How a fake candidate gets hired, not just how one defrauds you
Most owners now brace for the deepfake that attacks from outside: the cloned voice of a CFO approving a wire, the video call that turns out to be synthetic. The pattern in the June 2026 alerts from firms such as Skadden and Crowell runs the other way. Here the deepfake does not phone in a fraud. It applies for a job. It passes the live video interview, submits an AI-generated portfolio and a work history that looks clean, and presents a stolen or borrowed identity that clears a standard background check. Then it gets hired into a remote engineering or IT role, and no one in your company has ever met the person behind the screen.
The reporting describes state-linked operatives using these methods at scale. Once inside, the worker draws a salary, gains legitimate access to code and customer data, and in documented enforcement cases routes the wages abroad, sometimes while a domestic facilitator houses the company laptop in a so-called laptop farm to hide the true location. Prosecutors have cited well over a hundred corporate victims across sectors. The uncomfortable point for an owner is that the fraud is not a single stolen wire you can claw back. It is a person on your payroll with a badge, a login, and time.
Why the exposure lands on you, the company that hired them
The instinct is to assume that a company fooled by a professional operation is simply a victim, and to a degree the alerts do describe hiring firms that way. The harder reality is that the downstream risk still lands on the employer. If an operative exfiltrates source code, customer records, or trade secrets, you carry the data-breach and notification obligations. If they touched controlled technology, you carry the export-control question. And where a sanctioned jurisdiction is involved, sanctions liability can attach on a strict-liability basis, which means exposure can exist even where the company did not know who it was really paying. The alerts do not describe an explicit safe harbor that clears an inadvertent hire.
None of this is a prediction about your firm, and nothing here is legal advice or an accusation against any individual. It is a description of a pattern regulators and law firms are now flagging, and of where the consequences sit. Enforcement to date has largely treated hiring companies as victims rather than targets, but the same guidance signals that a firm with weak hiring and monitoring controls stands in a very different position than one that can show it checked. For a remote-first business hiring engineers you will never shake hands with, that distinction is the whole game.
What owners hiring remote engineers should actually check
The defenses are not exotic and they are not expensive relative to the exposure. Verify liveness properly rather than trusting that a working camera means a real person: an in-person step where feasible, or interview techniques robust enough to strain a synthetic feed, such as asking the candidate to move, hold up an item, or change the scene on request. Verify credentials and references independently, contacting institutions and prior employers through channels you find yourself rather than the phone numbers and emails the candidate supplies. Treat identity documents as something to confirm against the person, not just collect.
Two operational controls do a lot of quiet work. Ship company hardware only to the verified address on the identity document, never to a forwarding address or a drop, which breaks the laptop-farm mechanic directly. And require hardware-based multifactor authentication tied to the issued device, so a login from an unexpected country does not simply sail through. Watch for the tells that recur in the reporting: mismatched login geographies, reluctance to appear on camera in changing conditions, and pressure to route pay or equipment somewhere other than the verified identity. Ask HR and IT, together, one question about your last few remote hires: could we prove, today, that each of them is who they said they were.
Read next: Your AI Now Speaks for You in Law · A US Quantum Deadline Reaches Your Supply Chain