B (15:25)

David, it's so great to come Back and see you on this side of the camera.

A (15:30)

That's right. So Brandon was a colleague here at N2K Cyberwire and has moved on to do bigger and better things. And one of those bigger and better things that you were chasing after was a startup of your very own. And as part of that process, you were looking to hire some folks and had experienced an interesting turn of events. What happened, Brandon?

B (15:56)

Yeah, I. And this should come as no surprise to folks in this industry, but, you know, hearing these stories I think is always helpful and informative, but I caught a couple North Korean IT workers running an IT worker scam.

A (16:10)

A couple.

B (16:11)

A couple, yes. More than. More than one. And the surprising thing here is we weren't hiring that many people and we weren't hiring for very long. So just in the short period of time about a few weeks that we were reviewing resumes, two North. What we assumed to be North Koreans ended up in my top 10 candidate list.

A (16:32)

Well, walk us through how this came to pass.

B (16:35)

Sure. So we, we posted some job descriptions on, you know, a few of the standard sites that you've heard of and, you know, within. And these were technical roles, core backend engineering roles for a platform. And so, you know, pretty. Pretty sophisticated and complex technical skills that we were looking to hire. And within a few days we. We had hundreds of applicants. So we shut down the. The open job wrecks and began reviewing the hundreds and narrowed probably about 200 applicants down to our top 10. And we decided we were going to interview our top 10 and ultimately hire one. And within about a week, we had that first interview. And it became quite obvious within about 5, 10 minutes of the interview that this person is not who they claim to be.

A (17:32)

Okay, obvious how. What, what went down here, Brandon?

B (17:36)

Yeah, well, the. I want to start actually with the resumes themselves, because the resume was perfect. It was exactly what we were looking for. It. It covered every core technology we were looking for, expertise in IT cover, amount of experience that we were looking for, all of the key technologies and platforms that we were looking for. This person to have experience with was bolded. So it was very obvious to the eye that this person had the expertise. That being said, it was a pretty simple resume. I wouldn't say that there was a lot of metrics, there was a lot of impact statements. It was simple black and white PDF, no additional colors. Not a whole lot going on there. And that should have been our first clue. But again, the resume of this first worker and actually the second worker too, covered everything we needed. So clearly that it was. It was an easy slot in. And so it seemed like they're probably using AI systems to optimize the resumes for these applicant tracking systems to hit each of the keywords.

A (18:32)

Right. And I guess it's fair to say, contextually, you're also under an avalanche of hopeful resumes.

B (18:42)

Right? Hundreds. And we're reviewing these, you know, quickly to see, okay, we got all the keywords, we got the right programming languages, the right platforms, the right, you know, you. We were doing some stuff with cryptography, so they needed some. Some prior experience there. And so we invited this gentleman for an interview. And in preparation for the interview, I started looking this person up online. I looked for a LinkedIn page. No LinkedIn page. Now, not totally unusual for some of these core backend engineers. However, what I noticed is when I Googled the guy's name, There was a LinkedIn page with the right location. And then when I clicked the link on Google, it went to a. This page does not exist. So there was a LinkedIn. And then the person deleted the LinkedIn, which was another clue.

A (19:31)

Okay, so you get the person on the line. What happens next?

B (19:35)

Red flags. So the trend we noticed was in both of these people, and I'm using one example because this is where we really discovered the trends. Had an Anglicized first name. You know, think of, like, Frank, Albert, Ian, some sort of kind of Anglicized first name, and a Hispanic last name, which fairly usual, this person said that they were living in San Antonio, Texas.

A (20:02)

So.

B (20:02)

Okay, makes sense to me. And when they come on the camera, they are most certainly not Hispanic, which could be. But that was kind of a little unusual. The person was clearly Asian, and they were on camera, but they were definitely not Hispanic. And so, you know, some people might be a little uncomfortable there, but some profiling does have to occur to not get trapped by these things. But it was unusual. And when I wasn't the only one on this call from the company, we surmised at the end that they were using Hispanic last names. Hoping that some Americans aren't used to distinguishing between races very well, especially through camera, because the Hispanic name was far, you know, far enough away. Our normal use, you know, thing that we're typically used to seeing that they were potentially using that to get through your initial gut check filters.

