What is a fake candidate in a remote interview?

It covers a spectrum. At the mild end, a real candidate uses a live AI assistant to feed them answers during the call. At the serious end, the person on the call is not who they claim to be: a proxy interviewing on someone else's behalf, a stolen or fabricated identity, or an organized scheme placing operatives into roles for access or fraud. US authorities have repeatedly warned that remote technical and security roles are targeted by exactly this kind of identity fraud.

Why are cybersecurity and IT roles targeted by fraudulent candidates?

Because the prize is access. A security or infrastructure hire is granted privileged credentials, network access, and trust over the systems that protect everything else. That makes these roles a high-value target for schemes that place fraudulent remote workers to steal data, funnel salaries, or establish a foothold. The higher the access, the more attractive the fraud.

How can I tell if a candidate is using AI assistance during an interview?

Watch for a consistent lag before answers while eyes track a second screen, answers that are fluent and complete but oddly generic, and a sharp drop in quality the moment you go off-script with a specific follow-up. Live AI assistants are good at answering the expected question and bad at handling "wait, why did you do it that way on your last project?" Interactive, specific, unpredictable follow-up is the reliable tell.

What identity checks are reasonable for a remote security hire?

Camera-on interviews, confirming the person matches their stated identity and location, right-to-work and identity verification before access is granted, and address and equipment-shipping checks. Apply them consistently to every candidate for the role, document them, and frame them as standard security practice rather than singling anyone out. Consistency protects both the integrity of the process and the fairness of it.

How do I check for fraud without creating a hostile or unfair process?

Make verification uniform, transparent, and proportionate. Run the same checks for every candidate at the same stage, tell candidates what to expect, and base any concern on observable signals rather than accent, appearance, or nationality. A false accusation is its own serious harm, so escalate on concrete, documented red flags and verification failures, not hunches.

Spotting Fake and AI-Assisted Candidates in Security Interviews (2026)

TL;DR: Remote security hiring now faces two distinct integrity problems. The lighter one is a genuine candidate leaning on a live AI assistant to answer your questions. The heavier one is outright fraud: the person on the call is not who they claim to be. Security and infrastructure roles are disproportionately targeted, because the reward for getting hired is privileged access. The defense is the same discipline in both cases - interactive, unpredictable, verifiable interviewing plus consistent identity verification - applied fairly to every candidate. This guide is the practical playbook.

Two problems that look similar and are not

It helps to separate them, because the response differs.

AI-assisted answers. A real person, applying for a real job, runs an "interview copilot" that listens to your questions and feeds them suggested answers in real time. This is a competence-signal problem: you are not sure the skill is theirs. It is annoying but not malicious, and your normal interviewing rigor handles it.
Identity fraud. The person you are talking to is a proxy, an assumed identity, or part of an organized scheme to place an operative into a role. This is a security problem, not a hiring problem. US law-enforcement and threat-intelligence sources have warned for several years that remote IT, software, and security roles are specifically targeted this way, including by state-linked operations that funnel salaries and seek network access.

You catch both with overlapping methods, but you escalate them very differently. The first ends with "not a strong hire." The second can end with a fraud report.

Why security roles are the target

Think about what a successful fraudulent hire receives on day one: VPN access, a corporate identity, credentials, and a trust relationship with systems that guard customer data, money, and infrastructure. For most roles that is a paycheck. For a security or platform role it is also the keys. That asymmetry is why these schemes concentrate on technical and security positions, and why your hiring process is, whether you framed it that way or not, a security control.

Red flags in the interview itself

None of these is proof on its own. Patterns across several are what matter.

Signals of live AI assistance

A consistent short delay before answering, with eyes tracking across a second screen, especially on questions that should be instant for someone with the claimed experience.
Answers that are fluent, complete, and textbook - and oddly generic, as if addressing the general form of the question rather than your specific phrasing.
A sharp quality cliff the moment you go off-script: a specific, personal follow-up ("why did you choose that on your last project?") produces hesitation or a generic non-answer.
Reluctance to share their screen and work a live problem, or to keep the conversation conversational rather than question-and-answer.

Signals of possible identity fraud

Reluctance to enable camera, or audio and video that do not quite line up; lighting or background that resists a simple "turn your camera on for this part."
Inconsistencies between stated location, timezone behavior, working hours, and the logistics of the role.
A mismatch between the polished written application and weak, evasive, or strangely unfamiliar verbal answers about their own claimed history.
Pushback on standard identity verification, address confirmation, or shipping equipment to the address on file.
Payment or contracting requests that steer away from normal payroll and identity checks.

