How Identity Fraud Hits TA

Chris Hoyt: All right, we’re at it again. Welcome to the Recruiting Community Podcast. I’m Chris Hoyt, president of CareerXroads, CXR. I’m with Gerry Crispin, our co-founder. Gerry, how are you on this glorious day? It is a beautiful day — time to start planting. Gerry, I’m pretty sure you could be in the middle of a tornado or a typhoon or a cyclone, and someone would say, “How are you?” and you would say, “It’s a beautiful day. It’s a glorious day.”
Gerry Crispin: It’s a choice. Every day is a choice, and I only want one more bad day — that’s it. So every morning I wake up and go, “Oh, I’m here? It’s gonna be a great day.”
Chris Hoyt: We used to talk to someone all the time, and when you’d ask how he was, his response was always the same: he’s on the right side of the dirt.
Gerry Crispin: Yeah. Exactly.
Chris Hoyt: So we’re on the right side of the dirt — can’t complain.
Gerry Crispin: Can’t complain.
Chris Hoyt: For those who haven’t figured it out yet, we are the hosts of the podcast. We’ve been doing this for a couple of years, bringing you industry insights in the form of a fun conversation. This is brought to you by the CXR CareerXroads community. You can learn more at cxr.works.
Today I’m excited to welcome Taylor Liggett, Chief Growth Officer at ID.me. He’s going to unpack why the unverified hiring journey we’re all on is being exploited in all kinds of ways — from synthetic identities to nation-state bad actors — and why your background check may have a bigger blind spot than you think. He also has some thoughts on shifting from one-time verification to a persistent identity strategy that ideally follows employees from application all the way through separation. Pretty provocative stuff, and we’ve got a great conversation lined up.
A few things before we jump in. We’re streaming on YouTube, Facebook, and LinkedIn. Check us out at cxr.works/podcast for past and upcoming episodes — we have a new design up, and we’re approaching 600 interviews with leaders and influencers doing interesting work. You’ll also find easy ways to like, subscribe, and let us know if you’d like to be part of the conversation. And as always, this is an ad-free labor of love. Nobody paid to be here. Gerry, did I miss anything? Okay, let’s get started.

Announcer: Welcome to the Recruiting Community Podcast, the go-to channel for talent acquisition leaders and practitioners. This show is brought to you by CXR, a trusted community of thousands connecting the best minds in the industry to explore topics like attracting, engaging, and retaining top talent. Hosted by Chris Hoyt and Gerry Crispin, we’re thrilled to have you join the conversation.

Chris Hoyt: All right, Taylor, welcome. Thanks for joining us today.
Taylor Liggett: Thanks, Chris. Thanks, Gerry. I’m with you, brother Gerry — it’s a beautiful day, and I’m loving life. Let’s start there.
Chris Hoyt: Taylor’s on the right side of the dirt.
Taylor Liggett: I’m trying to be, yes.
Chris Hoyt: I love it. Taylor, for those who haven’t had a chance to meet you yet, give us a quick elevator pitch — what you do now, how long you’ve been at ID.me, and a little background on how you got here.
Taylor Liggett: As you mentioned, I’m the Chief Growth Officer at ID.me. I’ve been there for a number of years, but more interestingly, I’ve been in the identity space for well over a decade. And more relevant to this conversation, I’ve been at the intersection of identity and employment for almost 20 years.
My first foray into this space was with ADP. I oversaw account management within their background screening division after they acquired a background screening company and created their Screening Selection Services division. What really kicked off this journey was learning that background screens are essentially entirely predicated on self-asserted information. You’re being hired by a company, and you say, “Here’s my name, date of birth, SSN, and address” — and that’s what gets run. I found that crazy. How do we know that’s actually the right person? How do we know that information is accurate?
That started a bit of a journey for me. Long story short, I later became head of identity at Sterling, at the time the world’s largest background screening company, where I was tasked with fixing this problem — about seven years ago now. I took those learnings into ID.me, and I’m sure we’ll get into how that’s all evolved. But that’s a little bit about me.
Chris Hoyt: I love it. You’ve got the chops. You’ve done the work. You’ve got the receipts.
