Australia is increasingly in the sights of employment fraud operators placing workers inside organisations across healthcare, civil engineering and customer service, moving beyond technology companies, security researchers have found.
Alex Tilley, Okta's global threat research coordinator and former AFP cybercrime analyst, told the AUSCERT 2026 conference on the Gold Coast that the threat is widely mischaracterised as a US technology sector problem, leaving healthcare, civil engineering and other sectors unprepared.
Okta's research began with 40,000 identities flagged as North Korean-linked personas or email addresses.
Tilley said the true signal turned out to be far smaller than it appeared, as at least half of the identities were false positives.
After filtering out activity attributable to operators in Pakistan, India, Malaysia, the Philippines and Russia, a few hundred confirmed identities accounted for roughly 25,000 interviews with around 6000 organisations over eight years.
Tilley warned against treating large indicator lists as reliable, noting that at least half the 40,000 identities in Okta's starting dataset were false positives.
Blanket blacklisting on that basis risks flagging legitimate job seekers, and may expose organisations doing so at scale to legal liability.
In the dataset, Australian organisations rose from 1.7 percent to 10 percent of the non-US slice over the study period.
The most recent six months showed a jump from around 600 to approximately 1200 Australian organisations receiving multiple approaches, Tilley added.
Almost half the targeted organisations were not technology companies, and close to a quarter were outside the United States.
Healthcare emerged as an unexpectedly prominent target.
Tilley described a pattern of health firms building patient-facing apps using cheap contingent labour and weak hiring controls, creating what he called a "tragedy of the commons" situation where sensitive personal data is exposed without any single organisation recognising the risk.
Another target sector is civil engineering, where technical plans and documents are handed to remote contractors; beyond the usual financial motive, this represents a significant intelligence collection opportunity for adversaries.
Four faces, one applicant
Tilley outlined a taxonomy of identity fraud techniques that goes well beyond the deepfake framing that has been reported.
The hardest variant to catch is the copied LinkedIn profile, where a threat actor generates a curriculum vitae from a real person's public profile, and changes only the contact details.
"Everything on that CV will come back ticked because it's all real, except for the person you're talking to," Tilley said.
Background checks and reference calls confirm the real person's employment history while providing no signal about who actually applied.
A third technique involves paying financially vulnerable people a small fee to front interviews and even in-person screening, while the actual threat actor works remotely.
Tilley cited US$500 as a typical inducement for such identity handovers.
In one case found in the dataset, the same underlying identity applied for a position 46 times and succeeded on 45 of those attempts.
GitLab's threat intelligence team documented the tooling used by "IT workers" in a February 2026 research paper, identifying a North Korean development team that built a large-scale synthetic identity creation capability.
This included fake passport generation and automated professional networking account creation.
Identity verification using the fake passports succeeded in just over 40 percent of attempts across major platforms.
Threat actors are also using the same artificial intelligence (AI) assisted tools that employers use to evaluate candidates.
This enables them to test their own applications against deepfake detection tools, and to iterate on rejected CVs to improve subsequent attempts.
"They use these tools that your human resources and talent acquisition teams are using to screen applicants to pre-screen themselves through your job hoops," Tilley said.
Tilley recommended that security practitioners engage more with HR functions, and look for details in CV metadata, such as identical Canva document IDs, that could reveal shared infrastructure behind seemingly separate applicants.
Other indicators include attempts to install remote access tools on the first day, repeated changes to laptop delivery addresses, and frequent bank account changes over pay cycles.
Hiring managers should also document why applicants are rejected, Tilley said, as such notes could become crucial if a hire is later found to be fraudulent.
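As an added illustration of the indicator hunting Tilley describes (example code written for this piece, not Okta's or the conference's tooling), the Python sketch below clusters applicants whose CVs carry the same document identifier and counts the onboarding behaviours listed above; the record layout, metadata field names, event names and all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample data: CV metadata harvested from applicant uploads.
# Field names are assumed; real metadata extractors expose different keys.
APPLICANTS = [
    {"id": "A1", "name": "J. Smith", "cv_meta": {"producer": "Canva", "doc_id": "DAF-001"}},
    {"id": "A2", "name": "K. Lee",   "cv_meta": {"producer": "Canva", "doc_id": "DAF-001"}},
    {"id": "A3", "name": "M. Patel", "cv_meta": {"producer": "Canva", "doc_id": "DAF-001"}},
    {"id": "A4", "name": "R. Jones", "cv_meta": {"producer": "Word",  "doc_id": None}},
]
# Constructed onboarding events for hired applicants: (employee_id, day, event).
EVENTS = [
    ("A2", 1, "remote_access_tool_install"),
    ("A2", 3, "laptop_delivery_address_change"),
    ("A2", 5, "laptop_delivery_address_change"),
    ("A2", 30, "bank_account_change"),
    ("A2", 60, "bank_account_change"),
    ("A4", 2, "vpn_login"),
]

def shared_document_clusters(applicants, min_size=2):
    """Group applicants whose CVs share one document ID: several 'different'
    people editing the same template suggests one operator behind them."""
    by_doc = defaultdict(list)
    for a in applicants:
        doc_id = a["cv_meta"].get("doc_id")
        if doc_id:
            by_doc[doc_id].append(a["id"])
    return {d: ids for d, ids in by_doc.items() if len(ids) >= min_size}

def onboarding_indicators(events, employee_id, first_days=1,
                          max_address_changes=1, max_bank_changes=1):
    """Flag the post-hire behaviours named as red flags; thresholds are assumed."""
    flags = []
    mine = [(day, ev) for emp, day, ev in events if emp == employee_id]
    if any(ev == "remote_access_tool_install" and day <= first_days for day, ev in mine):
        flags.append("remote_access_tool_day_one")
    if sum(ev == "laptop_delivery_address_change" for _, ev in mine) > max_address_changes:
        flags.append("repeated_delivery_address_change")
    if sum(ev == "bank_account_change" for _, ev in mine) > max_bank_changes:
        flags.append("repeated_bank_account_change")
    return flags

def review_queue(applicants, events):
    """Applicants to hand to HR for a second look, with the reasons attached."""
    reasons = defaultdict(list)
    for doc_id, ids in shared_document_clusters(applicants).items():
        for i in ids:
            reasons[i].append(f"shared_cv_doc_id:{doc_id}")
    for a in applicants:
        reasons[a["id"]].extend(onboarding_indicators(events, a["id"]))
    return {i: r for i, r in reasons.items() if r}
```

A shared document ID is a lead for a human reviewer, not a verdict; as the article notes, acting on bulk indicators alone risks rejecting legitimate candidates.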