The Hiring Pipeline Has a Security Problem

Chris Hoyt: Welcome to the Recruiting Community Podcast. I’m Chris Hoyt, President of CXR and your host, joined as always by Gerry Crispin, co-founder of CareerXroads. Gerry, how are you on this glorious day?
Gerry Crispin: Just wonderful — and it is a beautiful day, even here.
Chris Hoyt: Even there. “On the right side of the dirt” might be my favorite thing you’ve ever said.
Gerry Crispin: You betcha.
Chris Hoyt: For those joining us for the first time, we like to bring you industry insights and updates in the form of a fun conversation — kind of like water cooler chat you won’t get in trouble for. It’s all brought to you by CXR, the CareerXroads Community.
Today’s topic: generative AI. We’ve been talking about AI for a while now, but it didn’t just change how candidates apply to jobs — it’s also changed who, or what, might be applying. Today we’re joined by Matt Moynahan from Get Real Security to explore one of the most disruptive shifts hitting talent acquisition right now: AI-powered identity fraud in the hiring process. We’ll cover why verifying identity has become far more complex than a background check, how deepfake attacks are targeting recruiting pipelines, and what it means for enterprise organizations when this threat moves from novelty to new norm.
Whether you’re a TA leader, an HR executive, or a recruiter at any level, this is one you don’t want to miss.
A quick note before we jump in — we’re streaming on YouTube, Facebook, and LinkedIn. You can find previous episodes and upcoming guests at cxr.works/podcast. There are hundreds of interviews with TA leaders, practitioners, and people doing meaningful work across the full spectrum of attracting, recruiting, and leading global talent teams. Gerry and I have been doing a lot of talking.
Gerry Crispin: Without a doubt.
Chris Hoyt: We get paid to talk. On the site, you’ll also find an easy way to like, subscribe, and reach out if you want to join the conversation — whether you have a topic, a guest suggestion, or something to say. And a reminder: this is an ad-free labor of love. Nobody paid to be here, and we don’t pay our guests either. With that, let’s jump in.

Chris Hoyt: All right, Matt — let’s start with introductions. For those who haven’t had the pleasure of meeting you, can you give us the escalator pitch on who you are and what you do?
Matthew Moynahan: Sure, thank you for having me. And you’re assuming meeting me is a pleasure — we’ll see how you feel after this call.
Chris Hoyt: It’s early. It’s early.
Matthew Moynahan: I’m Matt Moynahan. I’ve been in cybersecurity for almost my entire career — over 30 years, which is just me dating myself at this point. If you look at the arc of my career, I started in network and infrastructure and kind of followed the threat over time. I was CEO of Forcepoint, where we dealt heavily with insider threat — the Edward Snowden type of scenario, where you hire someone and they turn against you. What I’m doing now at Get Real Security is really a continuation of that work.
You might think of us as a deepfake company, but the broader mission is addressing a new class of threat: the ability to replicate and impersonate anyone — whether through a fake identity or a fake human presence in pixels and sound waves. We’re pushing cybersecurity into new territory, making sure that the pixels and sound waves representing a person in a digital medium are actually accurate and trustworthy. Fake candidates are a big part of that. It’s a fascinating space.
Chris Hoyt: Every time we think we’ve seen it all in TA, something new hits. It’s great to have experts like you come in from outside our world to really educate us. I appreciate you making the time.
Matthew Moynahan: Happy to do it.
Chris Hoyt: I’ll say upfront — and Gerry, keep me honest here since you’ve been in this longer than I have — I don’t think most TA leaders signed up to be cybersecurity experts.
Gerry Crispin: That’s for sure. Most recruiters tend to take people at face value and keep things moving because they want to make the hire. It used to be genuinely unusual when you discovered that someone who claimed to be a professional engineer didn’t actually have a license. But this is something different entirely.
Chris Hoyt: Right. And I guess my question is: at what point does identity fraud in hiring become a problem that recruiting simply can’t solve on its own? Who else needs to be at the table — IT, security, legal? Matt, what does that look like?
Matthew Moynahan: I think we have to take some pressure off talent and HR here, because no one is fully equipped to be a cyber expert. It’s like asking a financier to bake a cake. And honestly, the cyber industry has been forcing that on companies for years.
Banks are a good example — they’ve essentially become more sophisticated cybersecurity operations than many dedicated cybersecurity firms, because they had no choice. We’ve all been conditioned to spot phishing emails, and that took years. The challenge now is that these aren’t crude fake attacks. These are highly sophisticated social engineering attacks that prey specifically on human trust.
Studies consistently show that trust increases exponentially as you move from the written word, to the spoken word, to spoken word plus visual confirmation on video. That’s why TikTok, podcasts, and video content are so much more engaging than reading. And that’s exactly the medium being exploited.
