Amazon Warns Pernicious Fake North Korea IT Worker Threat Has Become Widespread
Amazon warns that North Korea's phishing activity carried out by posing as IT workers has gone beyond what many teams realize. After abnormal keystroke input lag exposed an imposter, the cloud service provider was found to have been victimized as well. Amazon requires in-person interviews and recommends reviewing new hires to guard against fake resumes and identity fraud.
2025-12-19 17:38:1 Author: securityboulevard.com


Amazon is warning organizations that a North Korean effort to impersonate IT workers is more extensive than many cybersecurity teams may realize after discovering the cloud service provider was also victimized.

A North Korean imposter was uncovered working as a remote systems administrator in the U.S. after their keystroke input lag raised suspicions. Normally, keystroke input takes less than tens of milliseconds, while the keyboard lag for the fake employee was in excess of 110 milliseconds.

Steve Schmidt, senior vice president and chief security officer at Amazon, said in addition to now requiring in-person interviews for job applicants, organizations should make sure their cybersecurity teams review new hires because human resources departments are not going to uncover fake job applications in the absence of any ability to identify carefully crafted fake identities.

Fake resumes are also becoming more challenging to detect in the age of artificial intelligence (AI). North Korean job applicants are also listing actual companies that have been registered in the U.S. as places they have previously been employed, which are staffed by accomplices that vouch for them when inquiries are made, noted Schmidt. Fake job applicants also appear to be sharing a listing of the same 200 schools as institutions from which they have received a degree, he added.

Additionally, some U.S. individuals have sold identities that North Koreans are assuming, while others are setting up laptop farms in the U.S. to make it appear that fake workers are in the U.S. rather than in North Korea, noted Schmidt.

Even after a new employee is hired, organizations should also carefully monitor anomalous behavior indicative of insider threat activity, said Schmidt. Those signals include everything from keystrokes to emails that contain misuse of native language idioms, he added.
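An added example, not code from the article or from Amazon: one way to flag endpoints whose keystroke latency is consistently high compared with the rest of the fleet, the kind of signal described above. The telemetry format, host names, minimum sample count and robust z-score cut-off are assumptions; the 110 ms threshold is the figure the article reports.

```python
from statistics import median

# Constructed sample telemetry: (endpoint id, keystroke input latency in ms).
SAMPLES = (
    [("laptop-a", ms) for ms in (12, 15, 9, 14, 11, 240)]      # one network spike
    + [("laptop-b", ms) for ms in (18, 22, 17, 20, 19)]
    + [("laptop-c", ms) for ms in (25, 30, 28, 27, 26)]
    + [("laptop-d", ms) for ms in (118, 131, 125, 140, 122, 127)]  # sustained lag
    + [("laptop-e", ms) for ms in (300, 310)]                   # too few samples
    + [("laptop-f", ms) for ms in (8, 10, 9, 11, 10)]
)

ABS_THRESHOLD_MS = 110.0  # lag reported in the article for the flagged worker
MIN_SAMPLES = 5           # assumption: ignore endpoints with too little data


def per_endpoint_median(samples, min_samples=MIN_SAMPLES):
    """Median latency per endpoint; the median ignores isolated spikes."""
    by_host = {}
    for host, ms in samples:
        by_host.setdefault(host, []).append(ms)
    return {h: median(v) for h, v in by_host.items() if len(v) >= min_samples}


def flag_outliers(samples, abs_threshold=ABS_THRESHOLD_MS, z_cut=3.5):
    """Flag endpoints that exceed the absolute threshold AND sit far from the
    fleet baseline (robust z-score from the median absolute deviation)."""
    meds = per_endpoint_median(samples)
    if not meds:
        return {}
    fleet = median(meds.values())
    # Fall back to 1.0 when every endpoint has the same median (MAD of zero).
    mad = median(abs(m - fleet) for m in meds.values()) or 1.0
    flagged = {}
    for host, m in meds.items():
        robust_z = 0.6745 * (m - fleet) / mad
        if m > abs_threshold and robust_z > z_cut:
            flagged[host] = round(m, 1)
    return flagged


if __name__ == "__main__":
    for host, ms in flag_outliers(SAMPLES).items():
        print(f"review {host}: median keystroke latency {ms} ms")
```

A flag here is a prompt for review alongside other signals, since VPNs, satellite links and virtual desktops also add latency.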

It’s not clear how many fake employees are working on behalf of the North Korean government. In addition to gaining access to sensitive data, these fake employees are providing their government with access to additional hard currency that is used to fund, for example, military projects. The one thing that is certain is that many organizations are becoming wary of hiring remote workers unless they can absolutely confirm their identities. In fact, Amazon has now gone so far as to ban online job interviews, noted Schmidt.

Exactly how cybersecurity and HR teams will collaborate to verify the identities of new hires is largely a work in progress, but much of the focus is likely to be on IT staff that often have unfettered access to multiple systems. They also tend to be among the highest paid jobs within an organization, which is naturally going to attract the attention of a government trying to funnel hard currency back to its coffers.

Of course, most cybersecurity teams are already hard-pressed to fulfill their current responsibilities, but given how pernicious an insider threat can be, there is little doubt that reviewing job applicants is going to rapidly move up the priority list.



Source: https://securityboulevard.com/2025/12/amazon-warns-perncious-fake-north-korea-it-worker-threat-has-become-widespread/