A (20:57)

Okay, interesting.

B (20:59)

So the other red flag was this person wasn't showing their background, which was. Okay, you know, not everyone chose their background. But that's just kind of. As these things start to stack, it gets more and more unusual. Okay, can't find this guy online. Has a name that doesn't actually match his ethnicity. He's not showing his background, very thick accent. And something that is unique to me is I grew up with folks from South Korea. I went to school with a whole bunch of folks from South Korea, and it sounded to me like a native Korean speaker trying to speak English.

A (21:34)

Oh, interesting. Okay, so just by pure luck of the draw, you had a little background expertise or at least experience on this sort of regional accent.

B (21:46)

Right. And I've traveled to Korea as well, and I have a number of friends from high school and college from Korea. So I was kind of used to this, just what Korean speakers sound like when they're speaking English. And it sounded like, like that region of. Of. Of East Asia to me. The other. And this. The other red flag as we got into the interview was this person said that they had lived in la. This person said that they had lived in New York, that they currently live in San Antonio. Myself and the other person on the interview have spent both of us a good amount of time in each of those places. And so as we're getting to know this person, we want to kind of reminisce about some of our favorite places in each of those regions. And the candidate couldn't offer any specific details about any of those regions. And so kind of one lesson learned, I think, for folks listening to this is get into the personal side a little bit. Right. Ask specifics. What was your favorite thing to do in those, you know, cities or, you know, where. Where. Where'd you like to go eat? You know, I love restaurants. I have some favorites in la. What are some of the. Your favorites from that region? And this person couldn't offer any specifics.

A (22:53)

Hmm. It's interesting to me, the high number, you know, relatively speaking, 2 out of 10. And as you said at the outset, this was not a huge dragnet for folks to be hired. This is a small startup. You're looking to hire one person. And I wouldn't have thought that the odds would have been in your favor of scooping up one, much less two of these folks.

B (23:25)

And not only that, the startup itself doesn't have much of a presence online. And so that was a little unusual. And then when we were looking at the timestamps of when these folks actually applied, they applied almost immediately. So they have some system that is ready to go as soon as these things align. The other element that I would note, though, is we did conduct the technical interview. We did go through the interview. This person knew Their stuff, they were actually answering quite well, some pretty technical, deep questions around cryptography and core backend systems, especially in the networking stack. And so either in real time, this person was getting fed answers, or they actually do have the knowledge to do the job, which we found fascinating.

A (24:11)

Was the story pretty much the same with the second candidate?

B (24:15)

Yeah. So after that first candidate and after we got off the call and we said, yeah, that, that definitely was not what we thought it was. That was a IT worker scam. And, and we actually did challenge him a little bit on where he's from. And he said, oh, I'm. I'm from the Philippines. And again, the accent wasn't Filipino. I spent a lot of time in the Navy. There's a lot of Filipinos in the Navy. Again, I know what that accent sounds like. But we said, okay, let's re. Let's look at the 10 candidates we've invited to interview again. And we found another candidate with the exact same model, the resume, Very similar format, right? Simple black and white format, Very simple outline, all of the key words from our job opening, bolded, covered everything we needed in a similar way, but not exactly the same way. The name, Anglicized first name, Hispanic last name. The LinkedIn profile, exactly the same situation where I looked up this person on LinkedIn, Google said there was a profile. I clicked it, it said, that profile no longer exists. They get on the call, same game, right. Gentleman who looked Asian had a Hispanic last name. The background looked like a beach scene or something like that, but it was one of the fake backgrounds. And within five minutes, similar accent. We said, we're going to actually end the interview and move on. But it was it. It checked each of those boxes.

A (25:50)

Did you and your colleagues at any point doubt yourselves and wonder like, you know, is this really what's happening here? Or, you know, a little healthy skepticism of your own senses?

