Security Advisory: AI-Assisted, Deepfake, and Fake Candidates in Video Interviews

What's Happening

A new threat is emerging inside hiring pipelines, and it does not look like a traditional cyberattack.

Candidates in remote video interviews are increasingly using artificial intelligence (AI) assistance, scripted responses, deepfake-style video manipulation, or outright impersonation to misrepresent who they are and what they know. Multiple government sources, including the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA), have flagged this as a growing and active threat.

ISI's cyber team has directly observed several cases during technical interviews where candidates appeared to be using real-time AI assistance, pre-scripted answers, or video manipulation. In some cases, the individual on camera may not have been the actual applicant.

This risk is especially significant for remote technical roles where the person hired may eventually receive company equipment, access to internal systems, or access to customer environments.

What to Watch For

Potential indicators during live video interviews may include:

  1. Lip movement that does not fully match the audio
  2. Inconsistent blinking, blank staring, or delayed facial reactions
  3. Facial animation that looks frozen, exaggerated, or unnatural
  4. Long pauses before answering basic or unscripted questions, often attributed to connectivity issues
  5. Avoidance of head turns, natural movement, or camera adjustment
  6. Background blur, lighting, or face edges that look distorted during movement
  7. Answers that sound overly scripted, generic, or disconnected from follow-up questions
  8. Difficulty explaining resume details, prior roles, or practical scenarios in their own words

Simple Live Validation Checks

If something feels off, interviewers can use the following real-time checks respectfully and consistently:

  1. Ask the candidate to briefly turn their head left and right
  2. Ask them to touch their nose, wave, or hold up fingers near their face
  3. Ask them to adjust their camera angle or lighting, or to remove background blur if possible
  4. Ask unscripted questions about their claimed location, a prior role, or a specific project on their resume
  5. For technical roles, ask candidates to walk through their thought process live, not just provide final answers

In-Person Final Interviews for Local Candidates

For candidates within reasonable commuting distance, making the final interview or panel interview in person is strongly recommended whenever practical.

An in-person final step provides stronger validation of the following before extending an offer, shipping equipment, or granting system access:

  1. Identity confirmation
  2. Communication style
  3. Team fit
  4. Technical credibility

How to Apply These Checks

These checks should be used respectfully and consistently across all candidates. They are not intended to target a person's accent, appearance, background, or nationality.

The focus should remain on:

  1. Identity consistency
  2. Video and audio behavior
  3. Interview behavior patterns
  4. Ability to demonstrate claimed experience

If You Suspect a Fraudulent Candidate

Treat this as urgent and do not move forward independently:

  1. Pause the hiring process immediately
  2. Document what was observed during the interview
  3. Escalate to Human Resources (HR), the hiring manager, and the cyber team before extending an offer, shipping equipment, or granting system access

For higher-risk roles, additional validation measures may already be in use, including verified identity checks, direct employment verification, controlled equipment pickup or verified shipping, and in-person validation where practical.

Do Not Rely on a Single "Tell"

A sophisticated AI-assisted, deepfake, or fake candidate may pass a normal interview. The safer approach is layered validation:

  1. Live movement and interaction checks
  2. Unscripted questioning
  3. Technical validation
  4. Identity verification
  5. Controlled onboarding before the person receives equipment or access

What ISI Can Do to Help

If you observe suspicious activity or have concerns during your hiring process, open a support ticket at support@dodsecurity.com or call the helpdesk at (202) 792-3042.

We can assist with triage and guidance per our incident response process, including identity verification recommendations, threat awareness briefings for hiring managers and interview panels, and additional validation measures for higher-risk roles.

Stay safe, stay secure.

-ISI Cybersecurity Team