Taylor Liggett: I do, yes, sir.
Chris Hoyt: Let’s jump in. There’s a fraud landscape report that opened with a pretty aggressive claim — that the US hiring process, the TA function, has essentially become an attack surface, a frontline from a national security standpoint. The FBI has claimed that more than 300 companies have knowingly hired operatives or bad actors. For a TA leader or practitioner who has never thought of themselves as a first line of defense for an organization, how would you explain what workforce identity actually means, and why it’s now sitting on the desks of recruiters?
Taylor Liggett: Great framing. Let me give a little foundational context we can build off of. First, how did this even happen? A couple of things everyone needs to understand. The workforce was never built with strong identity controls — everything was in person, the world was massively different ten-plus years ago. Then COVID happened and shifted a lot to remote work. Then the rise of AI happened, and suddenly we have these powerful tools available to everyone.
The real catalyst, though — I don’t know if you remember the MGM incident a couple of years ago. MGM Resorts was brought to its knees. People were locked out of their rooms, the casino floor went dark — it was a very public ransomware attack. The way it happened: a 19-year-old found a senior IT role at MGM on LinkedIn, called the help desk pretending to be that person, knew their PII, and got the account reset. Five minutes later, all of MGM was down.
What bad actors took away from that was, “These companies are cybersecurity fortresses on the consumer side but weak on the employment side.” After that, we saw a wave of similar attacks across healthcare and other industries. Clorox had hundreds of millions in damages — it was a big mess.
That eventually evolved into North Korea saying, “How about we take this a step further and actually infiltrate these organizations by exploiting the weak US hiring process?” They started doing that at scale, and that brings us to where we are today. The FBI stat you quoted — 320 companies known to have been infiltrated by DPRK — is from over a year ago and dramatically understates the current situation. And this isn’t just about North Korea. They’ve gotten most of the headlines, appropriately so, because they’re sophisticated, coordinated, and well-funded. But they’re just one of many attack groups doing this, and it’s moving faster than anyone projected.
Gartner raised a lot of eyebrows six to eight months ago when they said that by 2028, one in four job candidates will be fake. Most employers we’re talking to say it’s already that bad right now. So hopefully that helps frame how we got here.
The other thing I’d add is that the landscape is particularly tough for TA teams because you’re dealing with a number of disconnected systems — an applicant tracking system, then interviews, then maybe a reference check, a background check, a skills assessment. None of these platforms are talking to each other, and almost none have any concept of identity controls baked in. You’re also dealing not just with identity fraud, but with collusion, proxies, and social engineering. It could be one person who applies, another who goes through the background check, and another who shows up to do the job. The whole process is easily exploited.
TA teams find themselves at the center of this because CISOs and security typically take over once someone is hired. Traditionally, HR and talent acquisition managed everything before that point — and now they’re having to own some of the security controls, in partnership with security teams. It’s a new space we’re in.
Chris Hoyt: I find it fascinating. Gerry and I have been having these conversations with our roughly 120 member companies. One shared in a recent leadership roundtable that they estimated about 4% of their entire candidate funnel was fraudulent. And we’ve already had another organization come forward and say they were two days away from shipping a laptop to someone who turned out to be a North Korean bad actor.
Gerry Crispin: And at the same time, most of our employer members really don’t have any new layer to authenticate. You’d think companies would jump on this, and the only way I can put it is an authentication layer that sets expectations: “We love you, the fact that you’re expressing interest is wonderful, but you’re going to have to get through this hoop before we talk to you again.”
Taylor Liggett: Gerry, very impressive — you’re using exactly the right terminology. An authentication layer is precisely how we should be talking about this. Five years ago when I first started raising this issue, I felt like the crazy person on the mountain. Employers were saying, “Come on, our background checks handle that,” or “There’s no way this is actually happening.” Now the landscape has changed and people get it. But sadly, most employers are waiting until they get hit — and then they’re acting. Don’t wait until it’s a house on fire with the board yelling at you and who knows what damage has already been done.