But here’s the thing — I think this is also a genuine opportunity for HR and talent professionals. The role TA and HR plays in organizations varies widely; sometimes it’s truly strategic, sometimes less so. But this is a secular threat that’s going to bring the front door of human capital into the mainstream conversation. Every organization needs to be paying attention.
Gerry Crispin: It’s not just about awareness, though. I’ve been in conversations recently with TA leaders who’ve read about this and maybe had a few incidents, but most are still questioning whether there’s sufficient data to tell them just how serious the exposure inside their own companies actually is. Is there good data on the scale of this problem?
Matthew Moynahan: I’d say there are three things happening simultaneously. First, there’s the widespread use of AI as a tool — plenty of research shows AI being used to generate or enhance resumes and candidate profiles. Whether that’s cosmetic augmentation of skills or something more adversarial is a separate question. That’s your top-of-funnel problem.
The harder question is what’s happening in the middle and end of funnel — are adversaries actually infiltrating companies, and in what form? That’s much harder to quantify. But I think it’s fair to say that if you’re in the Global 1000 or 2000, you’ve been hit at least once, and many organizations don’t know it. That’s the nature of insider threat — once they’re in, they become insiders.
In many cases, these are talented, likable employees. I recently spoke with a client who surfaced a North Korean operative inside their company, and one of their colleagues was in tears as they walked the person out the door because this individual had been such a trusted friend. It gets complicated. As for precise data on the internal prevalence of the threat — it doesn’t really exist yet. What’s clear is that the recruiting process itself is overwhelmed, and the adversaries keep evolving. It’s not just North Korea. Many nation-states are playing this game.
Chris Hoyt: Let’s talk about background checks — the gold standard for identity verification in our space for decades. Should TA leaders be rethinking that now? Are background checks essentially obsolete, or just insufficient? What does identity verification actually need to look like in a world of convincing deepfakes?
Matthew Moynahan: Honestly, I think they’re going the way of the dodo bird. Background checks are still an important compliance box to check — I’m not dismissing them entirely. But consider the shelf life of a background check. It verifies historical data and documents at a point in time: you seem to be who you say you are, and you seem to be telling the truth about your employment history. That’s one hurdle, and it’s typically regulatory in nature.
It doesn’t tell you whether that person will remain trustworthy over time. That’s the classic insider threat problem — you hire someone, you trust them, and they turn on you. What makes the current threat far more complicated is that people are morphing their identities continuously to suit their purpose — not just to get through the funnel, but to operate inside the company and infiltrate supply chains.
We used to call them polymorphic viruses. Imagine a fishing net in the ocean, and the fish just keeps changing its size as you change the holes. That’s what’s happening now. People are subtly modifying their identity and their physical presence using AI, and they can keep evading detection because it’s a social engineering attack on a human being. It’s much harder to catch than a technical exploit.
Background checks still matter, but everything needs to move toward continuous verification and authentication. That’s exactly why the U.S. government was trying to shift top secret clearances from five-year review cycles to something approaching daily verification.
Chris Hoyt: I feel like I’m in a Netflix spy thriller. These are not terms we normally hear in TA. About six months ago, when this topic really started hitting the radar, a lot of TA leaders I talked to were saying, “We’re not a federal contractor” or “We don’t have any big secrets.” Now those same leaders are paying much closer attention, and the C-suite is telling them to dig in. It shifted pretty quickly.
Matthew Moynahan: It has, and I think the gap Gerry alluded to is the biggest problem right now: the gap between how serious this problem actually is and how seriously it’s being taken. The adversarial techniques are advancing far faster than the defenses being deployed.
And to be clear — not everyone coming through your interview process is from North Korea. Not everyone coming through is a bad actor. So you have to be careful not to introduce bias. You can’t hear an accent and let that trigger suspicion. It’s a genuinely difficult problem, and it’s moving fast.
Gerry Crispin: And think about the accessibility of the tools. For something like twenty dollars, someone in their forties or fifties concerned about age discrimination can morph their appearance on a Zoom call to look thirty years younger — younger voice, different presentation. The intent may not even be malicious; it’s just about putting your best foot forward. But it crosses a line.
Matthew Moynahan: There is a continuum here. There’s a difference between a white lie and an outright deception intended to cause harm, and I think you’re going to see that played out with these tools. I’m 55 — I know ageism is real. You feel it. So I understand the impulse. But there’s a line, and it keeps moving.
There’s a new tool out of China that allows someone to change their apparent identity in real time on a video call based on who they’re speaking to — different ethnicity, different age, all of it. It’s extraordinarily accurate. So you go from cosmetic touch-ups at one end of the spectrum to something that’s deeply adversarial at the other. And there are real-world complications downstream: if you have an HR emergency and you think someone is in New York but they’re not, what happens? These things will unfold in ways we haven’t fully anticipated yet.
