- Key insight: Fraudulent remote workers, from everyday double dippers to highly organized North Korean operatives, are actively infiltrating U.S. banks and compromising corporate networks.
- What's at stake: The danger of hiring these fraudulent remote workers extends beyond basic payroll losses to include severe risks of data theft, IT sabotage and massive regulatory violations.
- Expert quote: "In a world of remote work, you have a lot more fraudulent workers," said Capital One's chief technology risk officer Andy Ozment.
Overview bullets generated by AI with editorial review
San Francisco — For years, U.S. law enforcement officials have warned financial institutions that sophisticated employment fraud is enabling North Korean operatives to infiltrate corporate networks. At a cybersecurity conference this week, a major banking leader warned: The threat has not subsided.
Employment fraud risks include everyday double dippers working two full-time jobs, shadow subcontractors who unlawfully outsource their access and highly organized nation-state schemes in which impostors infiltrate companies to generate revenue for foreign regimes.
For U.S. banks, the danger of hiring these fraudulent remote workers extends far beyond payroll losses, creating severe risks of data theft, IT sabotage and massive regulatory violations.
Capital One's chief technology risk officer and executive vice president, Andy Ozment, outlined these growing vulnerabilities during a presentation Monday at the 2026 RSAC Conference, an annual gathering for the cybersecurity industry.
"Fraudulent workers are everywhere," Ozment told attendees. "There's been a fundamental change in the world," and "in a world of remote work, you have a lot more fraudulent workers."
The three faces of employment fraud
Ozment divides the fraudulent worker landscape into three distinct categories: malicious actors, corrupted employees and negligent workers.
Among the most common schemes is the so-called double dipper — an employee who (often secretly) holds two full-time positions simultaneously. As of February, 412,000 such Americans were working two full-time jobs, according to data from the U.S. Bureau of Labor Statistics.
The second threat involves "shadow subcontractors," where U.S.-based employees secretly farm out their daily tasks to unauthorized, lower-cost overseas laborers.
To evade detection, these workers often utilize remote-control features on teleconferencing software or deploy internet-connected keyboard, video and mouse (KVM) hardware devices to grant foreign nationals hidden access to corporate networks, Ozment said.
The third and most severe threat facing banks is the nation-state impostor, primarily orchestrated by the Democratic People's Republic of Korea.
Highly organized North Korean IT workers use the stolen or borrowed identities of U.S. citizens to secure remote employment. While their primary objective is generating hard currency to fund the heavily sanctioned North Korean regime's weapons programs, the operatives also steal sensitive corporate data and engage in IT sabotage, according to Ozment.
The scale of these nation-state operations is great enough to impact numerous Fortune 500 companies, financial service providers and technology firms, including Amazon.
"We've stopped more than 1,800 suspected DPRK operatives from joining since April 2024," Stephen Schmidt, Amazon's chief security officer, said in a December LinkedIn post.
How DPRK actors breach corporate defenses
To execute these schemes, overseas operatives frequently rely on domestic accomplices to run "laptop farms," according to a May 2024 press release from the U.S. Department of Justice.
U.S.-based facilitators receive corporate laptops from the victim companies and connect them to remote access applications, allowing the foreign operatives to log into corporate networks while appearing to work from domestic internet protocol addresses, according to the Justice Department.
Impostors commonly use internet-connected KVMs to manipulate the laptops from abroad, according to Ozment. These hardware tools often run on simple, low-cost Raspberry Pi computers.
Beyond technical workarounds, fraudsters also use "identity mules" to bypass physical security checks and in-person interviews, Ozment said.
In some cases, U.S. citizens provide their own identities to the foreign workers and then physically stand in for them during employer vetting procedures, according to an October 2024 Justice Department press release. For example, two U.S. facilitators appeared for drug testing on behalf of the overseas IT workers they were assisting, according to the release.
Detection strategies across the employment lifecycle
To weed out fraudulent workers, banks must implement rigorous checkpoints at every stage of the employment process, beginning with the initial interview.
Recruiters serve as the first line of defense, but they often view themselves merely as the friendly face of the institution rather than risk managers, according to Ozment.
Institutions must train hiring teams to spot suspicious behaviors, such as candidates who take strange pauses, look off-screen or struggle to answer basic questions about their own background, Ozment said.
Additionally, he encouraged banks to flag applicants who use Voice over IP phone numbers or who submit multiple profiles under different names but with the same contact information.
The vigilance must continue after extending a job offer. Fraudsters frequently invent excuses such as a family emergency or a sudden move to change the shipping address for their corporate laptop at the last minute, according to Ozment.
This tactic attempts to route the device to a domestic laptop farm instead of the employee's supposed residence. The sudden change in shipping information is meant to add urgency to the request to obscure the true motive.
Banks should also scrutinize candidates who dodge standard fingerprinting appointments or attempt to use unverified third parties for background checks, Ozment said.
Once a worker logs onto the corporate network, technology risk teams can leverage endpoint security tools to spot anomalous behavior. For example, security software can flag impossible travel, in which a user logs in from the U.S. and then appears to log in from an overseas location shortly thereafter.
Another critical indicator is keystroke latency. A typical remote worker might experience a 10-millisecond typing delay, but an operative routing their connection through a domestic laptop farm might show a 100-millisecond delay — a specific metric that recently helped Amazon catch a suspected DPRK contractor, Ozment said.
Internal teams can also identify impostors through payroll and human resources data. Red flags include new hires who frequently change their direct deposit accounts or quickly request emergency paid time off, according to Ozment.
No single indicator is typically enough to prove fraud, but by correlating these technical, financial and behavioral signals into a unified risk score, banks can accurately identify likely impostors and initiate a response, Ozment said.
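The correlation described above can be sketched in a few lines. This is an added example, not code from Ozment's talk or from any bank; the weights, the thresholds other than the 100-millisecond keystroke delay, the parameter names and the sample logins are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from statistics import median

# Weights and thresholds are assumptions for illustration; only the ~100 ms
# keystroke delay is a figure the article cites.
WEIGHTS = {"impossible_travel": 40, "keystroke_latency": 25,
           "deposit_changes": 15, "emergency_pto": 10, "shipping_change": 10}
MAX_KMH, LATENCY_MS, ALERT_AT = 900, 100, 50

def km(a, b):
    """Haversine distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(logins):
    """True if two consecutive logins imply travel faster than MAX_KMH."""
    ev = sorted((datetime.fromisoformat(t), pos) for t, pos in logins)
    for (t1, p1), (t2, p2) in zip(ev, ev[1:]):
        hours = (t2 - t1).total_seconds() / 3600
        dist = km(p1, p2)
        # Skip short hops (geolocation jitter); guard against zero elapsed time.
        if dist > 100 and (hours == 0 or dist / hours > MAX_KMH):
            return True
    return False

def risk_score(logins, keystroke_ms, deposit_changes=0,
               emergency_pto=False, shipping_change=False):
    """Correlate one worker's signals into (score, fired_signals, alert)."""
    fired = {
        "impossible_travel": impossible_travel(logins),
        "keystroke_latency": bool(keystroke_ms) and median(keystroke_ms) >= LATENCY_MS,
        "deposit_changes": deposit_changes >= 2,
        "emergency_pto": emergency_pto,
        "shipping_change": shipping_change,
    }
    names = [n for n, hit in fired.items() if hit]
    score = sum(WEIGHTS[n] for n in names)
    return score, names, score >= ALERT_AT

# Constructed sample data (not real telemetry).
HOME, ABROAD = (38.88, -77.10), (52.52, 13.40)
STAYS = [("2026-03-02T09:00:00", HOME), ("2026-03-03T09:00:00", HOME)]
JUMPS = [("2026-03-02T09:00:00", HOME), ("2026-03-02T11:00:00", ABROAD)]
if __name__ == "__main__":
    print(risk_score(STAYS, [9, 12, 10, 11]))       # ordinary worker
    print(risk_score(STAYS, [102, 99, 110, 104]))   # one signal only
    print(risk_score(JUMPS, [110, 105, 98, 120], 3, False, True))
```

The second call shows why a single indicator is not treated as proof: a slow link alone scores below the alert threshold, while the third worker crosses it only because several signals fire together.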
Systems-level defense across the company and industry
Human resources and legal departments often inadvertently hinder efforts to catch impostors, according to Ozment. HR teams frequently do not view themselves as risk managers, and legal departments may fear discrimination lawsuits during the hiring process, he said.
However, security professionals at banks must advocate to these other teams for a shift away from traditional employment fraud protections, Ozment said.
To bridge these internal divides, Ozment advised banks to form a dedicated committee of senior executives to review threat intelligence and establish concrete internal controls.
If rolling out comprehensive measures across the entire bank is too daunting, institutions should start by heavily vetting high-risk positions, such as software engineering, artificial intelligence and machine learning roles.
When an impostor inevitably slips through the cracks, the ultimate goal is rapid detection, containment and removal. Ozment advised banks to establish an incident response playbook specifically tailored for insider threats and fraudulent remote workers.
The fight against nation-state impostors requires a united front across the entire financial sector, according to Ozment.
"I have talked to a number of CISOs who actually only caught North Koreans because of indicators that were shared either through industry sharing forums or law enforcement," Ozment said.
As a first step for organizations, he suggested, "Start with joining information sharing groups, of course. That can be a pretty quick win to find out what's happening in your industry or elsewhere."