I view this as nothing short of a national security crisis, and that is not hyperbolic. We stopped over 150 North Koreans from infiltrating US organizations in the last 12 months alone — and we’re serving a sliver of employers in the US right now. We spoke with one major company recently that said they’re fighting off 20 to 50 infiltration attempts a day. A day. The implications are enormous.
I often think about a story from my background screening days. Today, background screening is ubiquitous — every company checks their hires, it’s just what we do. It didn’t always used to be that way. The catalyst that changed it was 9/11. After that, there was a moment where everyone said, “Okay, this actually matters,” and over the following years it rose to what it is today. I think we’re in a similar moment now for companies needing to look in the mirror and realize they need an identity strategy — an authentication protocol across the hiring stack.
The last thing I’d say is that I understand the inclination from TA leaders not to insert too much friction. You want to walk that line carefully. But two things: first, there are ways to solve the friction problem, and I think the approach we’ve developed is very good there. Second, I think we’re failing to appreciate how much candidates want this too. They’re stuck in a mess of fraudulent resumes and bots, trying to compete in a totally unfair landscape.
Gerry Crispin: They would love to have that noise go away — so at least they’d be on a smaller, cleaner platform without all of that. But I’m surprised we don’t see a more aggressive federal or statewide requirement to address this. Is there any possibility of that?
Taylor Liggett: I’m certainly working to influence that, and our company is working to bring awareness to it. My hope is that we don’t wait for some national security incident to force the issue. The US is also uniquely behind in this space. In Canada, you have to do an identity check before a background check. The UK and Australia have similar requirements. Other countries have a better concept of identity prior to employment — not perfect, but better.
The US was built around the I-9 process, and I-9 isn’t really identity verification. It’s more about whether you have the right to work in the country. It’s become a checkbox activity that an HR or hiring manager completes within three days of employment, reviewing some documents — with no training on document fraud or authentication, and no connection to who was already in the hiring funnel. That’s really the only federal regulation even adjacent to identity in this space.
I think we’ll get there eventually, but employers shouldn’t wait for the federal government to mandate it.
Chris Hoyt: And that’s a whole other podcast — how historically reactive we are in legislation rather than proactive. Someone has to get bitten before we do something productive about it. But let’s talk about how the fraud actually works, Taylor. You’ve described it almost like an inherited identity problem — each step of the hiring process inherits trust from the step before, with no independent verification along the way. And there’s evidence that a single person with no image editing experience can build a convincing digital twin, a synthetic identity. We showed one on a previous podcast — it took about $40 and less than an hour. So what fraud tactics are TA teams actually seeing right now? Deepfakes in interviews, digital twins, synthetic IDs, human proxies — and where in the funnel are these attacks succeeding most often?
Taylor Liggett: Great framing, and I speak often about the inherited identity problem because it’s led to a situation where no one really takes accountability — including, by the way, when someone actually joins an organization. We think about systems like Okta, Entra, and Ping as cybersecurity tools, but they’re all built on a foundation of unverified identity. They simply assume the employer verified the identity before onboarding. There’s no identity proofing when someone joins.
And sadly, the answer to your question is all of the above. TA leaders are seeing synthetics, proxies, and deepfakes. It correlates somewhat to the level of sophistication. Broadly, I break it into two camps. The first is what we’ve always seen — someone doesn’t have the skills for a job, or they’re trying to hide a criminal conviction. That’s been around since the dawn of time. The second category is the scary one: people working to infiltrate organizations, access proprietary information, execute ransomware. That’s where you see sophistication ramp up fast.
In 2023, we started seeing meaningful deepfakes, but they were relatively easy to catch. By 2024, it was like, “Ooh, these have gotten a lot better.” By 2025, we reached a point where we couldn’t reliably tell the difference anymore, and it’s only going to improve. Not all forms of identity verification are equal, and these bad actors are good at working past the more basic approaches. You have to throw a Brinks truck at this to defeat the sophisticated attacks — that’s really where we specialize.
