Tag Archives: identity

Deepfake Recruiters and Invisible Recruiters

Why do scammers target anti-fraud experts? Because sometimes we’re dumb too.

But in this case I didn’t fall for the two deepfake recruiters who emailed me yesterday.

However, I have some concerns about the REAL recruiters that the fraudsters were impersonating.

Deepfake recruiter 1, the Senior Vice President

The first fraudster emailed me early Tuesday morning California time:

Hi John,

I hope you’re doing well. My name is Ethan [REDACTED LAST NAME SPELLED WITH AN “E”], Senior Vice President at Aerotek, a national staffing and recruiting firm.

I’m reaching out regarding a confidential, retained search for a Senior Product Marketing Leader with a real, actively operating company in the identity verification and biometrics space. Your background in product marketing, go-to-market strategy, and competitive intelligence across identity technology firms stood out strongly during our shortlist review.

This role is ideal for leaders who drive product launches, shape competitive positioning, and accelerate growth in B2B/B2G SaaS environments.

If this aligns with what you’re exploring, I’d be happy to share the full role brief.

Best regard 
Ethan [REDACTED LAST NAME SPELLED WITH AN “A”]

When a Senior Vice President can’t spell his own last name consistently, that’s a warning flag.

When said Senior Vice President emails me from ethan.aerotek.desk2@gmail.com, that’s another.

Finding the real recruiter

So because I am a Know Your Recruiter practitioner, (Adriana Linda, Kristen the guy, Amanda the guy, Randstad and Indeed people) I looked up Ethan on LinkedIn.

Turns out Ethan is a U.S. based person employed by Aerotek, with the same picture used in the Gmail account (which I guess qualifies this as a “deepfake”), but he is a Recruiter, not a Senior Vice President.

So I messaged the real Ethan on LinkedIn early Tuesday morning, reproducing the email message above and prepending it with:

Ethan, I received this from a Gmail address

Replying to the fake recruiter

Then I responded to the email from the fake Ethan:

Ethan, I have contacted you via LinkedIn. Please provide your Aerotek email address. Your client will understand.

My final comment probably went over the fake Ethan’s head, but any identity verification company would clearly understand why a candidate would insist on an Aerotek address rather than a Gmail address. Except in certain circumstances that I’ll address later.

And of course Aerotek would be very concerned about fraudsters impersonating real Aerotek employees…or so you’d think.

Back to the fake, who responded a few minutes later. Oddly enough, even though Ethan is U.S.-based, this email indicated that my reply was received in a time zone eight hours ahead of the Pacific Time Zone. Anyway, here’s the fake Ethan’s non-surprising response.

Thank you for reaching out. I’ve been experiencing some technical issues with LinkedIn this week, so I appreciate you continuing the conversation here.

This is the usual tactic employed by scammers. Stay off reputable platforms such as LinkedIn and move the conversation to another platform, in this case email. At least fake Ethan didn’t direct me to WhatsApp or Telegram.

As of Wednesday morning I left both conversations there. I didn’t reply to the fake Ethan’s latest email, and the real Ethan didn’t reply to my messsage.

And that’s a problem.

Concerns about the real recruiter

As I mentioned earlier, Aerotek obviously doesn’t want fraudsters impersonating their employees. And Aerotek employees certainly don’t want fraudsters impersonating them and lifting their facial images for fake Gmail accounts.

But the real Ethan apparently hasn’t checked his LinkedIn account in over 24 hours, and is completely unaware that a fraudster is impersonating him.

Causing damage to him and his employer.

If you’re a recruiter (or any professional) and you have a LinkedIn account, check it regularly. You don’t know what you’re missing.

But let’s move on to deepfake 2: technically not a deepfake since the fraudster only appropriated a name and not a likeness, but worrisome all the same.

Deepfake recruiter 2, the independent and invisible recruiter

The second fraudster emailed me late in the afternoon California time.

Hello John,

I hope you’re doing well.

I recently came across your background in B2B/B2G SaaS product marketing, particularly your work across identity, biometrics, and broader technology markets. Your experience driving product launches, developing go-to-market strategy, and building high-impact content and competitive intelligence frameworks really stood out.

I’m currently supporting a respected technology organization operating at the intersection of SaaS, cybersecurity, and identity, and your ability to bridge complex technical solutions with clear market positioning aligns closely with what they’re looking for.

Given your track record of both strategic thinking and execution (“ask, then act” definitely came through), I believe you could be a strong fit for this opportunity.

If you’re open to exploring, I’d be happy to share a brief overview of the role and why I feel it aligns well with your background.

Looking forward to hearing your thoughts.

Again this person emailed me from a Gmail address, consisting of the person’s name with an appended “8.”

Finding the real recruiter

So I checked out this person also, and discovered a few things.

  • This is also a real person, based in Europe. So she supposedly sent this email after midnight her time.
  • The real recruiter DOES have a Gmail address, but without the “8.” Why? Because the person is NOT employed by a huge recruiting firm such as Aerotek, but is a self-employed recruiting specialist. So it’s understandable that the real recruiter has a Gmail address. But as we will see, not advisable.
  • Her company name is her name with the word “Consulting” appended, according to her personal LinkedIn profile.

