Start with the threat model
Before you change any process, write down which fraud types are relevant to your company. A solo founder hiring contractors has a different threat model than a public company staffing a SOC 2 environment. Use the four buckets from our detection playbook as a baseline:
- Identity fraud — highest risk for roles with regulated access (finance, healthcare, government contracting).
- Ghost applicants — highest volume risk for any remote-friendly role.
- Proxy interviewees — highest risk for technical roles with offshore labor arbitrage.
- State-sponsored placements — highest risk for infrastructure, crypto, defense-adjacent, and any role with production data access.
You're not defending against all four equally. Rank them, and spend protection effort in that order.
Policy layer: what's mandatory, what's optional
Policy decides what data you require, what you're willing to accept, and what blocks an offer. Three policies do the heavy lifting:
Required fields on every application
Name, phone, email, and work authorization status. No exceptions, no "we'll follow up later." The moment you allow exceptions, fraudsters find the exception path.
Verification-before-interview
No calendar invite without a verification pass on the candidate's contact info. This is the single highest-leverage policy change; it slashes recruiter time wasted on fabricated applicants, and it forces fraudsters to either invest in better infrastructure or move on.
ID verification before offer
A government-issued ID, verified against the candidate's face (live video, not a stored photo). Do it once, document that it was done, and move on. It blocks proxy interviewee fraud only if the verified face is also matched against the person who actually sat the interviews (the interviewer's recollection or the interview recording); on its own it confirms that the offeree is who they claim to be, not that they are the person you interviewed.
Tooling layer: where to automate
Tools exist to absorb the repetitive parts of the policy. Build the policy first; the tool is a labor-saving device, not a substitute for the policy.
Intake verification
A browser-toolbar tool like Verif_Hire runs the intake-stage checks in a single click from your ATS or résumé view. It handles email-domain, contact-information, and cross-source identity checks without asking the candidate to do anything extra, which keeps the candidate experience clean.
Video ID verification
Standalone services (Persona, Onfido, and similar) handle the offer-stage check. They're comparatively expensive per verification, which is why you gate them at offer and not at intake.
ATS integration
The ideal is for the intake verification to sit inside your ATS, with verdicts written back to the candidate record. If your ATS doesn't support that yet, a browser extension is the next best thing — the recruiter sees the same verdict without a context switch.
Process layer: funnel controls that hold
Policy and tooling fail if process doesn't enforce them. Four process controls matter most:
The two-person rule for flagged candidates
A flagged candidate should never proceed on the decision of a single recruiter. Require a second set of eyes — senior recruiter, hiring manager, or security partner, depending on the role — to review before advancing.
The "late-stage surprise" control
If a candidate's contact info changes between intake and offer (new phone, new email, new shipping address), re-run verification. Fraudsters often switch infrastructure mid-funnel to avoid cumulative signal.
Audit trail
Every verification check, every flag, and every override should be logged. You need this for two reasons: to defend a hire if an incident surfaces later, and to learn which of your checks are actually catching fraud vs. generating noise.
Regular sampling
Once a quarter, pick ten hires who passed all checks cleanly and re-run the checks. You're looking for drift in your signal stack — high-risk domain lists get stale, vendors rotate signals, cross-source identity services occasionally break. Sampling catches it.
Rollout: what to change this quarter
If you're starting from nothing, adopt in this order over roughly one quarter:
- Week 1–2: Require name, phone, email, and work authorization status on every application. Build the required-fields policy. No tooling yet.
- Week 3–4: Install a verification tool on every recruiter's browser. Train the team on the three-check intake process (email domain, contact information, cross-source identity).
- Week 5–6: Adopt verification-before-interview as a hard rule. Handle the first few false positives with the two-person rule so the team sees what a real flag looks like.
- Week 7–8: Add ID verification at offer stage. Pick a vendor, run a pilot on 20 offers, adjust the workflow.
- Week 9–12: Instrument. Add the sampling audit. Publish a one-page internal summary of what the stack is catching.
A team of three to five recruiters can run this rollout without dedicated resourcing, as long as leadership signs off on the required-fields policy.
Measuring whether it's working
Three metrics, reviewed monthly, are enough:
- Flag rate at intake: what percentage of applications trip a yellow or red flag. Expect 5–15% depending on the role and channel. If it's near zero, your checks aren't running. If it's above 25%, you have a channel-quality problem, not a fraud problem.
- Flag-to-reject rate: of flagged candidates, how many get declined after second review. This tells you whether your signal stack is predictive. 50–70% is healthy; below 30% means the stack is noisy.
- Post-hire incident rate: how many hires, per quarter, turn out to be fraud or quality-of-hire failures traceable to fraud. This is your ground-truth metric and the one that justifies the whole program.
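The audit trail in the process layer and the three metrics above are the same data looked at twice: if every check, flag, advance and override is written as a row, the late-stage surprise control, the two-person rule check and the monthly numbers are all queries over that log. The following is an added example, not code from the original page or from any vendor it mentions; the event schema, the candidate IDs and the sample rows are constructed for illustration, and a real ATS export would need mapping onto it.

```python
from dataclasses import dataclass
from typing import Optional

FLAG_VERDICTS = {"yellow", "red"}
INTAKE_CHECKS = {"email_domain", "contact_info", "cross_source"}
CONTACT_FIELDS = ("phone", "email", "address")


@dataclass(frozen=True)
class Event:
    """One append-only audit-trail row. Field names are assumed for this example."""
    candidate_id: str
    stage: str                    # "intake", "interview" or "offer"
    check: str                    # intake check name, "contact_snapshot", "advance" or "second_review"
    verdict: str                  # checks: green/yellow/red; advance/second_review: "advance" or "decline"
    actor: str                    # tool or person that wrote the row
    phone: Optional[str] = None   # contact fields are only set on contact_snapshot rows
    email: Optional[str] = None
    address: Optional[str] = None


# Constructed sample log: four applicants, rows in the order they were written.
LOG = [
    # c1: clean intake, identical contact details at offer.
    Event("c1", "intake", "contact_snapshot", "n/a", "tool", "+1-555-0100", "ana@corp.example", "1 Main St"),
    Event("c1", "intake", "email_domain", "green", "tool"),
    Event("c1", "intake", "contact_info", "green", "tool"),
    Event("c1", "intake", "cross_source", "green", "tool"),
    Event("c1", "intake", "advance", "advance", "recruiter.a"),
    Event("c1", "offer", "contact_snapshot", "n/a", "tool", "+1-555-0100", "ana@corp.example", "1 Main St"),
    # c2: yellow on email domain, a second reviewer declines.
    Event("c2", "intake", "contact_snapshot", "n/a", "tool", "+1-555-0101", "b@freemail.example", "2 Oak Ave"),
    Event("c2", "intake", "email_domain", "yellow", "tool"),
    Event("c2", "intake", "contact_info", "green", "tool"),
    Event("c2", "intake", "cross_source", "green", "tool"),
    Event("c2", "intake", "second_review", "decline", "hiring.mgr"),
    # c3: red on contact info, advanced by a single recruiter, new phone number at offer.
    Event("c3", "intake", "contact_snapshot", "n/a", "tool", "+1-555-0102", "c@corp.example", "3 Pine Rd"),
    Event("c3", "intake", "email_domain", "green", "tool"),
    Event("c3", "intake", "contact_info", "red", "tool"),
    Event("c3", "intake", "cross_source", "green", "tool"),
    Event("c3", "intake", "advance", "advance", "recruiter.b"),
    Event("c3", "offer", "contact_snapshot", "n/a", "tool", "+1-555-0999", "c@corp.example", "3 Pine Rd"),
    # c4: clean intake, still in the funnel.
    Event("c4", "intake", "contact_snapshot", "n/a", "tool", "+1-555-0103", "d@corp.example", "4 Elm St"),
    Event("c4", "intake", "email_domain", "green", "tool"),
    Event("c4", "intake", "contact_info", "green", "tool"),
    Event("c4", "intake", "cross_source", "green", "tool"),
]


def flagged_candidates(log):
    """Candidates that tripped a yellow or red verdict on any intake check."""
    return {e.candidate_id for e in log
            if e.stage == "intake" and e.check in INTAKE_CHECKS and e.verdict in FLAG_VERDICTS}


def changed_contact_fields(log, candidate_id):
    """Late-stage surprise control: contact fields whose latest post-intake snapshot
    differs from the intake snapshot. A non-empty result means re-run verification."""
    snaps = [e for e in log if e.candidate_id == candidate_id and e.check == "contact_snapshot"]
    intake = [e for e in snaps if e.stage == "intake"]
    later = [e for e in snaps if e.stage != "intake"]
    if not intake or not later:
        return []
    first, latest = intake[0], later[-1]
    return [f for f in CONTACT_FIELDS if getattr(first, f) != getattr(latest, f)]


def two_person_rule_violations(log):
    """Flagged candidates advanced without a second_review row from a different actor."""
    violations = set()
    for cid in flagged_candidates(log):
        advances = [e for e in log if e.candidate_id == cid and e.check == "advance"]
        reviews = [e for e in log if e.candidate_id == cid and e.check == "second_review"]
        for adv in advances:
            if not any(r.actor != adv.actor for r in reviews):
                violations.add(cid)
    return violations


def flag_rate(log):
    """Share of intake applicants that tripped a yellow or red flag."""
    applicants = {e.candidate_id for e in log if e.stage == "intake"}
    return len(flagged_candidates(log)) / len(applicants) if applicants else 0.0


def flag_to_reject_rate(log):
    """Of flagged candidates, the share declined at second review."""
    flagged = flagged_candidates(log)
    declined = {e.candidate_id for e in log
                if e.check == "second_review" and e.verdict == "decline" and e.candidate_id in flagged}
    return len(declined) / len(flagged) if flagged else 0.0


if __name__ == "__main__":
    print("flag rate:", flag_rate(LOG))                              # 0.5
    print("flag-to-reject rate:", flag_to_reject_rate(LOG))          # 0.5
    print("two-person rule violations:", two_person_rule_violations(LOG))  # {'c3'}
    for cid in ("c1", "c3"):
        print(cid, "fields to re-verify:", changed_contact_fields(LOG, cid))
```

The sample is four applicants, so its 50% flag rate says nothing about the 5–15% band; the bands apply to real monthly volumes. The design point is that the log is append-only and every override is a row with an actor, which is what lets the two-person check be computed after the fact rather than enforced only by the recruiter remembering to ask.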
FAQ
Does this framework work for contractor hiring too?
Yes, with one adjustment: contractors often have a thinner verification surface (no corporate email, less LinkedIn presence). Weight the contact-information and cross-source identity checks more heavily for contractors, and verify ID before any access is granted, not just before the first payment goes out.
How do I sell this to leadership?
Pick one recent incident — one fraudulent hire, one near-miss, or one public story in your industry — and walk leadership through what the framework would have done at each stage. This is typically more persuasive than a generic risk narrative.
Will candidates push back?
A small number will, usually on the ID verification step. Frame it the way security-sensitive employers frame it: "We verify everyone's identity before offer, one time, and never again." The friction cost to real candidates is under five minutes. The protection value is high.