The use of proxies is also very significant, especially with North Korea. They’ll pay someone — “You’re the face of this, you go through the hiring steps, we get the laptop.” I heard a remarkable story recently. A company said they caught an incredibly lucky break during a training session where they were handing out laptops. One young man suddenly had a crisis of conscience, broke down, and said, “I can’t do this. North Korea is paying me. I can’t take this laptop.” And the company said, “If this guy hadn’t had that moment, we’d have been infiltrated.” Those situations are very hard to stop without persistent identity verification across the process.
Chris Hoyt: I’m stunned by that — and the fact that the discovery came that late in the game. We mentioned someone was two days away from shipping a laptop. What broke this person?
Taylor Liggett: I know… One point I want to make while we’re on this: there’s a common misunderstanding that these attacks only target IT roles or certain sectors. That is absolutely not what we’re seeing. We went back and looked at the last 12 months of DPRK attacks we identified — those 150-plus we stopped — and analyzed which industries were targeted. IT services and consulting was number one, financial services and fintech was number two, healthcare and life sciences was number three, and staffing and recruiting was number four. But there are ten more industries on top of that, spanning every sector you can think of — insurance, legal services, automotive and industrial, BPO and call centers. It’s everywhere. I just want people to understand how broad this is.
Chris Hoyt: That’s exactly what I wanted to ask about. You’d expect software engineers, full-stack developers, AI and machine learning roles — but staffing, healthcare, financial services are also really feeling it. Is the real risk defined by industry, or is there something else — hiring patterns, remote-first culture, higher volume, contract-heavy work? Is there a common denominator?
Taylor Liggett: The denominator is the prize — and the prize is incredibly variable. A staffing firm is enormously lucrative because it’s a backdoor to all the different industries they serve. Get into a staffing firm, get deployed across various companies, and repeat the scheme over and over. In financial services and healthcare, access to data is incredible. Even a call center role gives you access to PII, payment information, and sensitive data. In industrials and automotive, it’s proprietary trade secrets. We even caught someone working their way into a court reporter firm — they wanted access to US court records.
And then there’s the catch-all that applies everywhere: ransomware. They can hold any company hostage by crippling your systems and demanding payment. So yes, IT roles are absolutely the top target — it’s the keys-to-the-kingdom scenario. But they’re everywhere now.
Gerry Crispin: I just can’t understand why we don’t see a much more aggressive approach from employers to add an authentication layer right at the front — at the point where someone expresses interest in a job.
Taylor Liggett: Gerry, I honestly think it’s an awareness problem. We’re all overwhelmed with news and not always sure what’s real versus hyperbole. The more employers can understand that this is very real — and that what they’re reading is actually understating it, not overstating it — the faster we move. Podcasts like this are critical to shifting that. I was at a cybersecurity conference recently where someone on stage said, “In a couple of years, we’re going to look back and say, ‘Do you remember how insane it was that we didn’t verify the people we were hiring?'” I think this will move quickly. My hope is that this year in particular, companies start developing their identity strategy and realize there are tools out there where you can verify once and then easily authenticate at every subsequent step — without a bunch of friction.
Gerry Crispin: That raises the importance of our June meeting, Chris — where we’re bringing in some of those cybersecurity vendors and suppliers to help our members think through what they should be focusing on.
Taylor Liggett: I’ll be there. Looking forward to it.
Chris Hoyt: And a callout, Gerry — the Marketplace Live event in June isn’t just for our members. These issues are so important that we’re opening it up so non-member TA leaders can attend and hear from Taylor and his colleagues about what’s happening in this space and how organizations are responding.
Gerry Crispin: There are obviously new models being developed to address this, Taylor, because some of these problems are brand new and you’re evolving as fast as you can. This isn’t an established discipline with a settled methodology — you’re building it in real time.
Taylor Liggett: That’s right. One of the things worth noting is how identity verification has historically been done in a very transactional way — you verify your identity to open a bank account, and that’s that. The model ID.me has really leaned into is reusable identity, where the consumer controls their own digital wallet. That model has to be applied to employment. You don’t want someone verifying their identity ten times throughout a hiring process — it should be a one-time thing that you own and carry from employer to employer.
