The first sign something was off: the moment KnowBe4′s new remote software engineer opened his company laptop, the device started downloading password-stealing malware.

The second sign: when the security team asked the new employee to get on camera and explain his predicament, he refused.

Later, the Clearwater cybersecurity firm learned the new employee was a scammer from North Korea collaborating with a laptop farm in the US.

In hindsight, the red flags started early, said Roger Grimes, KnowBe4′s “defence evangelist.” The candidate, whose false name the company is withholding until an FBI investigation concludes, agreed to four on-video interviews. But his references, who purportedly supervised him at major companies, all conveniently had boilerplate Gmail addresses. The candidate had the laptop shipped to an address in a different state than the one he claimed to live in.

Grimes still isn’t sure who the interviewee really was. He can count at least three “nefarious actors” in the plot.

The American citizen whose identity the scammers used was in on the scheme. He completed the in-person drug test that was part of the background check process. Once the background check was complete, an unknown person came to pick up a KnowBe4 laptop from a UPS facility. He offered an ID with the same name, but a different picture.

Grimes suspects the device was picked up by a member of the laptop farm - a data center allowing foreign actors to appear as if they’re working in the US while stealing data. That person was reporting back to a scammer in North Korea who may have had state ties, Grimes said.

KnowBe4 locked the fake employee out of the company laptop before reporting the case to the FBI. Neil Khatod, chief information security officer for Hays, a recruiting agency based in Tampa, said downloading such an obvious password-stealing software was a rookie mistake.

“He could have just played the long game and just slowly taken information and done the things they asked him to do, such that he’s trusted,” Khatod said. “But then you see this shift of, ‘I’m trying to do things fast now that I’m in.’”

The FBI confirmed that the scheme links back to a well-known North Korean data-stealing scam, Grimes said. In Tennessee, a 38-year-old man was charged last week for his alleged role in helping North Korean government officials get hired for IT roles at American and British companies.

At a national conference in Las Vegas, Grimes talked with five companies who had fallen victim to the same scam. One of them had encountered the exact same stolen identity. Some companies had data quietly siphoned away for months before they grew suspicious of their fake employee.

Grimes wonders if someone botched the scheme at KnowBe4.

“We don’t understand why they would take the huge risk of installing known malware,” he said.

KnowBe4′s rogue hire highlights the pitfalls of remote work for companies that hold valuable client data. KnowBe4 sells a phishing training interface that tracks which employees in client companies are most likely to fall for a phishing attempt.

Local cybersecurity experts offered recommendations for how companies can secure their remote hiring processes against rising foreign threats:

- Conduct in-person interviews: Danielle Kucera, chief product and risk officer for St Petersburg firm 360 Advanced, said her company always flies remote hires in for an in-person interview before sealing the deal. But the American collaborator in KnowBe4′s case may have found a way to dupe even an in-person interview process, according to Grimes: “Even if we said, ‘Show up in person,’ they’d hire somebody to be that person.”

- Ask around: Khatod said he searches for people from a prospective employee’s former companies who are not listed as references. It’s a protection against forged resumes.

- Keep employees visible, and hiring processes connected: Grimes said his company has learned to connect different pieces of the background check process, so inconsistencies - like different ID photos - get spotted. And KnowBe4 did the right thing, Khatod said, by having complete oversight on each click the employee made on the computer.

Fake hires aren’t the only scam threatening local companies. For a few local firms, said Jeremy Rasmussen, chief technology officer of Tampa cybersecurity firm Abacode, foreign phishers have stolen credentials of payroll administrators to steer dollars into international accounts. One construction client of Rasmussen’s lost US$250,000 that way, he said.

Across the country, losses are compounding from cyberattacks: in 2023, companies lost US$12.5bil , according to the FBI. A ransomware attack on the Florida Department of Health last month brought detailed doctors’ notes and immunisation testing records to the dark web. Hypervigilance, and a strong IT team, are the best shields, Rasmussen said.

For one company infiltrated by a North Korean IT worker, Grimes said, something strange happened - the laptop farm sent the stolen device back. Attached was a yellow sticky note with the firm’s name. Like the scammer had to remember where it came from. Like it was just one among a sea of pilfered devices, all stolen to feed data to the highest bidder.

 - TNS