A red flag is a prompt to investigate, not a verdict. Real candidates sometimes trip these checks, especially people who are privacy-conscious, who recently moved, or who use unconventional contact infrastructure. The right posture is: one flag means "take a second look"; two independent flags mean "do not advance without review."
Email signals
1. Suspicious or high-risk email domain
Addresses on anonymizer or short-lived webmail providers are overwhelmingly associated with low-effort applications. A candidate using one of these for a mid-career professional role is nearly always fraudulent.
2. Email that has no public footprint
A brand-new address with no search results, no breach appearances (which paradoxically is a mild negative signal — real working professionals have had at least one email address leaked by this point), and no tie to any claimed employer.
3. Email local-part that doesn't match the stated name
"alex.johnson@gmail.com" for a candidate named Alexandra Johnson is fine. "x9z4q22@gmail.com" for the same candidate is a signal worth noting, especially combined with anything else.
Digital presence signals
4. LinkedIn profile created within the last 90 days
A mid-career professional should have a multi-year LinkedIn history. A profile that's a few months old, with a handful of connections and no endorsements from people who actually worked at the listed employers, is either a brand-new persona or a throwaway account stood up for a single job search.
5. Thin public footprint for a senior role
Fifteen-year veterans tend to leave traces — conference talks, GitHub commits, published articles, podcast appearances, even an old personal site. A candidate claiming senior experience with essentially no search results across their name is worth flagging, especially in fields like engineering where public work is common.
6. Cross-platform name inconsistencies
The name on the résumé, the name on LinkedIn, the handle on GitHub, and the local-part of the email address should at least loosely converge. When each source points to a meaningfully different identifier — and no clear reason explains it — you're likely looking at a persona stitched together from mismatched parts.
Identity-match signals
7. Name/email/phone don't converge to one person
When you search the name, the email, and the phone number separately, you should find overlapping hits — one person with traces across multiple sources. Fraudulent candidates show three independent trails with no crossover, because the persona is stitched together from borrowed parts.
8. Reverse-image search of headshot returns other names
Run the candidate's LinkedIn or résumé photo through a reverse image search. If the same face comes back tied to other names on other profiles, you're looking at a stolen or AI-generated headshot reused across personas.
Résumé and profile signals
9. Employment dates don't align with LinkedIn
This is the single highest-yield check. Fraudulent résumés are often written weeks or months before the LinkedIn profile is updated to match, and small discrepancies — a start date off by three months, an overlap that shouldn't exist — are common.
10. Generative-AI résumé fingerprints
Uniformly structured bullets across every role, achievement numbers that round suspiciously (exactly 25%, exactly 40%, exactly 3×), prose that reads like a product description rather than a person. Real résumés are messier.
11. "Stealth mode" company that doesn't resolve
A claimed role at a company that has no web presence, no employees on LinkedIn, no registered business entity. Some legitimate stealth startups have thin footprints; near-total absence is a red flag.
Behavioral signals
12. Application time clustering
Multiple applications to the same role within a short window, from different names but similar templates, is ghost-applicant fraud at volume. Look for identical phrasing in cover letters and identical résumé layouts.
13. Unwillingness to turn on video at any stage
A candidate who insists on audio-only interviews through to offer stage is a strong proxy-interviewee signal. There are legitimate reasons (bandwidth, disability) — but push back politely; real candidates can usually accommodate a 15-minute video call somewhere in the process.
14. Refusal of basic identity verification
When a candidate reaches offer stage and refuses to hold up ID on a video call, or refuses to have their shipping address verified, the probability of fraud is high. This isn't a privacy objection — the same candidate gave you a phone, email, résumé, and references. Fraud is a much more parsimonious explanation than a principled last-minute privacy stance.
FAQ
How do I tell a red flag from a real candidate's quirk?
A single signal almost never indicates fraud. The moment two or three flags land on the same candidate, the combined likelihood of "just a quirk" drops sharply. Bayesian reasoning is the right frame: each flag shifts the probability; you act on the posterior, not any single flag.
Which of these should a recruiter check manually vs. via tool?
Flags 1, 2, 3, 7, and 8 are tooling-friendly — they're fast, rule-based, and the cost of running them is near zero with a verification tool like Verif_Hire. Flags 4, 5, 6, 9, 10, 11 usually require a manual second look. Flags 12–14 emerge naturally during the recruiter screen and later stages.
Can I be sued for rejecting a candidate based on these signals?
You can be sued for anything; what matters is whether the rejection is defensible. Rejecting on unverified contact information is a neutral, process-based decision. Document the flags that fired, don't share them with the candidate, and apply the policy uniformly. See our Compliance Guide for more.