Managing Insider Threats and Fake Remote Worker Risks
June 16, 2026
The rise of remote and hybrid work has expanded opportunities for organizations to access talent across jurisdictions but also created new cybersecurity, compliance, and national security risks. Among the most concerning developments is the growing prevalence of so-called fake remote workers: individuals who use stolen identities, artificial intelligence tools, and sophisticated remote-access techniques to obtain employment under false pretenses while gaining access to sensitive company systems and data.
While attention has focused on North Korean information technology (IT) worker schemes, organizations should view these incidents as part of a broader insider threat landscape. Insider threats can arise from malicious employees, contractors, third-party personnel, corporate espionage efforts, financially motivated actors, or individuals who unintentionally access or expose sensitive information.
What makes insider threats particularly challenging is that the threat actor is already inside the organization, often using legitimate credentials, approved tools, and authorized access, making detection significantly more difficult.
This Insight, based on a recent Morgan Lewis Technology Marathon webinar, outlines key developments and practical considerations for organizations seeking to identify, prevent, and respond to insider threats and fake remote worker risks.
HOW THE SCHEME WORKS
According to US, EU, UK, and other Western governmental agencies, these schemes often begin with the use of AI-generated profiles, fabricated resumes, and stolen US or EU/UK-based identities. Once the faux candidate is hired, company-issued devices are typically shipped to US or EU/UK-based “laptop farms” where facilitators install remote-access tools, allowing overseas workers to access company systems while appearing to operate domestically.
Organizations should remain alert for a collection of red flags rather than any single indicator. Warning signs may include:
- Inconsistent personal information, including names, locations, employment histories, or educational backgrounds.
- Sparse or difficult-to-verify social media profiles.
- References that cannot be independently verified.
- Requests to change addresses or payment methods during onboarding.
- Multiple logins from different IP addresses within short periods.
- Refusal to appear on camera during meetings or interviews.
- Repeated absences from in-person meetings or company events.
- Use of unusual remote-access software or other tools designed to conceal activity.
- Requests for payment through cryptocurrency or third-party accounts.
When viewed individually, these issues may appear innocuous, but collectively, they may warrant further investigation.
THE LEGAL AND REGULATORY LANDSCAPE
In the United States, unauthorized access to personal information by a fake employee may trigger state breach notification requirements, regulatory inquiries, contractual notification obligations, and potential litigation exposure. State laws vary, but many require notifications when personal information is accessed or acquired without authorization.
Companies operating internationally are contending with an increasingly complex regulatory landscape that includes the European Union’s and the United Kingdom’s General Data Protection Regulation, EU and UK Network and Information Systems Directive–related laws, Digital Operational Resilience Act, Cyber Resilience Act, and EU Artificial Intelligence Act as well as other related cybersecurity requirements.
Depending on the circumstances, notification requirements may extend beyond incidents involving personal data and encompass broader disruptions affecting critical systems, processes, and operational resilience more generally.
Organizations must also consider sanctions compliance. The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has repeatedly warned about North Korean IT workers seeking employment while posing as non-North Korean nationals. Because US sanctions on North Korea are enforced on a strict liability basis, organizations may face compliance risks even where they were unaware of a worker’s true identity.
Against this backdrop, organizations should consider a comprehensive approach to reducing insider threat and fake remote worker risks.
STRENGTHENING GENERAL INSIDER RISK PROGRAMS
To establish a comprehensive insider threat program that addresses both traditional insider risks and the unique challenges associated with remote workers, contractors, and other third-party personnel, organizations should consider:
- Mapping potential insider threats across the enterprise, including risks associated with remote employees, contractors, and third-party personnel.
- Conducting periodic risk assessments and asset classification exercises to identify and protect the organization’s “crown jewels,” including intellectual property, trade secrets, sensitive personal information, and critical business systems.
- Developing and regularly updating policies, procedures, and incident response plans that specifically address insider threat scenarios and a complex web of regulatory laws in the United States, Europe, and Asia.
- Ensuring legal, human resources, finance, operations, and information security teams are integrated into insider threat planning and response efforts.
- Reviewing employee and contractor screening, monitoring, and offboarding procedures to identify potential gaps.
- Implementing strong identity and access management controls to limit unauthorized access and reduce opportunities for misuse.
STRENGTHENING REMOTE HIRING AND ONBOARDING PROCESSES
Because fake remote worker schemes frequently exploit weaknesses in recruiting, interviewing, and onboarding processes, organizations should consider:
- Implementing identity-verification procedures during recruiting, interviewing, and onboarding and throughout the employment lifecycle for remote personnel.
- Training human resources professionals, hiring managers, and business teams to recognize indicators associated with fake remote worker schemes.
- Reviewing applicant contact information carefully, including email addresses, phone numbers, and other identifiers that may appear on multiple resumes or applications.
- Verifying educational credentials, employment history, and references through independent sources whenever possible.
- Using targeted interview questions that test an applicant’s familiarity with claimed educational, geographic, or professional backgrounds.
- Reviewing resumes and application materials for inconsistencies, unusual terminology, frequent misspellings, or other irregularities.
- Requiring in-person interactions where feasible during hiring, onboarding, or subsequent employment milestones.
- Confirming that third-party recruiting and staffing firms maintain robust hiring, screening, and verification practices.
ENHANCING DATA MONITORING AND ACCESS CONTROLS
Strong technical controls can help organizations detect suspicious activity and limit the potential damage caused by malicious insiders or fraudulent remote workers. Organizations should consider:
- Applying the principle of least privilege and limiting employee access to systems and data based on business necessity.
- Monitoring for unusual network activity, including unexpected remote connections, atypical access patterns, or the installation of unauthorized software.
- Reviewing network logs, browser activity, cloud storage usage, shared drives, and private repositories for signs of data exfiltration.
- Monitoring endpoints for software that may facilitate multiple concurrent audio or video sessions, unauthorized remote access, or other suspicious activity.
- Evaluating whether certain remote-access tools, browser extensions, or other applications are necessary for business purposes and restricting those that create unnecessary risk.
- Investigating situations involving multiple logins from different locations or IP addresses within compressed timeframes.
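One way to surface the last item for review, shown as an added example that is not part of the original Insight: a sliding-window check over authentication events that flags accounts logging in from several distinct source IPs within a short period. The event format, the one-hour window, and the two-IP threshold are assumptions, and the sample events are constructed; because VPN egress and mobile networks produce benign hits, treat the output as one triage signal to weigh alongside the other red flags listed earlier.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events: (user, ISO timestamp, source IP).
# Addresses come from documentation ranges (RFC 5737); this is not real data.
SAMPLE_EVENTS = [
    ("alice", "2026-06-01T09:00:00", "192.0.2.10"),
    ("alice", "2026-06-01T13:30:00", "192.0.2.10"),
    ("bob",   "2026-06-01T09:05:00", "198.51.100.7"),
    ("bob",   "2026-06-01T09:20:00", "203.0.113.44"),
    ("bob",   "2026-06-01T09:40:00", "192.0.2.99"),
    ("carol", "2026-06-01T08:00:00", "198.51.100.20"),
    ("carol", "2026-06-01T17:00:00", "203.0.113.5"),
]

def find_multi_ip_logins(events, window=timedelta(hours=1), min_ips=2):
    """Map each flagged user to their widest cluster of distinct source IPs
    seen inside one sliding time window (window and min_ips are assumed
    thresholds to tune per environment)."""
    per_user = defaultdict(list)
    for user, ts, ip in events:
        per_user[user].append((datetime.fromisoformat(ts), ip))

    findings = {}
    for user, logins in per_user.items():
        logins.sort()                      # chronological order per user
        recent = deque()                   # logins still inside the window
        for ts, ip in logins:
            recent.append((ts, ip))
            while ts - recent[0][0] > window:
                recent.popleft()           # drop logins older than the window
            ips = {seen_ip for _, seen_ip in recent}
            best = findings.get(user)
            if len(ips) >= min_ips and (best is None or len(ips) > len(best["ips"])):
                findings[user] = {
                    "first_seen": recent[0][0].isoformat(),
                    "last_seen": ts.isoformat(),
                    "ips": sorted(ips),
                }
    return findings

if __name__ == "__main__":
    for user, hit in find_multi_ip_logins(SAMPLE_EVENTS).items():
        print(user, hit["first_seen"], hit["last_seen"], ", ".join(hit["ips"]))
```

Widening `window` (for example to 12 hours) also flags the constructed `carol` account, whose two addresses are nine hours apart, which shows how the threshold trades sensitivity against analyst workload.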
ADDRESSING SANCTIONS AND COMPLIANCE RISKS
To ensure that cybersecurity and employment-related investigations are coordinated with sanctions compliance processes, organizations should consider:
- Establishing screening and due diligence procedures designed to identify potential sanctions risks during hiring and vendor onboarding.
- Incorporating OFAC guidance and related government advisories into compliance programs and training efforts.
- Escalating potential sanctions concerns promptly to legal and compliance personnel for evaluation.
- Immediately suspending automated payments if a potentially sanctioned individual or entity is identified.
- Assessing whether voluntary disclosures to OFAC or other government authorities may be appropriate under the circumstances.
- Coordinating cybersecurity, employment, privacy, and sanctions analyses to ensure a comprehensive response when issues arise.
MANAGING THIRD-PARTY VENDOR AND STAFFING AGENCY RISKS
Because many organizations rely on staffing agencies, recruiting firms, and other third-party providers to source and manage remote talent, vendor oversight should be treated as a critical component of any insider threat risk management strategy. Organizations should consider:
- Requiring staffing agencies and recruiting partners to follow identity verification and screening procedures that are consistent with internal company standards.
- Conducting periodic audits or assessments of third-party hiring, onboarding, and compliance practices.
- Evaluating vendor controls related to remote access, employee monitoring, and cybersecurity safeguards.
- Establishing contractual requirements addressing sanctions compliance, cybersecurity expectations, and identity verification obligations.
- Developing a response plan for potential third-party compliance incidents, including investigative procedures, risk mitigation measures, and notification protocols.
- Confirming that vendors understand and can support the organization’s broader insider threat and cybersecurity objectives.
LOOKING AHEAD
As organizations continue to embrace remote work models, insider threats are becoming increasingly sophisticated and more difficult to detect. The convergence of AI-enabled deception, remote-access technologies, cybersecurity risks, privacy and operational resilience obligations, sanctions compliance requirements, and national security concerns has created a threat environment that extends well beyond traditional hiring fraud.
Organizations that approach these risks holistically, combining thoughtful hiring practices, ongoing monitoring, strong access controls, cross-functional planning, and vendor oversight, will be better positioned to detect early indicators and reduce the likelihood of malicious acts.