This Is What Candidate Fraud Looks Like From the Inside

Most of what gets written about candidate fraud focuses on the employer's experience: the fraudulent hire who showed up on a video call and looked nothing like the person who interviewed, the background check that passed a stolen identity, the breach that traced back to someone who was never who they claimed to be.
What gets covered less is how these operations actually get built. Last week, a member of Proof's team received an email that answers that question directly.
Key takeaways
- Fraud operations actively recruit US-based frontmen through LinkedIn and GitHub, targeting developers with real, verifiable profiles and professional credibility.
- The arrangement is purpose-built to clear standard hiring checkpoints: the identity is real, the background check passes, and the person in the interview matches the identity on file.
- The email explicitly flags "legal considerations" — participants know exactly what they're agreeing to.
- The offshore team that handles assessments, does the actual work, and ultimately gets system access is never visible to the employer.
- Background checks and reference calls cannot catch this. A continuous identity thread that re-verifies across stages can.
The proposal for fraud
Hi [Proof team member],
How are you? I came across your profile through GitHub/LinkedIn and wanted to reach out regarding a potential long-term collaboration opportunity that could be mutually beneficial.
I am [scammer] from Singapore, and I have a small remote development team with strong experience in modern web and mobile technologies. Collectively, our team has over 10 years of experience working with international clients across full-stack development, mobile applications, AI integrations, cloud infrastructure, and project delivery.
Our team handles the complete development lifecycle, including: Job searching and proposal submissions, Client communication and technical discussions, Test projects and assessments, Full project development and delivery, Ongoing technical support and maintenance.
Currently, we are looking to expand our network and collaborate with professionals based in United States. From that hoping, I politely propose a collaboration which is beneficial for both sides. Here is the idea:
Please consider if you can represent an IT agency that includes our team, it will get easier for us to get hired for US and European companies. We will do the boring things of making a profile and placing application letters in hiring forms. The thing you will do is to take place in interviews only with a recruiter or CEO. This will enhance the possibility of getting hired because you are a US citizen and have nice English skills.
Once a full-time position or project is secured, our team would handle all the development work behind the scenes. In return, you would receive 50% of the monthly salary or project fee, we divide the money 1:1 rate. Essentially, you can earn a significant income by representing us in front of clients — without needing to do the actual development work.
I understand this kind of collaboration may raise questions initially, and we are happy to openly discuss workflows, responsibilities, legal considerations, communication processes, and any concerns you may have.
Best regards,
[scammer]
This is a formal business proposal for identity fraud, written in the register of a professional partnership inquiry.
What the email is actually proposing
Strip away the language of "mutual trust" and "long-term partnership" and the offer is precise: a remote team will search for jobs, submit applications, complete skills assessments, and handle all the actual work. The US-based recipient shows up for the interview, uses their real identity to satisfy the employer's verification of who they're speaking with, and splits the salary with the people who never appear on any call.
The writer explicitly identifies why the American identity is the valuable commodity: citizenship, English fluency, and the credibility those signals carry with US and European hiring teams. The person sending this email understands exactly where the verification gap is, and they are actively recruiting to fill it.
The email also acknowledges, in a single careful sentence, that this "may raise questions" around legal considerations. It does. Participating in this arrangement means submitting fraudulent employment applications, misrepresenting identity to employers, and potentially violating sanctions law if the remote team operates in a jurisdiction subject to US restrictions. The employer on the receiving end has no idea any of this is happening. The team that will actually have access to their systems, their data, and their networks is invisible.
What this looks like on the employer side
From the hiring team's perspective, everything about this candidate is real. The name is real. The LinkedIn profile is real. The GitHub history is real. The person in the interview is real, presents well, and genuinely has the communication skills the role requires. A background check runs on a real person with a real history. The offer is extended. The job starts.
The access credentials go to a real email address. What happens to them after that is the part the hiring team never finds out until something goes wrong.
This is what the Holland & Knight attorneys who spoke to HR Dive in May 2026 were describing when they noted that organizations which know what to look for tend to find more than one fraudulent actor: these are coordinated operations, not opportunistic individuals. The email Proof's team received was likely sent to hundreds of developers sourced from public GitHub profiles and LinkedIn searches. It is a recruitment pipeline for fraud infrastructure.
The gap this exposes
The arrangement in this email is specifically designed to clear the checks that most hiring teams rely on. A background check on the American identity passes because the identity is real and the history is real. The interview passes because the face in the interview matches the identity on file. The skills assessment passes because the offshore team handles it. Every checkpoint that exists in the standard hiring funnel is addressed.
What it cannot clear is a continuous identity thread that runs from application to Day One. If the identity confirmed at application is re-verified at the interview stage, the person on camera is matched against the same verified record. If the I-9 remote examination is conducted by a trained examiner with full context from every prior stage, a mismatch between the person who took the assessment and the person completing onboarding creates a record that is hard to explain.
The operation in this email is built to exploit gaps between stages. A hiring process designed without those gaps is the one it cannot get through. See how Proof builds that continuous thread.
























































.jpg)








































































.png)

.jpg)







