Figuring out that you hired the wrong person is always jarring. But what if the “wrong person” was never who they said they were at all? When an employer discovers that a current employee has misrepresented their identity—whether by applying using a stolen name and Social Security number, misrepresenting their identity using artificial intelligence (AI), or other techniques during the interview process—the stakes rise significantly.

In this article, we address how employers can respond in the immediate aftermath of discovering a fraudulent employee and their considerations moving forward.

Quick Hits

• Employers may want to take immediate action to terminate an individual’s access and privileges as soon as they determine the individual is a fraudulent employee.
• Employers may also want to promptly involve trusted IT and legal personnel to conduct a forensic evaluation of the employee’s activity on the company’s systems.
• If the evaluation identifies unauthorized access to company files, or exfiltration of files from the company’s environment, consider treating the issue as a potential data security incident and proceed accordingly.

1. Taking Immediate Action

Employers discover fraudulent employees in various ways. Frequently, an employer will identify an employee as fraudulent after seeing the individual in an on-camera meeting and realizing the employee on camera is not the individual who interviewed for and was hired for the job. Or sometimes employers learn they have hired a fraudulent employee after they are contacted by law enforcement, a government agency, or even the individual whose identity is being fraudulently used to alert them of the issue.

In all instances, however, once an employer has investigated and determined that an employee is fraudulent, employers can mitigate the situation by taking quick action, such as:

• suspending the fraudulent employee’s system access, email, and other application credentials, network logins, and physical access to the workplace (if relevant);
• preserving evidence, including logs, system snapshots, audit trails, and HR files, and, where possible, creating a forensic image of the employee’s company-owned devices to preserve their state;
• launching a forensic investigation with internal risk-owners, such as IT and legal, including to review endpoint activity or similar logs, locate any evidence that malicious software was installed, and identify any unusual behavior associated with the employee’s account, including unexpected files accessed or removed by the fraudulent employee; and
• retrieving any company-issued devices, badges, keys, and credentials. Note, employers may even want to ask remote employees to return company-owned devices. Often, fraudulent employees will return company devices.

Employers may wish to document all immediate responsive activity, including steps taken, with timestamps and a record of the decision-making chain.

2. Assessing Data Security Implications

A fraudulent employee on an employer’s payroll isn’t just a human-resources embarrassment: depending on the actions the individual took on the employer’s system, the business may need to consider whether additional data security considerations are implicated. If the forensic review uncovers evidence that the employee accessed repositories containing sensitive or regulated data, exfiltrated files, or otherwise engaged in unusual or malicious behavior, it would be appropriate to evaluate the incident from a data breach perspective.

To do this, the business may wish to (and, depending upon the jurisdiction, may have a legal obligation to):

• inventory the folders and files accessed by the individual and, for each system, determine whether any sensitive or regulated data (including, but not limited to, Social Security numbers, government ID numbers, financial information) was accessed or removed;
• evaluate whether the business has a legal obligation to notify individuals, state or federal regulators, or even credit reporting agencies of the incident, if the business’s review indicates that the fraudulent employee accessed sensitive or regulated data; and
• document the decision-making process and retain supporting evidence regardless of notification obligation.

3. Auditing Hiring Processes and Data Security Practices

Hiring processes are a critical control point. A fraudulent hire is often a symptom of breakdowns in screening, verification, or oversight. Responding to the symptoms is only half the battle—employers need to plug the holes.

Employers can treat the discovery of a fraudulent employee as an opportunity to audit and refine their hiring processes and IT oversight practices. For a list of practical steps businesses can take in their hiring activities to avoid mistakenly hiring fraudulent employees, please review our earlier article.

From an IT perspective, businesses can revisit their data-access governance approaches. For example, in addition to requiring “least-privilege” access by default, businesses may choose to stagger the level of access they provide to new hires to prevent access to sensitive personal information during those critical early days. Businesses can also mandate regular audits of privileged users to identify and remove unnecessary accounts, and implement monitoring, logging, and active alerting to detect anomalous data access or export activities.

In addition, the tools that employers use to vet job applicants—such as background-screening services, identity-verification platforms, video-interviewing technology, and AI- or automated decisionmaking tool (ADMT)-based assessment tools—may themselves trigger a range of legal obligations. Depending on the technology and the jurisdiction, employers may be subject to requirements under the Fair Credit Reporting Act (FCRA), state and local background check laws, biometric privacy statutes, comprehensive privacy laws, and emerging AI/automated decision-making regulations. Employers evaluating or implementing these tools may want to review the various compliance requirements regarding employment-based AI and ADMT.

Listen to this post here.