Gerry Crispin: So where do you insert the authentication step in the hiring process? And if you do it upfront — which I think most organizations want — you need to be transparent about why and set expectations clearly so candidates understand that identity verification is a standard part of the process.
Matthew Moynahan: I think it’s going to go mainstream. Americans value privacy, and most privacy laws were designed to protect individuals from the surveillance economy — companies de-anonymizing private moments and monetizing them. That’s where a lot of the regulatory backlash has come from. But generative AI is already abusing these norms in new ways.
Taylor Swift recently applied for and received a trademark on her voice — a sound mark. The reason she did that is that copyright protects a specific work, but a sound mark protects the voice itself. Enforcing it requires biometric pattern matching any time her voice appears anywhere. The technology is already moving in that direction.
The analog in the physical world already exists: Global Entry, TSA PreCheck, visitor management systems. When you walk into a Global 2000 company, they’re capturing your face, your email, your phone number. You consent to things you didn’t fully read. Think of it this way: if someone is entering your digital infrastructure, why wouldn’t you apply the same verification you’d apply at the physical front door? The logic is the same.
I have CrowdStrike running on my laptop right now, and it has no visibility into who I am as a person — what I look like, what I sound like. And it should. That’s where this is heading.
Chris Hoyt: How long before we get this right at scale? You mentioned the Taylor Swift situation, and separately there was an artist just a couple of months ago whose music was replicated by AI — the platform sided with the company that made the replica, and now she’s paying out of pocket to prove ownership of her own work. And these surveillance concerns bleed into the real world too. Flock cameras are everywhere. FOIA requests aren’t being granted. It feels like we’re so far from getting any of this right, and it extends well beyond TA.
Matthew Moynahan: We’ll be talking about this twenty or thirty years from now. Everything is digital. Self-driving cars are making decisions based on digital representations of stop signs. The stakes are real across every domain.
The reason Get Real Security exists is that we believe the pixels and sound waves that represent a human being will need security and legal protection — whether it’s copyright enforcement or deepfake detection. And here’s what’s interesting: some companies are responding to this by saying they’ll bring everyone back to a physical office for in-person interviews. I actually think that’s the wrong move. I’d say do the exact opposite.
Digital is a powerful medium. Get candidates in front of a camera. How many HR teams have been cross-referencing FBI threat bulletins? None. Background checks might catch a criminal record or employment discrepancy, but it’s actually easier to run robust checks in a digital environment than a physical one. Put people on camera, and you can catch physical adversaries and deepfakes at the same time. When the technology matures — and I think we’re probably a couple of years from mass adoption — it’s actually going to simplify the process.
Chris Hoyt: If we had to draw a practical line for TA leaders, there’s a meaningful difference between a candidate using AI to polish a resume and a sophisticated bad actor creating an entirely false identity to infiltrate a company. How should TA leaders be thinking about that spectrum? And where does their responsibility actually begin and end?
Matthew Moynahan: It’s not just TA — it’s TA plus security working together. Here’s a real example. I was talking to the CISO of a Fortune 100 defense company. He showed me a photo of the person they hired and a photo of the person they actually sent the laptop to. Completely different people. Not even a close resemblance. They had simply hidden in the seams of a large, global, matrixed organization.
The CEO called the CISO and said, “We have a spy inside our company.” The CISO’s response: “Why are you calling me? I didn’t let them in the front door.” And that’s exactly the problem. Security and identity teams need to move controls into a place they’ve never had to operate before. It’s not just the I-9 process. It extends to non-employees, contractors, and vendors — anyone entering your ecosystem.
If someone declines to consent to identity verification and walks away, that might be a self-selection mechanism. But you have to protect yourself regardless. And I genuinely feel for the legitimate candidate trying to navigate all of this. A large company told me recently they’d seen a 40% spike in resumes. I asked if they’d done anything differently to justify that kind of increase. They hadn’t. And they said a lot of the resumes were fake. I told them this is what criminal organizations and nation-states do — for every 10,000 resumes, there may be only around 300 actual people behind them. One actor submitting 30 or 50 applications across companies until something gets through.
That top-of-funnel problem has to be addressed before you’re willing to invest in deeper checks on the candidates you actually care about. One TA professional I spoke with recently disqualified a candidate for having a perfect skills score. A few years ago that would have been exactly what you wanted. Now it’s a red flag.
Chris Hoyt: The pain is real, but it looks different at the top of funnel versus the end of funnel. What’s interesting is we had a leadership roundtable this morning, and one of the comments was about how candidates are starting to notice when something in the process feels AI-driven and opting out entirely. As our tools get more sophisticated on the recruiting side, what does that do to the talent supply and demand equation?
