Fraudulent profiles claiming to work at your company are being used to deceive job seekers, scam investors, and infiltrate organizations. The damage extends far beyond whoever clicks.
In February 2026, security researchers documented a tactical shift in how North Korean IT workers were applying for remote jobs at Western companies. Rather than creating fabricated identities from scratch, operatives had begun applying using real LinkedIn accounts belonging to actual professionals they were impersonating. These profiles often carried verified workplace emails and identity badges, making fraudulent applications appear entirely legitimate. The owners of those hijacked accounts had no idea their professional identities were being weaponized.
The incident illustrates a broader problem that extends well beyond nation-state schemes. Fake employee profiles, whether created from whole cloth or stolen from real people, have become one of the fastest-growing vectors for social engineering attacks. They exploit the trust that platforms like LinkedIn are designed to create. When someone appears to work at a reputable company, recipients extend credibility that attackers then leverage for recruitment fraud, investment scams, credential harvesting, and corporate espionage.
For the companies being impersonated, the consequences are immediate and concrete. Job seekers who encounter fake recruiters often blame the real employer, while customers who receive messages from spoofed advisors associate the scam with the legitimate brand. Research firm Gartner projects that by 2028, one in four job candidates globally will be fake, a figure that reflects both how lucrative these schemes have become and how difficult they are to detect.
LinkedIn and beyond: How the attack surface has expanded
Traditional brand impersonation focused on domains and websites. Attackers would register lookalike URLs, stand up credential harvesting pages, and wait for victims to arrive. That threat persists, but the attack surface now includes every platform where employees have professional presence. LinkedIn profiles, company pages, job listings, and even internal communication platforms have become vectors for impersonation.
The mechanics vary by objective. Some attackers create fake recruiter profiles to run employment scams, posting fabricated job listings and walking victims through elaborate interview processes designed to harvest personal information, banking details, or advance fees. The FTC warned in 2023 about scammers impersonating well-known companies on LinkedIn and other job platforms. Those warnings have only grown more urgent as AI tools make fake profiles harder to distinguish from legitimate ones.
Others target employees and partners rather than job seekers. Attackers posing as colleagues or executives send connection requests to build credibility, then use LinkedIn messaging or email to request sensitive information, authorize fraudulent transactions, or distribute malware. The Microsoft DART investigation into fake employee schemes documented operatives who posed as legitimate remote hires, slipped past HR screening and onboarding processes, then exploited their trusted access to steal data and deploy malicious tools.
Investment scams represent another category. Fraudsters create profiles impersonating financial advisors from specific firms, then approach victims with cryptocurrency or trading opportunities. The professional platform context makes these pitches seem more credible than similar approaches on Facebook or Instagram. State attorneys general have specifically warned about “pig butchering” scams that begin with LinkedIn messages from fake financial professionals.
Nation-state operations at scale
The scope of nation-state involvement has moved from isolated incidents to industrial operation. The U.S. Department of Justice announced coordinated enforcement actions in 2025 revealing that North Korean IT workers had successfully obtained employment at more than 100 U.S. companies using stolen and fraudulent identities. The workers were assisted by facilitators in the United States, China, the UAE, and Taiwan, and the scheme generated hundreds of millions of dollars annually to fund weapons programs.
The scale has grown rapidly. CrowdStrike’s 2025 Threat Hunting Report found a 220% increase in companies unknowingly hiring North Korean software developers over the past year, driven by AI tools that help operatives generate resumes, prepare for interviews, and forge identity documents. To complete the illusion, they rely on domestic infrastructure: FBI raids in 2025 uncovered laptop farms across the country where staged equipment made overseas workers appear to be operating from U.S. addresses.
The KnowBe4 incident demonstrated that even security-focused organizations aren’t immune. The cybersecurity training company hired what turned out to be a North Korean operative who had used AI to enhance a stock photo into a convincing headshot and passed four video interviews before the company’s detection systems flagged suspicious activity. The operative’s company laptop had been shipped to a laptop farm in the United States, from which they VPN’d while actually working from Asia.
The brand protection problem
For most organizations, the concern isn’t that they’ll accidentally hire a state-sponsored operative. It’s that fraudulent profiles impersonating their employees are damaging their brand, deceiving their customers, and creating liability they may not even know exists.
A fake recruiter profile targeting job seekers reflects directly on the employer being impersonated. Victims who pay application fees or provide personal information to fraudsters often don’t realize they’ve been deceived by a third party. They write negative reviews, share warnings on social media, and associate the scam with the legitimate company’s name. The reputational damage grows as potential candidates lose trust in genuine job postings and choose to apply elsewhere.
The challenge is visibility. LinkedIn impersonation is harder to detect than domain spoofing because fake profiles exist within platforms where the impersonated company has no administrative access. LinkedIn doesn’t notify organizations when someone creates a profile claiming employment there. Companies often learn about impersonation only when victims complain or when security researchers surface patterns.
Manual monitoring is inadequate at scale. Any organization of meaningful size has employees creating and updating LinkedIn profiles continuously, former employees who still list their tenure, and contractors whose relationship status may be ambiguous. Distinguishing legitimate profiles from fraudulent ones requires comparing platform data against HR records, analyzing profile photos for AI generation signatures, and monitoring for the behavioral patterns associated with impersonation schemes.
Emerging defensive approaches
Addressing imposter employee profiles requires extending brand protection beyond domains and websites to include social platforms. That means systematic monitoring for profiles claiming employment at your organization, rapid takedown processes when impersonation is detected, and coordination with platforms whose enforcement policies vary in responsiveness.
Microsoft’s guidance for organizations facing fake employee threats emphasizes integrating SOC practices with insider risk strategies. Improving visibility through unified audit logs, protecting sensitive data with loss prevention policies, and monitoring for unapproved IT tools can help detect operatives who slip through hiring processes. But for the impersonation problem specifically, the defensive posture must be external-facing: finding profiles that shouldn’t exist before they’re used to harm your customers or reputation.
The same AI tools that enable attackers to generate convincing fake profiles can assist defenders in identifying them. Computer vision systems can detect AI-generated headshots, comparing photos against stock image databases and analyzing for the artifacts that synthetic images often contain. Natural language processing can identify profiles that replicate corporate language patterns too precisely or inconsistently. Behavioral analysis can flag profiles with connection patterns or activity histories that don’t match legitimate employee behavior.
The Bottom Line
For organizations whose brands are frequently impersonated, the response must be continuous rather than reactive. Attackers will create new profiles to replace those that get removed. The question isn’t whether impersonation will occur but how quickly it’s detected and how effectively it’s remediated before victims are harmed.
