How easily can deepfakes fool employers? One cybersecurity expert decided to find out
Main image: Jackie Morris, a deepfake job candidate created by Jake Moore (courtesy of Jake Moore)
Jackie Morris had a LinkedIn, a resume, a passport, and an Instagram account showing her on a beach with her husband and dog. She applied for a marketing job, charmed her way through three rounds of interviews, and beat out 261 other candidates to land the role. The only problem: Jackie Morris doesn't exist.
She was the creation of Jake Moore, a global cybersecurity advisor at ESET who has spent 22 years working in crime prevention and research. Using off-the-shelf software costing $50, Moore had transformed his face, his voice, and his entire professional identity into a fictional Asian woman, and two companies hired him without ever suspecting a thing.
“I’ve always been fascinated with deep fakes and any AI technology,” Moore said. “And I thought the best experiment for this would be to actually apply for jobs as someone else and see how far I could go.”
Building a fake identity from scratch
His first persona, Jack Morris, was a version of himself with an AI-swapped face, a fabricated resume, a fake LinkedIn profile, and a counterfeit passport. He built it in a matter of hours, using ChatGPT for the CV and a free face-swapping tool called Swapface.org for the visuals. With the CEO’s permission, he applied for a sales executive role at a large IT firm with a salary of 38,000 pounds and sailed through two interview rounds without raising a single red flag.
“We just chatted very easily, and I believe they clearly believed it, because we got on so well,” he said.
Jack Morris, the first fake persona Moore created (courtesy of Jake Moore)
His chief product officer was less impressed.
“He said, ‘All you’ve done is swapped your face. Anyone could do that,’” Moore recalled. “‘What would impress me is if you did this as a woman.’”
That challenge sent Moore back to the drawing board for four months. His second persona, Jackie Morris, required more sophisticated software to alter both his face and his voice in real time, a new LinkedIn, a new resume, a new passport, and an Instagram account complete with photos of Jackie on a beach with her husband and dog. He even married Jackie off to Jack Morris, his first fake identity, just for continuity.
“By now I was having fun,” he said.
Fooling the filters
Moore applied as Jackie for a fixed-term marketing role paying 30,000 pounds. Out of 262 applicants, four were invited to interview. He was one of them.
The first round was, somewhat ironically, an AI screening, requiring his AI persona to converse with the company’s own AI chatbot. He passed. In the live video interview that followed, Moore ran a separate program in the background that listened to the conversation and fed him suggested answers whenever a question came up he wasn’t sure how to handle.
READ MORE: Candidate fraud: The warning signs HR should watch out for
“Every time she came up with a question that I might not have known, I had another program running that would come up with a suitable answer that I should deliver in bullet points,” he said. “If there was anything I didn’t know, I was able to say something that would have passed what she was wanting to hear.”
When the interviewer signed off, she told him she was impressed with how well he knew his stuff. The job offer came shortly after.
“I just couldn’t believe that I’d done it a second time,” he said.
It’s not just about getting hired
Moore turned down both roles, citing other opportunities, and neither firm was ever told they'd been duped. He felt too guilty to let them know.
But the real-world implications of someone doing this with bad intentions are unsettling. Moore believes a fraudster could hold down a remote role for at least a month before anyone noticed, collecting a salary the whole time. And that's before considering what happens when the company ships out a laptop.
READ MORE: Hiring professionals back ‘live-only’ interviews to prevent AI-aided candidates
“With that, you could easily hack into a company,” he said. “It’s much, much easier if you’ve got access through the company on the inside.”
The real Jake Moore, a global cybersecurity advisor at ESET (courtesy of Jake Moore)
He also raises a threat that goes beyond hiring entirely: the same technology could be used to impersonate a known executive on a video call.
“If I turn up as the CEO of a company, have a Zoom call with them, sound like them, and look like them, there’s a good chance that person on the other end of the line will do as I say,” he said. “That’s a major threat that I don’t think many people even know yet.”
So, what can HR actually do?
When it comes to solutions, Moore doesn’t put much stock in detection software. Every tool he tested during his research he was eventually able to fool, and he doesn’t think companies should build their defenses around technology that’s already being outpaced. His advice is simpler, and harder to game: meet candidates in person at some point in the process.
“It comes back to verification in other ways, and always at the end having some sort of physical meet, because those in-real-life situations are much more trusted,” he said.
For global organizations where in-person meetings aren’t practical, Moore points to an emerging solution he heard about from a large retail company: third-party verification firms that will meet a candidate in their own country and confirm their identity with documentation. It adds a small cost to the process, but Moore says it’s worth it.
“Otherwise, we’re just going to see every remote job targeted in this way,” he said. “That small extra cost is potentially going to save you from this next-level threat.”
Moore presented his findings at Infosecurity Europe in London on June 3. The software he used was widely available and cheap: the voice-altering tool cost $50 and the face-swapping site was free, a reminder that the barrier to pulling this off is lower than most hiring teams realize.
“We can’t just trust things at face value,” he said. “That’s partly what I do this for, to make people realize that.”