On the fraud side, we often say it takes a network to defeat a network. Collaboration and shared intelligence are critical here. We support over 900 employers today. When we catch a DPRK bad actor attempting to infiltrate one of them, when that actor moves to the next one, we already have their fake identities and know their tactics. We’re learning and evolving continuously, and we’re also bringing together companies to share what we may not be seeing on our own. That shared intelligence piece is really important.
Chris Hoyt: Gerry, I’ll ask you — you’ve been in this space longer than both of us. Name one other area within talent acquisition where organizations have openly shared insights or intelligence across the board.
Gerry Crispin: It’s so hard, because what Taylor is really describing is doing that within his own client base. But fundamentally, there should be a legitimate organization where even competitors agree to identify and share information about bad actors with each other.
Chris Hoyt: Never going to happen.
Gerry Crispin: I know. But that’s the right path if you believe in a truly collaborative approach.
Taylor Liggett: Look, there are things happening in that direction. We collaborate with government agencies who have a vested interest here. Large employers are doing it. There are CISO channels where a lot of this information is being shared. But I’d be remiss not to highlight a big part of the problem: employers don’t like to raise their hand and say, “We just hired a DPRK operative” or “Our systems completely broke down.” It’s embarrassing. So a lot of information doesn’t spread, and that has to change. We have to start having this as an open conversation.
Chris Hoyt: Taylor, you’re asking Fortune companies to be vulnerable.
Gerry Crispin: Yeah, I know.
Chris Hoyt: Your through line, as I understand it, is that identity verification can no longer be a one-time checkpoint — it has to be continuous across the entire employee lifecycle. For a TA leader who’s dialed in right now, maybe on a treadmill, hearing all of this and realizing they’re exposed — what does step one look like? How do they start building an identity strategy that works with their existing background check, their ATS, their tech stack, without adding the friction we’re all afraid of losing candidates over?
Taylor Liggett: So, language is important first. Identity verification should happen one time at the earliest step in the process — and from there, it’s really about authentication. Is the person who verified their identity the same person I’m seeing at each subsequent step? That’s the framing employers should be working with.
Step one is inventorying your vendors. Some vendors are far ahead of this, and some are still in the dark ages. That matters — if your vendor is sleeping on this, you may want to reevaluate that relationship. I’d ask every vendor you work with what their identity strategy is and what they’re currently offering. That’s step one.
From there, reach out to companies like ID.me, but also others in the space, and start to understand what solutions and approaches are available. One of the things we’ve tried hard to do is not just sell our product, but come with best practices and insights — because whether you choose us or not, here’s how we think you should be approaching this in 2026.
And don’t let perfect be the enemy of good. You don’t have to build a multi-point persistent identity strategy across your entire stack overnight. Start with connecting identity verification at background checks to onboarding. That alone means the person you hired is the person who showed up to work — you’ve minimized the biggest insider threat risk right there. Then build out from that: add it at the application stage to stop wasting TA time on fraudulent candidates, or add it to account recovery processes. You can branch out from there. Start with the basics and build.
Chris Hoyt: What I like about what you’re saying is that you’re not just bringing a product — you’re looking for a partnership. Even if someone doesn’t choose ID.me, the goal is to help organizations be safer, and by extension make the country’s infrastructure more secure.
Taylor Liggett: Exactly. And the other thing that’s just a fact: most companies that build identity verification tools do it for financial services, gig economy, or healthcare — which is very different from employment. Employers don’t have big fraud teams. They don’t know what to do when 5%, 10%, or 20% of applicants can’t get through verification. There are unique considerations like the Fair Credit Reporting Act in background screening and how to navigate those. We’ve had a front-row seat to this for five years, and I feel a responsibility to bring those insights to people regardless of whether they ultimately choose ID.me.
Chris Hoyt: Gerry and I were just talking about this — a few years ago we saw assessment companies come into our space with their expertise on how we should be evaluating talent. Now we’re seeing the security element being pushed into TA, and there’s this huge opportunity for growth and new partnerships. I love talking to experts who weren’t originally in our space who say, “I get that you’ve always done it this way, but it’s time to break a few things and think differently.”
