The Coworker With Full Access to Your Data May Not Be a Real Person
The Coworker With Full Access to Your Data May Not Be a Real Person
This episode is based on our article:
Read the full article →The Coworker With Full Access to Your Data May Not Be a Real Person
Full Episode Transcript
There might be someone at a company right now with access to the payroll system, the source code, the customer database — and that someone was never a real person to begin with. Not a hacker who stole a login. An entire employee. Fabricated from nothing. Complete with a resume, a face, and a work history that passed every check on the way in.
If you've ever filled out onboarding paperwork for
If you've ever filled out onboarding paperwork for a job, this is about the exact process that let you in. And it's the same process a fake person can walk through. A new paper covered by Homeland Security Today looked at how companies verify who they're hiring — and found a gap wide enough to drive a synthetic identity through. If that unsettles you, good. That feeling is the start of understanding it. So how does a company end up trusting someone who doesn't exist?
Start with something surprising about who gets the toughest identity checks. According to that Homeland Security Today report, the people with government clearances get vetted hard — deep background checks, ongoing review. But the folks in IT, finance, and administration? Often they don't. And those are exactly the roles that touch sensitive systems every single day. So the person who can export your whole customer list may have faced a weaker identity check than someone with no access at all. That's the backwards part.
Now, why is that suddenly so dangerous? Because A.I. got good at manufacturing people. Not just stolen passwords — full identities. A face, a name, a social security number, a profile history that all hang together. The report from Recorded Future found synthetic identity document fraud jumped three hundred percent in just the first quarter of 2025. And deepfake-enabled fraud? Up more than tenfold since the start of 2024. That's not slow drift. That's a specific attack vector going vertical.
Here's the mechanism that makes it slip through. Older fakes worked like holding a doctored photo up to a webcam — the system could sometimes spot the screen. The newer trick is called an injection attack. Instead of showing fake media to the camera, it feeds the fake image straight into the verification pipeline. Those injection attacks spiked seven hundred and eighty-three percent from 2023 to 2024. And the reason they succeed is the hard part to wrap your head around. The system checks whether the face matches the document. And it does match. A synthetic face lines up perfectly with a synthetic ID. The system is internally consistent — everything agrees — while being completely fake. Neither piece is real, but they match each other, so the check passes.
For a security team, that means their front door
For a security team, that means their front door lock is confirming a lie. For the rest of us, it means the coworker on the video call might be an image with no human behind it.
And that's what makes a fake insider scarier than a bad one. A real employee who goes rogue has a trail — old managers, references, an actual life you can investigate. A synthetic insider has none of that. There's no one to fire. No one to prosecute. Nothing to trace when things go wrong.
So why do companies keep treating identity as a one-time gate? Because hiring runs on speed. Fill the role, move on. Re-checking someone's identity every time their access grows feels like red tape, not safety. The mental model says: pass onboarding once, and you're trusted forever.
That model is the whole problem.
The Bottom Line
The report's real insight is that identity isn't a wall you cross once — it's a living thing that has to be re-checked as your access grows. Verifying someone at a border and never looking again lets them cross freely for years. The check takes seconds. The damage takes decades.
So here's the whole thing in three sentences. A.I. can now build a fake person good enough to get hired — with a matching face and matching documents that fool the check. The people in support roles who touch sensitive data often get the weakest verification, and most companies only check once, at the start. The fix isn't checking harder on day one — it's checking again as someone's access grows. Whether you're running a security team or just clicking through your own new-hire paperwork, the question worth asking is simple. When does anyone ever confirm you're still you? The full breakdown's in the show notes if you want the deep dive.
Ready for forensic-grade facial comparison?
Full forensic reports with detailed similarity scoring. Results in seconds.
Run My First SearchMore Episodes
You Only Have One Face. A Court Just Ruled You Get to Control It.
You have exactly one face. No spare. No backup. And if someone copies the pattern of it — the distance between your eyes, the shape of your jaw — you can't reset it like a password. A court just said
PodcastYour Face Just Approved 611 Million Payments — And Fraudsters Are Practicing
Last month, six hundred and eleven million payments in India got approved by someone's face or fingerprint. No PIN. No password. Just a glance or a touch. And here's the part that should make you sit
PodcastThat "Insurance Rep" on Video Might Be a Deepfake — and Your Medical File Is the Prize
Only about a third of people can spot a deepfake — even after someone warns them one's coming. When nobody warns them at all, most still get fooled. Those aren't numbers from some distant lab. Researc