B (26:02)

Totally. And I think that's why we went through the entire first interview, you know, a full hour with this person, you know, myself and my colleague jumped on a call right afterwards, and he kind of looked at me and said, is that what I think it was? And I said, I think it might be. And then we started running through the experience again, and we got more and more sure that what we had experienced was one of these IT worker scams. Now, we second guessed ourselves as someone who's sensitive culturally. You don't want to profile. You don't want to do things that. That, you know, necessarily maybe rejects a good qualified candidate. But at the end of the Day, when you're looking at the sum total of the evidence, how uncomfortable we were, how few specifics there were about, you know, their experiences in America. I actually did follow up with a couple of the companies on his resume that he said he worked at, and none of them had ever heard of them. And so I, I did that, though, you know, weeks after, just. It was bothering me and I wanted to double check.

A (27:06)

So what are your recommendations then? I mean, if this really is that rampant. Have you been thinking about this? Have you thought of any shortcuts to weed these folks out?

B (27:18)

Yeah, practically speaking. And this is hard at scale, but it has to come from that high touch, face to face, at least through a video camera, of getting into the personal specifics of, oh, I see you worked at this company. Give us some specific examples and. And the less specific they can get, the more red flags there are. Now, of course, people can make things up, so that's not a panacea. It's not a perfect solution. But that's the area. That's when we really started getting uncomfortable on the calls, when we started asking specifics, digging into this person's story, oh, why did they move to New York? Why did they move to la? What took them to San Antonio? What took. What other things outside of work were you doing at those places? What are some of your favorite things in those places? Kind of getting to know the candidate. I think universally that'll actually make you hire better candidates in general because, you know, these are your colleagues, hopefully, and so you get to know them. But at the same time, it also will demonstrate if someone really does not know what they're talking, if someone's really from a foreign country, especially a North Korean, you know, type person who genuinely wouldn't have the cultural awareness to talk about it. Trust. Trust your gut there. That's kind of the first. The second is these automated applicant review systems at scale, people have to use them. But it's very easy now with Gen AI to build a model that is just going to send out the perfect resume. And that's what we saw. These were literally the perfect resumes. That actually could also be a signal that this isn't quite right. If you're getting a resume that is absolutely perfect, everything you want, what are the chances of that?

A (28:59)

Right, Right. All right, well, Brandon, thank you for sharing your experience with us. Brandon Karp is my former colleague here at N2K Cyberwire and has since moved on to bigger and better things that we will talk about in the future. Looking forward to having you back, Brandon. Thanks for taking taking the time for us.

B (29:17)

Thanks, Dave.

A (29:30)

You hear from us here at the Cyberwire daily every single day now. We'd love to hear from you. Your voice can help shape the future of N2K networks. Tell us what matters most to you by completing our annual audience survey. Your insights help us grow to better meet your needs. There's a link to the survey in our show notes. We're collecting your comments through August 31st. Thanks. And now a word from our sponsor. ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allow Listing is a deny by default software software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.

B (30:33)

Shh. Hear that? Big waves are calling. Dive into refreshment with Kona Big Wave Tropical flavor and the taste of aloha in every drop this summer.

A (30:46)

Don't just listen.

B (30:47)

Join Kona on the Big Wave Bonfire tour. More information@konabigwave.com BigWaveMusic Kona Big Waif Liquid Aloha Copyright 2025 Kona Brewing Co. St. Louis, MO.

A (31:00)

Mahalo for enjoying responsibly. And finally, it turns out that being a smooth talking English speaker can now land you a gig in the cybercrime underworld. No resume required, just a knack for sounding like it. Support ReliaQuest says demand for English language social engineering has more than doubled since last year with job ads hawking impersonation as a service, packages, coaching scripts, even tech support for your scams. Gangs like Scattered Spider and Shiny Hunters have been perfecting the art, tricking DeOrr, Chanel, Google and others into handing over Salesforce credentials with AI lending crooks, superpowers and nation state tactics trickling down to the masses. Phishing calls have evolved far beyond prank territory. Instead of that old chestnut, is your refrigerator running? It's more like this is workday. It's more like this is workday. It Can I have your password? Unfortunately, people keep saying yes. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting our insights through the end of August. There's a link in the Show Notes. Please take a moment and check it out. Be sure to check out this weekend's research Saturday and my conversation with Dr. Renee Burton, VP of Infoblox Threat Intel. We're discussing their work on Vextrio, a notorious traffic distribution system involved in digital fraud. That's research Saturday. Check it out. N2K's senior producer is Alice Carouse. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next week.

B (33:50)

Sam.