Matthew Moynahan: I feel for candidates. I would never personally do an interview with an AI avatar or an automated pre-screener. If it doesn’t feel like it’s worth my time, I wouldn’t engage. And I’d extend that to almost any level, not just executive roles. There’s something about that kind of experience that reflects the culture of a company. So I do think the tension between automation and machine-speed efficiency is going to run up against the authenticity that candidates — and frankly, most people — expect from the process.
Gerry Crispin: There’s also a failure of expectation-setting. When a company is receiving five or six hundred resumes for a single role, there’s no way a human is going to conduct meaningful screening at that volume. So the question isn’t really “avatar or human” — it’s “avatar or nothing.” If companies can set clear expectations upfront that an AI is handling top-of-funnel screening, and that it’s the path to a human conversation, candidates have a real choice to make about whether they want to engage with that.
Chris Hoyt: But Gerry, that’s exactly what Matt was describing earlier — a perfectly good candidate might still say, “No thanks,” and walk away.
Gerry Crispin: Sure. But there’s rarely only one perfect candidate for a role. There are usually dozens of qualified people. And once you’ve confirmed someone is a legitimate candidate, the way employers treat them from that point forward needs to be reimagined entirely.
Matthew Moynahan: And keep some perspective: there are only about 167 million working adults in the U.S. It’s not an infinite pool. When you strip out the AI-generated slop at the top of funnel, the real question becomes — how do you treat every verified human being like gold from that point on, knowing that adversaries are actively trying to mix in?
Chris Hoyt: I don’t want to end on doom and gloom, but I do want to draw this connection clearly. If a deepfake candidate makes it through your process and gets hired, what is the actual downstream risk to an enterprise? We’ve mentioned data theft and reputational damage — does it get darker than that?
Matthew Moynahan: First, I’ll say it would be very difficult for a deepfake to survive an entire interview process when you have robust detection in place. What we do is look for biometric consistency across the person showing up on screen and match that against their digital identity attributes. A sophisticated adversary would struggle to maintain that across multiple touchpoints.
But if someone did get through, the consequences vary by industry — and they can be severe. You’re looking at potential violations of employment law, funding of sanctioned nation-states, and IP theft, among other things. And these aren’t hypothetical threats. When I worked on insider threat issues at banks, I encountered ISIS operatives and Chinese intelligence assets who had made it through standard hiring processes. Some would simply walk in at the end of the day, sit down at an unattended terminal, and download what they needed.
The threat has always existed. China has been running long-game operations for decades — getting operatives into PhD programs at elite universities, then into leading companies. What North Korea did was mass-market that playbook. They trained people well, deployed them at scale, and for a while no one suspected it. The thefts are real. The damage is real. In the defense industrial base, a stolen blueprint could accelerate adversary capabilities by a decade.
And it’s not just large companies. Small companies with valuable AI algorithms are targeted too. Every company has something worth stealing to someone.
The analogy I keep coming back to is the software supply chain. We’ve spent years building accountability and lineage tracking for software. We’re going to need to do the same thing for the human capital supply chain — understanding the trust and lineage of the people flowing through and inside our organizations over time. It sounds a bit heavy, but I think that accountability is coming given what’s now at stake.
Chris Hoyt: This is exactly why I love having people from outside our space come in and offer a different lens. We’ve been dealing with versions of these challenges for decades, but we haven’t had the vocabulary or the framework to think about them at this level. I love it.
Matthew Moynahan: There’s always been a physical security layer — badges, access control — and there was no reason to expect HR to think beyond that. AI is catching every function off guard right now, and HR just happens to be in the front row for this one.
Chris Hoyt: Well, Matt, we ask everyone before we let them go: if you were writing a book on everything we’ve talked about today, what would you call it?
Matthew Moynahan: Something like Verify What’s Real, Act on What’s Not. Or maybe The Trust Strikes Back — I’ve got Star Wars on the brain. I don’t know.
Chris Hoyt: I love both of those. And present company excluded — who gets the first signed copy?
Matthew Moynahan: Probably my son, to proofread before I publish it. He’s a better writer than I am. But thank you both — I really enjoyed this.
Chris Hoyt: We know you’re busy, and we genuinely appreciate you taking the time to share what’s happening in your world with ours. Much gratitude, Matt.
Matthew Moynahan: Thank you.
Chris Hoyt: All right, everybody — cxr.works/podcast. Hundreds of interviews with TA leaders and practitioners, and more coming all the time. If you want to be on the show or know someone we should talk to, that’s the place to let us know. Until next time, we’ll see you later.