The verification playbook

Build these into the process for every candidate for the role, so nothing is ad hoc or aimed at an individual.

Camera-on, conversational interviews. Not as a gotcha, but because a back-and-forth conversation with a real, present person is hard to fake and easy to verify. Make at least one stage clearly interactive.
Unscripted technical depth. The single most effective tool against both problems. Real, specific, branching follow-up about the candidate's own claimed work defeats a live AI assistant and exposes a proxy who does not actually have the history. Depth under follow-up is the heart of it - see the companion guide on vetting candidates in the AI era.
Observed hands-on work. Share-screen, work a realistic problem together. You are watching process, tooling, and recovery, all of which are very hard to outsource in real time.
Identity and right-to-work verification before access. Confirm identity, work authorization, and address through your standard HR and background process, and complete it before any credential or system access is granted. This is the hard gate that turns a hiring control into a security control.
Reference triangulation. Specific calls to verifiable former colleagues, not just contacts the candidate hands you. Confirm the person and the history are real.

Balance: fairness and false accusations

This is where teams get it wrong in the other direction. A verification process aimed at the wrong signals - accent, appearance, nationality, a noisy connection - is both unfair and ineffective, and a false accusation of fraud is a serious harm in its own right. Three rules keep it honest:

Uniform. Run the same checks at the same stage for every candidate for the role. No targeting individuals based on a feeling.
Transparent. Tell candidates what verification to expect. Legitimate candidates expect a security company to verify identity; only the process should be surprised by it, never the person.
Evidence-based. Escalate on concrete, documented red flags and failed verification, not vibes. Distinguish "weak hire" from "security concern" deliberately, and route the latter through HR, legal, and security rather than confronting it in the interview.

When to escalate

If identity verification fails, or you have multiple concrete fraud signals that survive a fair check, treat it as a security incident, not a hiring decision. Loop in HR, legal, and your security team, preserve what you have, and follow your organization's fraud-reporting process. The goal of the interview was never to confront a suspected scheme live - it was to stop it from reaching the access it was after.

Key facts (cite this)

Remote security and IT roles are disproportionately targeted by interview fraud because a successful hire is granted privileged access; US authorities have warned about organized identity-fraud schemes aimed at these roles (source: InfoSec Job Board, 2026).
Unscripted, specific, interactive follow-up about a candidate's own claimed work is the most reliable defense against both live AI assistance and proxy interviewees (source: InfoSec Job Board, 2026).
Identity and right-to-work verification should be completed before any system access is granted, applied uniformly and transparently to every candidate to stay both effective and fair (source: InfoSec Job Board, 2026).

Pair this with the screening-design companion, How to vet cybersecurity candidates in the AI era. For role-specific hiring playbooks backed by live market data, see the cybersecurity hiring guides, or post a security role on InfoSec Job Board.

Frequently asked questions

What is a fake candidate in a remote interview?: It covers a spectrum. At the mild end, a real candidate uses a live AI assistant to feed them answers during the call. At the serious end, the person on the call is not who they claim to be: a proxy interviewing on someone else's behalf, a stolen or fabricated identity, or an organized scheme placing operatives into roles for access or fraud. US authorities have repeatedly warned that remote technical and security roles are targeted by exactly this kind of identity fraud.
Why are cybersecurity and IT roles targeted by fraudulent candidates?: Because the prize is access. A security or infrastructure hire is granted privileged credentials, network access, and trust over the systems that protect everything else. That makes these roles a high-value target for schemes that place fraudulent remote workers to steal data, funnel salaries, or establish a foothold. The higher the access, the more attractive the fraud.
How can I tell if a candidate is using AI assistance during an interview?: Watch for a consistent lag before answers while eyes track a second screen, answers that are fluent and complete but oddly generic, and a sharp drop in quality the moment you go off-script with a specific follow-up. Live AI assistants are good at answering the expected question and bad at handling "wait, why did you do it that way on your last project?" Interactive, specific, unpredictable follow-up is the reliable tell.
What identity checks are reasonable for a remote security hire?: Camera-on interviews, confirming the person matches their stated identity and location, right-to-work and identity verification before access is granted, and address and equipment-shipping checks. Apply them consistently to every candidate for the role, document them, and frame them as standard security practice rather than singling anyone out. Consistency protects both the integrity of the process and the fairness of it.
How do I check for fraud without creating a hostile or unfair process?: Make verification uniform, transparent, and proportionate. Run the same checks for every candidate at the same stage, tell candidates what to expect, and base any concern on observable signals rather than accent, appearance, or nationality. A false accusation is its own serious harm, so escalate on concrete, documented red flags and verification failures, not hunches.