Identifying risky candidates: Practical steps for security leaders

Effective insider threat defense begins with candidate vetting.

Background checks and reference calls can confirm elements of an applicant’s history, but they rarely surface the deeper risks that can turn into costly problems down the line. Identity verification, credential validation, and digital risk assessments need to be layered into the hiring process.

Indicators such as reused or doctored photos, a minimal online presence, or newly created social media accounts can signal that a candidate may not be who they appear to be. Similarly, applicants who provide fake references, use suspicious email addresses (addresses on uncommon domains, containing long strings of letters or numbers, or registered only recently), or avoid appearing on video during interviews may be attempting to mask their identity.

Verifying qualifications independently and comparing references across candidate pools helps expose patterns that traditional HR processes may miss. The goal is not to create a climate of mistrust, but instead to establish a consistent, transparent framework where candidates know that vetting is rigorous and proportional.

It’s about assuming trust and knowing how to spot employment fraud and insider threat risk to keep your people and organization safe. When combined with HR’s understanding of cultural fit and contextual insight into a candidate’s intent, this approach helps organizations filter out fraud before it becomes a security liability.

Look beyond the firewall

Having vetted employment risks pre-hire, companies building a trusted workforce should continue to look for new and meaningful signals to maintain the integrity of their teams.

Today’s fraudsters and malicious insiders often leave digital breadcrumbs outside an organization’s traditional direct visibility. Hiring teams cannot connect those breadcrumbs on their own, so they should partner with the security team to surface hidden affiliations, past fraudulent activity, or concerning behavioral patterns as part of the overall candidate assessment.

For example, a malicious employee’s external digital footprint may reveal unusual network connections, involvement in adversarial online communities, or patterns of “polywork” that suggest divided loyalties. A resume may look great, but a review of the candidate’s online activity may raise red flags about involvement with hacking collectives or known hate groups.

In addition, cross-checking IP activity or device histories during onboarding can validate whether a remote employee is who they claim to be, and whether company-issued assets are being shipped to legitimate addresses. For an example, we need look no further than the stories of North Korean IT workers establishing fake personas in order to be hired by U.S. companies.

Outside-the-firewall checks are especially important in a remote or hybrid work environment where face-to-face verification is limited. The practical takeaway is that companies need to broaden their visibility: the more you combine traditional HR processes with external digital risk signals and collaborate across internal teams, the harder it becomes for a fraudulent candidate to work within your company undetected.

Recognize behavioral indicators

Even with rigorous hiring practices, insider risk is not static. People’s motivations and circumstances can change, and there are sometimes benign explanations for potential red flags. Nevertheless, organizations must remain vigilant even after a candidate is hired, to make sure there are no behavioral shifts that point to rising risk.

Red flags do more than indicate insider threat risk: they often provide early indications of employees who may need help, or who may be the target of outside influence or control. But it’s important to remember that a single red flag isn’t enough to label someone an insider risk – it’s the accumulation of several red flags that points to an actual problem.

Red flags that your team should watch for regularly include:

  • Unexplained changes in work hours, especially increased late-night or weekend activity.
  • Frequent policy violations or noncompliance with mandatory training, suggesting disregard for company protocols.
  • Increased visits to job search sites or the sending of emails to competitors, which may indicate disengagement or preparation for departure.
  • Hidden relationships with competitors or contractors that suggest potential conflicts of interest.
  • Controversial social media activity or frequent complaints about management, which can point to dissatisfaction escalating toward destructive behavior.

These signals, on their own, do not confirm malicious intent. But when they show a deviation from an employee’s normal patterns, they are an early warning that intervention or at least closer monitoring is warranted.

Look for technical red flags

Behavioral indicators are only part of the equation. Technical and organizational signs also tip off security teams that an individual warrants a deeper look. Excessively large downloads, the use of unauthorized devices, and attempts to tamper with logs or disable security features all point to deliberate circumvention of controls. Likewise, accessing systems outside of one’s role or sending sensitive files to personal accounts are direct signs of potential exfiltration.

Employees under stress or facing job insecurity may become more prone to misconduct, whether through negligence or malice. Those with declining performance reviews, who are facing disciplinary action, or who have resisted security upgrades are worth closer scrutiny. Employees who give notice of resignation should be watched closely for unauthorized activity.

As mentioned before, the key is not to treat these events in isolation. A single poor review may not be a security concern, but combined with disparaging posts, unusual system access and late-night data transfers, it can provide a strong signal that insider risk is escalating. If you wait until the risk becomes real, it is often too late.
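The point that technical red flags should be correlated rather than judged one at a time is easy to turn into detection logic. The following is an added example, not code from the article or from any product it describes: it parses a small set of constructed audit lines (the pipe-delimited format, the role-to-system mapping, the personal-mail domain list, and the signal weights are all illustrative assumptions) and escalates a user only when several distinct kinds of red flag accumulate within a window.

```python
"""Correlate weak insider-risk signals per user over a window of audit events.

Constructed example: the log format, field names, role-to-system mapping and
weights below are illustrative assumptions, not a real product's schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed: which systems each role is expected to touch.
ROLE_SYSTEMS = {"engineer": {"git", "ci", "wiki"}, "finance": {"erp", "wiki"}}
USER_ROLES = {"alice": "engineer", "bob": "engineer", "carol": "finance"}
# Constructed: webmail domains treated as "personal account" destinations.
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "proton.me"}
# Constructed: devices approved for use; anything else is unauthorized.
APPROVED_DEVICES = {"lt-0142"}
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024  # 500 MiB
# Constructed weights: tampering with controls counts more than off-hours work.
WEIGHTS = {"large_download": 2, "unauthorized_device": 2, "security_tamper": 4,
           "out_of_role_access": 3, "personal_mail_exfil": 3, "off_hours": 1}

@dataclass
class Event:
    ts: datetime
    user: str
    kind: str     # download | device | security | access | email
    target: str   # system, device id, control name, or recipient domain
    size: int     # bytes, meaningful for downloads only

def parse_line(line: str) -> Event:
    """Parse one constructed audit line: ts|user|kind|target|size."""
    ts, user, kind, target, size = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, kind, target, int(size or 0))

def is_off_hours(ts: datetime) -> bool:
    """Late night (22:00-05:59) or weekend activity."""
    return ts.hour < 6 or ts.hour >= 22 or ts.weekday() >= 5

def signals_for(ev: Event, approved_devices: set) -> list:
    """Return the named red flags a single event raises (possibly none)."""
    flags = []
    if ev.kind == "download" and ev.size >= LARGE_DOWNLOAD_BYTES:
        flags.append("large_download")
    if ev.kind == "device" and ev.target not in approved_devices:
        flags.append("unauthorized_device")
    if ev.kind == "security" and ev.target in {"edr_disabled", "audit_log_cleared"}:
        flags.append("security_tamper")
    if ev.kind == "access" and ev.target not in ROLE_SYSTEMS.get(USER_ROLES.get(ev.user), set()):
        flags.append("out_of_role_access")
    if ev.kind == "email" and ev.target in PERSONAL_MAIL_DOMAINS:
        flags.append("personal_mail_exfil")
    if is_off_hours(ev.ts):
        flags.append("off_hours")
    return flags

def score_users(lines, approved_devices, window=timedelta(days=7),
                min_score=6, min_distinct=2):
    """Aggregate per-user signals within a sliding window.

    A user is escalated only when several *different* kinds of red flag
    accumulate (min_distinct) and their weighted sum reaches min_score, so a
    lone large download or a single late night never triggers on its own.
    """
    per_user = defaultdict(list)
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e.ts):
        per_user[ev.user].append(ev)
    report = {}
    for user, evs in per_user.items():
        best_score, best_kinds = 0, set()
        for i, start in enumerate(evs):          # window anchored at each event
            score, kinds = 0, set()
            for ev in evs[i:]:
                if ev.ts - start.ts > window:
                    break
                for f in signals_for(ev, approved_devices):
                    score += WEIGHTS[f]          # every occurrence adds weight
                    kinds.add(f)                 # distinct kinds gate escalation
            if score > best_score:
                best_score, best_kinds = score, kinds
        report[user] = {"score": best_score, "signals": sorted(best_kinds),
                        "escalate": best_score >= min_score and len(best_kinds) >= min_distinct}
    return report

# Constructed sample log (dates in March 2024; the 9th is a Saturday).
SAMPLE_LOG = [
    "2024-03-04T10:15:00|alice|download|git|600000000",  # one big pull, work hours
    "2024-03-04T11:00:00|alice|access|wiki|0",
    "2024-03-05T02:10:00|bob|download|git|700000000",    # large + off-hours
    "2024-03-05T02:12:00|bob|device|usb-unknown-9f|0",   # unapproved device
    "2024-03-06T09:30:00|bob|access|erp|0",              # outside engineer role
    "2024-03-06T23:50:00|bob|email|gmail.com|0",         # personal mail, late
    "2024-03-07T08:00:00|bob|security|edr_disabled|0",   # control tampering
    "2024-03-09T14:00:00|carol|access|erp|0",            # in-role, weekend only
]

if __name__ == "__main__":
    for user, r in score_users(SAMPLE_LOG, APPROVED_DEVICES).items():
        print(user, r)
```

Alice's single large download and Carol's weekend login each produce one flag and stay below the bar; Bob's cluster of different signals in the same week is what escalates. In practice the thresholds and weights would be tuned against an organization's own baseline, and the output would feed a human review rather than an automatic action.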

Consider the possibility of fraud

Employment fraud adds another layer of complexity. Fraudulent candidates may gain entry under false pretenses, using falsified credentials or misrepresented identities. Once inside, they can exploit access to sensitive data, outsource their work, or juggle multiple jobs in violation of policy.

Warning signs of fraudulent candidates/employees include:

  • Inconsistent performance compared to interview claims.
  • Avoidance of video in remote settings.
  • New or artificial-looking online profiles.
  • Reused stock images in resumes or LinkedIn accounts.
  • Unauthorized use of remote access software.

These patterns are increasingly common and require HR, security, and legal to collaborate on an investigation. Enhanced applicant screening, multiple reference checks, and secure onboarding practices – such as robust virtual identity verification – are essential safeguards.

Integrate into the employee lifecycle

The definition of insider threat is shifting. Where once the focus was on accidental misconfigurations or negligence, today it increasingly includes malicious acts, fraud, and hybrid cases where dissatisfaction or personal pressures drive risky behavior.

Identifying risky candidates is no longer just about preventing one-time fraud, but also about continuously assessing human risk across the entire employee lifecycle.

A lifecycle approach combines three principles:

  • Proactive vetting at the point of hire. Don’t let fraudulent candidates in the door.
  • Ongoing monitoring of behavioral, technical, and organizational indicators. Detect changes before they escalate.
  • Collaboration between HR, legal, and security. Ensure insights are shared and acted upon quickly.

Organizations need to innovate when it comes to surfacing and preventing insider threats. By going deeper than check-the-box background checks, expanding visibility outside the firewall, and recognizing the interplay between behavioral, technical, and organizational signals, organizations can establish an effective “early warning system” and build a robust trusted workforce.