Gerry Crispin: We really do need to reimagine a lot of areas, but this one is right up front. And language like “background check” creates a whole different set of images. I worked at Johnson & Johnson for 10 years, and our approach to background checks was to send a letter saying, “You can join us — conditional on us verifying your PE license, since you’ll be involved in construction of our buildings.” That process took six weeks. I remember one instance where we hired a construction engineer, and six weeks later it turned out he had no PE license. The hiring manager still wanted to keep him because he was so good at the work. A lot of those kinds of practices are still in existence.
Taylor Liggett: Let me add some real upside for TA folks to consider here. We’re talking about identity, but what I’m really describing is the concept of a digital wallet that can streamline a lot of the hiring process. One credential in that wallet is identity — and that solves the problem we’ve been discussing. But you can also have verified education, verified employment history, verified references, verified licenses. How crazy is it that we’re constantly re-verifying all of these things that don’t change?
Gerry Crispin: Taylor, I love this idea — but the reality is the digital wallet concept has been around for a long time, and getting it universally adopted is another matter. There are 23 million people who are US citizens but can’t easily prove it through standard digital identity mechanisms. Getting everyone to that point is a whole different challenge.
Taylor Liggett: You’re right, it’s tough. But we have 160 million Americans with ID.me accounts — that’s 60% of the US adult population today. We’ve also developed processes with real human, in-person locations for exactly the situations you’re describing: people who aren’t in credit records, people new to the country, people who fall outside traditional digital identity mechanisms. I’m not pretending this is easy, but I think we’re on a real path to that type of solution.
Gerry Crispin: I think we need to get there — I just recognize it’s going to take a while.
Chris Hoyt: I’ll bet more people have an ID.me account than they even realize. You partnered with the IRS a few years ago, and a lot of people went through that process and may have already verified their identity without really thinking about it. And Gerry, to your point — this isn’t the first time we’ve talked about closing this gap. We had conversations years ago about blockchain having an opportunity to make a real difference in our space. We kind of squandered that one.
Gerry Crispin: Chris, do you remember when we went to see Disney’s hiring process for hourly workers? It was almost like a game, and one of the stops was a booth where the doors closed on both sides and you placed your finger on a biometric reader. They said once a month, the doors don’t open — and the police come to take that person away. Because Disney cannot afford to have someone with certain backgrounds working with kids. That’s really the only other thing I can think of that’s even somewhat related to what we’re discussing.
Chris Hoyt: Yeah. Well, Taylor, before we give you your day back — we ask everyone this: if you were going to write a book about this topic, what do you think the title would be?
Taylor Liggett: I have to really think about that, because I’ve staked my career on this issue at this point. The thing I keep coming back to is that story I mentioned — someone at a conference standing up and saying, “In a couple of years, we’re going to look back and say, ‘How crazy was it that we just didn’t verify who we were hiring?'” Maybe the book title ends up being something like that.
Chris Hoyt: I wouldn’t blame you. Surprise follow-up — present company excluded, who gets the first signed copy?
Taylor Liggett: Probably the CEO of Sterling at the time I was there — Josh Perez. He was the first person who said, “You know what? You’re right. Let’s shake this up.” That marked a real shift and allowed us to get ahead of this problem in a meaningful way.
Chris Hoyt: Fantastic. Shout out to Josh. Taylor, thank you so much for your time. We know you’re busy, and we appreciate you carving out a little bit for us and our listeners and viewers. Really appreciate it.
Taylor Liggett: My pleasure. Thank you.
Chris Hoyt: For everyone still with us — cxr.works/podcast. If you’re interested in meeting Taylor and some of the other folks we’re bringing in, or you want to attend Marketplace Live, head to cxr.works/marketplacelive. Until then, smash all the likes and subscribes, forward these episodes to your friends, and make us famous. We’ll see everybody next time. Thanks.

Announcer: Welcome to the Recruiting Community Podcast, the go-to channel for talent acquisition leaders and practitioners. This show is brought to you by CXR, a trusted community of thousands connecting the best minds in the industry to explore topics like attracting, engaging, and retaining top talent. Hosted by Chris Hoyt and Gerry Crispin, we’re thrilled to have you join the conversation.