Future of Work
How The Company That Teaches Deception Detection Got Deceived
Collins Akaniru
In July 2024, KnowBe4 published a blog post that became one of the most-read things in the security industry that year. The company, whose entire product line is built around teaching people to recognise social engineering, had just discovered it had hired a North Korean IT operative as a remote software engineer.
The candidate had passed four video interviews. Background checks cleared. References verified. He was onboarded, provisioned with a corporate workstation, and given network access. No alarm went off during any of it.
The fraud was eventually caught, not by any hiring process or verification system, but because the workstation began behaving oddly after provisioning. Anomalous processes. Suspicious file activity. The EDR software flagged it. The InfoSec team investigated. And only then did it become clear: the person they had hired did not exist. The identity was stolen from a U.S. national. The photo had been AI-augmented to match the ID. The entire professional history, every verified data point the hiring process relied on, had been manufactured.
No data was exfiltrated. KnowBe4 moved fast. But that's not the story. The story is what had to happen for the fraud to be caught at all.
This Isn't Really About KnowBe4.
It would be easy to treat this as a cautionary tale about one company, one hiring process, one unusually sophisticated attacker. That framing misses the point entirely.
KnowBe4 is not naive. It employs security professionals. It runs background checks that most companies don't. It conducted four rounds of video interviews. It did everything the industry considers thorough due diligence, and still couldn't tell a fabricated person from a real one. Because the architecture of hiring was never designed to answer that question. It was designed to surface confident presentation. And confident presentation, it turns out, is something you can manufacture.
Four Interviews. Zero Evidence of Real Work.
The KnowBe4 operative passed a process that tested recall, communication, and the ability to perform under questioning. These are not useless signals. But they are signals about a performance, not about a body of work. The distinction matters enormously.
HireRight's 2025 Global Benchmark Report (drawn from over 1,000 HR and talent acquisition professionals worldwide) found that more than three-quarters of employers discovered candidate discrepancies in the past 12 months. The most common area: employment verification. The very thing that CVs claim to document. Nearly two in five employers found at least one discrepancy for every 20 candidates screened. And despite this, 40% of companies still do not conduct identity checks as part of pre-employment screening.
Resume fraud is estimated to cost U.S. businesses $600 billion annually in bad hires, lost productivity, and the cascading costs of rehiring. A January 2025 survey found that 44% of candidates admitted to lying during the hiring process. 85% of hiring managers said they catch these lies, but the critical qualifier is when. They catch them after the hire. After access is granted. After onboarding is complete. After the damage is already possible.
Two Signals. Only One of Them Real.
The interview process produces two kinds of signals: how someone presents, and what someone has built. For most of hiring history, these were assumed to correlate. A person who articulates their experience well probably has that experience. A person who passes a technical screen can probably do the work.
The AI tools now available to anyone with an internet connection have systematically broken this correlation. Generative AI writes hyper-tailored CVs. Deepfake video tools allow a person sitting in Pyongyang to conduct a video interview that looks and sounds like a professional in New York. The Pragmatic Engineer documented a case in March 2025 where a candidate, allegedly from Poland, performed exceptionally in technical screening, then could not speak a single word of Polish on a follow-up call. The team almost made an offer.
Gartner projects that by 2028, one in four candidate profiles globally will be fake. The arms race is already underway. And the defenders are losing it on current terms.
The Counterargument Is Already Being Tried. It's Not Working.
The industry's response to deepfake candidates has been predictable: more interviews, more in-person requirements, and deepfake detection software. Google and McKinsey reintroduced mandatory in-person interviews for sensitive roles in 2025. InCruiter launched deepfake detection technology and found fraudulent activity in 25 to 30% of flagged sessions, nearly double what human interviewers had been catching before the software existed.
These are defensive upgrades in an arms race. They address the symptom (the candidate who performs in a controlled session) without addressing the structural absence of verified evidence from the candidate's actual work history. Deepfake detection catches a better-executed version of the same deception. It does not create a verification layer that extends backward into what a candidate has actually done.
The hard truth is that the problem isn't detection. Detection has always been the wrong frame. The problem is that the system relies on claims, formatted attractively and delivered confidently, as a proxy for capability. When claims become trivially cheap to manufacture, the entire epistemic foundation of hiring collapses.
The Cost Falls on Everyone Except the Architecture That Failed Them.
There are two groups of people harmed by a hiring system that cannot verify what it claims to verify. The first is obvious: employers who make expensive mistakes, onboard security liabilities, or simply hire the wrong person for the job. The second is less visible: the honest candidate who has genuinely done the work, built the skills, and earned the experience, but has no way to prove it beyond their own word.
In a market where 44% of candidates admit to lying, honest candidates are competing against a version of themselves that has been artificially inflated. The market-clearing signal on who gets the interview and who gets the offer rewards confident fabrication at the expense of honest competence. This isn't a minor inefficiency. It's a structural injustice built into the foundation of how capability is communicated.
What Verification Actually Looks Like.
VERYFY's Capability Passport does not attempt to build a better interview. It rebuilds what comes before the interview: the evidence layer. Specifically, it replaces the self-reported CV with a verified record of work experience, not a company name and a job title, but actual artifacts tied to specific deliverables from specific engagements.
The artifacts are not self-uploaded claims. They are tied to manager stamps, which are direct endorsements from the supervisors who assigned and evaluated the work. A hiring manager reviewing a Capability Passport is not reading a person's version of their experience. They are reading a record corroborated by the people who were there.
Peer verifications extend this further. Colleagues who worked alongside a candidate, who saw the quality of the work in real time, not just the polished retrospective version, contribute attestations that form part of the permanent record. The result is a candidate profile that cannot be manufactured from scratch, because it is anchored to real relationships with real people at real organisations. A North Korean operative cannot fake a manager stamp from a manager who verifies their identity. A deepfake cannot generate authentic peer verifications from colleagues who know what the work actually looked like.
Back to That Blog Post.
KnowBe4's CEO, Stu Sjouwerman, ended the company's public disclosure with a call to action: enhance hiring processes, validate identities more thoroughly, and train hiring staff to spot red flags. All reasonable. All necessary. All are operating at the symptom level.
The operative got through because the hiring system was designed to answer a specific question, "Does this person present credibly?", rather than the question that actually matters: "Can this person demonstrate verified evidence of the work they claim to have done?"
When the world's leading security awareness training company cannot distinguish a real candidate from a fabricated one using every conventional tool available, the lesson is not that we need better tools within the same architecture. The lesson is that the architecture is wrong.
Proof is not a feature of hiring. It should be the infrastructure. Stop claiming. Start proving.
