Preventing employee onboarding fraud with identity verification
Nation-state actors are targeting the recruitment process, which is pushing CISOs and HR leaders toward identity verification to stop fraudulent hires before they reach the network. Once security and HR team up to secure onboarding, a placement question follows: where in the hiring funnel does verification actually belong?
Deploy it too early, and you risk a disjointed experience that deters legitimate candidates. Deploy it too late, and a sophisticated attacker already has credentials and access to your network.
This article walks through that placement question phase by phase, using 1Kosmos's deployment experience and verbatim insights from the February 2026 Gartner® CISO Edge report: Employee Onboarding Is Now Part of the Attack Surface.
The recruitment process, in five phases
The report defines the recruitment process as follows:
“Phases of Recruitment Process: Attract (Pre-candidate), Engage (Candidate), Assess (Applicant), Select (Target), Hire (Employee)”
Each stage represents a different level of candidate commitment and organizational investment. Gartner provides the structure; the question is where identity verification delivers the most value within it.
Attract and Engage: where 1Kosmos sees verification underperform
These are the high-volume top-of-funnel phases, as most enterprise roles attract far more applicants than will ever be interviewed.
Running identity verification here means burning budget on candidates the company will never engage with, adding friction that pushes qualified applicants away, and generating noise that obscures the signal you actually care about.
From the Gartner report:
"CISOs should resist becoming involved in earlier phases such as Attract, where candidates are submitting resumes/CVs which could contain false information or be AI-written. Detecting AI-generated content is inconsistent and not exclusive to bad actors."
Assess: where contextual signals start to matter
The Assess phase brings the first direct interactions with candidates. Video interviews happen. Technical assessments are conducted. The candidate pool has narrowed enough that lightweight, indirect risk signals start producing useful data without adding meaningful friction. This is the right moment to layer in passive checks that surface anomalies without slowing the candidate down.
From the Gartner report:
"Device signals: Vendors offer capabilities so that during video interviews on platforms such as Microsoft Teams or Cisco Webex, candidates must click on a prompt which appears on their screen. By doing so, the vendor captures information about the candidate's IP address (and derived geolocation), network connectivity (such as whether a VPN is being used), and device details. Alternatively, links can be sent to clients via SMS or WhatsApp messages to trigger the device interaction and data gathering. HR Admins can then be alerted to signs of potential risk such as location mismatches or use of known risky VPNs."
"Phone signals: Vendors can check for possession of the phone number via interaction with an SMS message during the video call, confirm that the SIM has not been ported, check the tenure of the phone number, and the identity associated with the phone number. This can be correlated with the expected candidate identity."
"Deepfake signals: Attackers have been known to use deepfakes during video interviews as part of their fabricated or stolen identity. Deepfake detection is probabilistic rather than deterministic. Checking for use of deepfakes in a video call or audio calls is another useful signal."
Select and Hire: where 1Kosmos recommends identity verification
This is the part of the process where 1Kosmos sees the strongest case for full automated identity verification.
By Select, the candidate has committed. An offer has been extended or accepted. The organization has invested significant time. Verifying at this point confirms the person accepting the offer is the same person who interviewed, and it keeps fraudulent identities out of the onboarding pipeline entirely.
By Hire, credentials and system access are being provisioned. Verification here is the final checkpoint before an unverified person is inside the perimeter.
From the Gartner report:
"At an absolute minimum, from a cybersecurity perspective, identity verification should be carried out in the Hire phases at the point of bestowing credentials and access, to ensure that the person now receiving credentials to access systems is the correct person. However, it could also be carried out at the point of offer acceptance in the Select phase, and also further upstream during hiring manager interviews in the Assess phase, subject to local regulatory constraints."
1Kosmos's view: Select if you can, Hire at minimum
Based on deployments across financial services, healthcare, and technology customers, 1Kosmos recommends running identity verification at Select when operational capacity allows. Verifying at offer acceptance prevents the downstream cost of revoking credentials and unwinding access after a fraudulent hire is discovered.
When Select-stage verification is not feasible due to compressed timelines or regional regulatory considerations, Hire is the workable fallback. The verification still happens before system access is granted, which is the security-critical moment.
This is 1Kosmos's product-based recommendation.
Two protective layers: deterrence and detection
The strongest programs 1Kosmos sees in the field use both layers together. Deterrence reduces the volume of bad actors who attempt to enter the pipeline. Detection catches the determined ones who proceed regardless. Either layer alone leaves a gap. Deterrence without detection misses sophisticated actors who absorb the signaling. Detection without deterrence wastes resources on attackers who could have been turned away earlier.
On deterrence, from the Gartner report:
"To protect their investment and maximize the impact of cybersecurity technology, CISOs should encourage their HR counterparts to deter attackers through clear communication to candidates across all phases of the recruitment process."
"The goal here is to have attackers self-select out, go elsewhere, and not waste their time in applying for a role with you."
On detection, from the Gartner report:
"Deploy detection and prevention capabilities, such as automated identity verification and assessment of contextual risk signals, at different stages in the recruitment process such as at the interview or offer stage."
Correlating signals across vendors
In practice, organizations end up with multiple vendors across separate platforms. Video interviews happen in one system. Identity verification happens in another. Background checks happen in a third. Each vendor produces its own output, and those outputs do not correlate to each other automatically.
This matters because sophisticated fraud is often only visible across signals. A candidate's IP geolocation in the first interview might differ from their stated address. Their phone number might show signs of SIM porting. Their document upload might flag a subtle anomaly. Any one of those signals in isolation looks like noise. Together they form a pattern. The organizations that catch state-backed actors are the ones that can see all three signals at once.
From the Gartner report:
"The key challenge that CISOs will need to address is how these signals, both indirect and direct, are correlated across the recruitment process."
And on the path forward:
"CISOs and CHROs may need to invest in building custom tools to manage this or possibly rely on monitoring within the SOC."
Organizations that deploy identity verification without addressing correlation will catch the obvious fraud cases and miss the sophisticated ones that span touchpoints.
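The correlation problem described above, sketched as an added example (not code from 1Kosmos, Gartner, or any vendor): three feeds keyed by different identifiers are joined on the ATS candidate record, and a candidate is escalated only when independent sources agree. All feed layouts, field names, sample records and the two-source threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data; the feeds and their field names are hypothetical.
CANDIDATES = {  # ATS record holding the join key each vendor uses
    "C-1001": {"email": "a.lee@example.com", "phone": "+15550100", "stated_country": "US"},
    "C-1002": {"email": "r.diaz@example.com", "phone": "+15550101", "stated_country": "US"},
}
INTERVIEW_EVENTS = [  # device signals from the video platform, keyed by email
    {"email": "a.lee@example.com", "ip_country": "US", "vpn": False},
    {"email": "r.diaz@example.com", "ip_country": "RO", "vpn": True},
]
PHONE_EVENTS = [  # phone signals, keyed by phone number
    {"phone": "+15550100", "sim_ported_recently": True},
    {"phone": "+15550101", "sim_ported_recently": True},
]
DOCUMENT_EVENTS = [  # identity verification output, keyed by ATS candidate id
    {"candidate_id": "C-1001", "anomaly": False},
    {"candidate_id": "C-1002", "anomaly": True},
]

def correlate(candidates, interview, phone, documents, escalate_at=2):
    """Join per-vendor outputs on the candidate and count flagging sources."""
    by_email = {c["email"]: cid for cid, c in candidates.items()}
    by_phone = {c["phone"]: cid for cid, c in candidates.items()}
    flags = defaultdict(set)  # candidate id -> {(source, reason), ...}
    for e in interview:
        cid = by_email.get(e["email"])
        if cid is None:
            continue  # event for someone not in the ATS; cannot be correlated
        if e["ip_country"] != candidates[cid]["stated_country"]:
            flags[cid].add(("device", "location_mismatch"))
        if e["vpn"]:
            flags[cid].add(("device", "vpn"))
    for e in phone:
        cid = by_phone.get(e["phone"])
        if cid is not None and e["sim_ported_recently"]:
            flags[cid].add(("phone", "sim_ported"))
    for e in documents:
        if e["candidate_id"] in candidates and e["anomaly"]:
            flags[e["candidate_id"]].add(("document", "anomaly"))
    report = {}
    for cid in candidates:
        sources = {src for src, _ in flags[cid]}  # count sources, not raw flags
        report[cid] = {"flags": sorted(flags[cid]), "sources": sorted(sources),
                       "escalate": len(sources) >= escalate_at}
    return report

if __name__ == "__main__":
    for cid, row in correlate(CANDIDATES, INTERVIEW_EVENTS, PHONE_EVENTS, DOCUMENT_EVENTS).items():
        print(cid, row)
```

Counting distinct sources rather than raw flags keeps one noisy vendor from escalating a candidate on its own, which is why the ported SIM on C-1001 stays below the threshold.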
Download the Gartner CISO Edge report for the complete framework on mitigating risk in the recruitment process, including detailed insights on deterrence communications, detection capabilities, and signal correlation across platforms.
Sources
Gartner. CISO Edge: Employee Onboarding Is Now Part of the Attack Surface. Akif Khan, Emi Chiba. (2026, February 2).
Gartner is a trademark of Gartner, Inc. and/or its affiliates. Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.
FAQs
When is the best time to verify a candidate's identity during hiring?
Identity verification delivers the most value at the Select stage, when an offer has been accepted, or at the Hire stage, when credentials are being provisioned. Earlier placement creates unnecessary friction across a candidate pool that has not been narrowed yet. Later placement leaves a window where an unverified person could already be inside the network.
Why are traditional background checks no longer enough?
Traditional background checks were built to catch resume inflation and surface criminal history. They were not built to catch state-backed actors using stolen identities and AI-generated documents. A clean criminal record search on a real stolen identity returns clean results. Biometric verification against a government-issued ID is what closes that gap.
What capabilities define a strong identity verification solution?
A strong solution integrates into existing HR workflows at offer or onboarding, combines document authentication with biometric liveness detection, and produces results that can be correlated with signals from other vendors in the recruitment stack without requiring manual reconciliation.
About the author

Huzefa Olia
Co-Founder & Chief Operating Officer
Huzefa is the COO and a co-founder of 1Kosmos with 18+ years in identity and access management and cybersecurity, focused on scaling operations, go-to-market strategy, and enterprise partnerships across global markets.




