimeter, we have to view this security framework through the lens of identity, which brings us to the concept of zero standing privileges (ZSP)[4].

Unlike the castle model, which locks everything down indiscriminately, a ZSP state should be built around flexibility with guardrails:

  • No always-on access by default – The baseline for every identity is always the minimum access required to function.
  • JIT (Just-in-Time) + JEP (Just-Enough-Privilege) – Extra access takes the form of a small, scoped permission that exists only when needed, for the finite duration needed, and then gets revoked when the task is done.
  • Auditing and accountability – Every grant and revoke is logged, creating a transparent record.

This approach closes the gap left by the castle problem. It ensures attackers can’t rely on persistent access, while employees can still move quickly through their work. Done right, a ZSP approach aligns productivity and protection instead of forcing a choice between them. Here are a few more tactical steps that teams can take to eliminate standing access across their organization:

The Zero Standing Privileges Checklist

Inventory & baselines:

Request – Approve – Remove:

Full audit and evidence:
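The request – approve – remove loop described above (and the three ZSP guardrails listed earlier: no always-on access, JIT + JEP grants, and a log of every grant and revoke) can be made concrete in a small access broker. The following Python is an added illustration written for this article; it is not BeyondTrust Entitle’s code or any product’s API. The identity names, scope strings such as `repo:payments:write`, the `MAX_GRANT` ceiling and the ticket numbers are all constructed for the example.

```python
"""Toy zero-standing-privileges (ZSP) broker: request -> approve -> time-bound grant -> auto-expiry.
Added illustration; not BeyondTrust Entitle's implementation. All names and scopes are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

MAX_GRANT = timedelta(hours=1)          # hypothetical ceiling on any single grant
SCOPE = "repo:payments:write"           # constructed scope name used by the demo
T0 = datetime(2025, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock for the demo


@dataclass
class Grant:
    identity: str
    scope: str
    expires_at: datetime   # every grant carries its own expiry; nothing lives forever
    approver: str
    ticket: str


@dataclass
class ZspBroker:
    """Baseline access for every identity is empty; anything more is a time-bound grant."""
    requestable: Dict[str, Set[str]]   # identity -> scopes that identity may *ask* for (JEP)
    approvers: Set[str]                # identities allowed to approve requests
    _pending: Dict[str, Tuple[str, str, timedelta, str]] = field(default_factory=dict)
    _grants: List[Grant] = field(default_factory=list)
    _seq: int = 0
    audit: List[dict] = field(default_factory=list)   # append-only record of every decision

    def _log(self, event: str, now: datetime, **fields) -> None:
        self.audit.append({"event": event, "at": now.isoformat(), **fields})

    def request(self, identity: str, scope: str, duration: timedelta,
                ticket: str, now: datetime) -> str:
        """JIT request: only requestable scopes, only up to MAX_GRANT, always tied to a ticket."""
        if scope not in self.requestable.get(identity, set()):
            self._log("request_denied", now, identity=identity, scope=scope,
                      reason="scope_not_requestable")
            raise PermissionError(f"{identity} may not request {scope}")
        if duration <= timedelta(0) or duration > MAX_GRANT:
            self._log("request_denied", now, identity=identity, scope=scope,
                      reason="duration_out_of_policy")
            raise ValueError(f"duration must be within (0, {MAX_GRANT}]")
        self._seq += 1
        request_id = f"req-{self._seq}"
        self._pending[request_id] = (identity, scope, duration, ticket)
        self._log("requested", now, request_id=request_id, identity=identity, scope=scope,
                  duration_s=int(duration.total_seconds()), ticket=ticket)
        return request_id

    def approve(self, request_id: str, approver: str, now: datetime) -> Grant:
        """Turn a pending request into a scoped grant whose expiry is fixed at approval time."""
        if request_id not in self._pending:
            raise KeyError(f"unknown or already handled request {request_id}")
        identity, scope, duration, ticket = self._pending[request_id]
        if approver not in self.approvers or approver == identity:
            # Non-approvers and self-approval are refused and recorded; the request stays pending.
            self._log("approval_denied", now, request_id=request_id, approver=approver)
            raise PermissionError(f"{approver} cannot approve {request_id}")
        del self._pending[request_id]
        grant = Grant(identity, scope, now + duration, approver, ticket)
        self._grants.append(grant)
        self._log("granted", now, request_id=request_id, identity=identity, scope=scope,
                  approver=approver, expires_at=grant.expires_at.isoformat())
        return grant

    def has_access(self, identity: str, scope: str, now: datetime) -> bool:
        """Authorization check: expired grants are swept first, so there is no standing access."""
        self._expire(now)
        return any(g.identity == identity and g.scope == scope for g in self._grants)

    def revoke(self, identity: str, scope: str, now: datetime,
               reason: str = "task_complete") -> int:
        """Early removal when the task ends (or on offboarding); returns the number removed."""
        keep = [g for g in self._grants if not (g.identity == identity and g.scope == scope)]
        removed = len(self._grants) - len(keep)
        self._grants = keep
        if removed:
            self._log("revoked", now, identity=identity, scope=scope, reason=reason)
        return removed

    def _expire(self, now: datetime) -> None:
        for g in self._grants:
            if g.expires_at <= now:
                self._log("grant_expired", now, identity=g.identity, scope=g.scope, ticket=g.ticket)
        self._grants = [g for g in self._grants if g.expires_at > now]


def demo() -> ZspBroker:
    """Walk 'jordan' through request -> approve -> use -> expiry on constructed data."""
    broker = ZspBroker(requestable={"jordan": {SCOPE}}, approvers={"lead"})
    rid = broker.request("jordan", SCOPE, timedelta(minutes=30), "TICKET-1", T0)
    broker.approve(rid, "lead", T0)
    assert broker.has_access("jordan", SCOPE, T0 + timedelta(minutes=29))       # inside window
    assert not broker.has_access("jordan", SCOPE, T0 + timedelta(minutes=31))   # auto-revoked
    return broker


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Two design points matter for the fake-hire scenario. First, `has_access` never consults a standing role table: an identity that was onboarded yesterday has exactly the same empty baseline as one onboarded a year ago, and the only way to reach `repo:payments:write` is a ticketed request that someone else approves. Second, the `audit` list records denials as well as grants, so an account that repeatedly asks for scopes outside its requestable set, or tries to approve its own requests, leaves a visible trail for the SOC even when it never obtains anything.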

Taking Action: Start Small, Win Fast

A practical way to begin is by piloting ZSP on your most sensitive system for two weeks. Measure how access requests, approvals, and audits flow in practice. Quick wins here can build momentum for wider adoption, and prove that security and productivity don’t have to be at odds.

BeyondTrust Entitle, a cloud access management solution[5], enables a ZSP approach, providing automated controls that keep every identity at the minimum level of privilege, always. When work demands more, employees can receive it on request through time-bound, auditable workflows. Just enough access is granted just in time, then removed.

By taking steps to operationalize zero standing privileges, you empower legitimate users to move quickly—without leaving persistent privileges lying around for Jordan to find.

Ready to get started? Click here to get a free red-team assessment of your identity infrastructure[6].

Note: This article was expertly written and contributed by David van Heerden, Sr. Product Marketing Manager. David van Heerden — a self-described general nerd, metalhead, and wannabe film snob — has worked in IT for over 10 years, sharpening his technical skills and developing a knack for turning complex IT and security concepts into clear, value-oriented topics. At BeyondTrust, he has taken on the Sr. Product Marketing Manager role, leading the entitlements marketing strategy.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News[7], Twitter[8] and LinkedIn[9] to read more exclusive content we post.

References

  1. ^ 49% increase in phishing since 2021 (hoxhunt.com)
  2. ^ deepfaked (www.beyondtrust.com)
  3. ^ report (go.crowdstrike.com)
  4. ^ zero standing privileges (ZSP) (www.beyondtrust.com)
  5. ^ BeyondTrust Entitle, a cloud access management solution (www.beyondtrust.com)
  6. ^ Click here to get a free red-team assessment of your identity infrastructure (www.beyondtrust.com)
  7. ^ Google News (news.google.com)
  8. ^ Twitter (twitter.com)
  9. ^ LinkedIn (www.linkedin.com)

By admin