So I messaged the real recruiter with the message “Possible scam artist” and the email address (with the “8”) that sent the message.

Replying, and not replying, to the fake recruiter

About an hour later (now well after midnight European time), I received a second email from the fake recruiter that didn’t reference my reply to the first one.

Hello John,

I hope you’re doing well.

I recently came across your background in B2B/B2G SaaS product marketing, and your work across identity, biometrics, and go-to-market strategy really stood out—particularly your experience positioning complex technologies like IAM, biometrics, and AI-driven solutions.

Your track record in product launches, competitive intelligence, and building high-impact content at scale aligns closely with what we’re currently prioritizing.

I’m supporting a respected technology organization that is expanding its product marketing leadership team, and based on your experience, you could be a strong fit—especially given your depth across both public sector (B2G) and commercial (B2B) environments.

If you’re open to exploring, I’d be happy to share a brief overview of the role and why I believe it aligns well with your background.

Looking forward to hearing your thoughts.

I didn’t bother to reply to the second email from the fake recruiter, or to notify the real recruiter of the second email.

Eventually I received a reply to my first email early Wednesday morning…oddly enough, indicating that the fake was in the Pacific Time Zone, not Europe. (Note to scammers: change your computer and software settings so that your time zone matches the time zone of the person you’re impersonating.)

Here’s how the reply began:

Thank you for your message here—and I did see your note on LinkedIn as well. Apologies for the slight delay in getting back to you, I was tied up attending to a few things earlier.

Yeah, sure you saw my LinkedIn InMail.

Anyway, forget about the scammer. Let’s look at the real recruiter.

Concerns about the real recruiter

As I mentioned, the real recruiter has a personal LinkedIn profile and a Gmail address.

And that’s it.

  • I couldn’t find a LinkedIn company page for her consulting company.
  • A couldn’t find a website for her consulting company.
  • In fact, the ONLY reference I found to her consulting company was her personal LinkedIn page.

And that’s a problem.

The fact that she has no LinkedIn posts and no LinkedIn recommendations is another.

Now I’ll grant that many consultants get their business from word-of-mouth. Bredemarket certainly does.

But the only publicly-known way to contact THIS consultant is via email or LinkedIn InMail.

And as of now she hasn’t checked her InMail in over 12 hours.

What if she were to lose access to her LinkedIn account?

If you’re an independent recruiting consultant, own your own website, and don’t depend upon someone else’s social platform.

That’s one reason why Bredemarket offers several ways to reach me, most importantly the contact mechanisms available on my own website, free of the control of Microsoft, Meta, or any other company that could yank my access at the drop of a hat.

But there are others.

Bredemarket’s active platforms as of March 29, 2026.

So if you have content or other needs…such as the need to create content to publicize your recruiting consultancy…why don’t you talk to me?

Returning to Lattice Identity

The last time I delved into lattices, it was in connection with the NIST FIPS 204 Module-Lattice-Based Digital Signature Standard. To understand why the standard is lattice-based, I turned to NordVPN:

“A lattice is a hierarchical structure that consists of levels, each representing a set of access rights. The levels are ordered based on the level of access they grant, from more restrictive to more permissive.”

In essence, the lattice structure allows more elaborate access rights.

This article (“Lattice-Based Identity and Access Management for AI Agents”) discusses lattices more. Well, not explicitly; the word “lattice” only appears in the title. But here is the article’s main point:

“We are finally moving away from those clunky, “if-this-then-that” systems. The shift to deep learning means agents can actually reason through a mess instead of just crashing when a customer uses a slang word or a shipping invoice is slightly blurry.”

It then says

“Deep learning changes this because it uses neural networks to understand intent, not just keywords.”

Hmm…intent? Sounds a little somewhat you why…or maybe it’s just me.

But it appears that we sometimes don’t care about the intent of AI agents.

“If you gave a new employee the keys to your entire office and every filing cabinet on day one, you’d be sweating, right? Yet, that is exactly what many companies do with ai agents by just slapping an api key on them and hoping for the best.”

This is not recommended. See my prior post on attribute-based access control, which led me to focus more on non-person entities (non-human identities).

As should we all.

If Your Phone Has IMEI 440015202000…

When I posted (two times) the fact that International Mobile Equipment Identity (IMEI) numbers are NOT a reliable way to ascertain the identity of a user, I was pooh-poohed.

Tell that to the people of Bangladesh.

In that country, the National Equipment Identity Register (NEIR) went live on January 1, and it uncovered some surprising findings.

Turns out that tens of millions of phones in Bangladesh share their IMEIs with other phones. A single example:

“According to data generated after NEIR went live on January 1, a single IMEI, 440015202000, was found to be linked to 1,949,088 devices nationwide.”

So will you now admit that an IMEI is not a reliable way to identify an individual phone?

Two Footballs, Two Biscuits, Two Presidents: A Cybersecurity Nightmare.

Last year I wrote about a biscuit and a football, but I wasn’t talking about the snack spread on game day.

Google Gemini.

I was talking about the tools the United States President uses (as Commander-in-Chief) for identity verification to launch a nuclear attack.

But sometimes you have to pass the football. If the President is temporarily or permanently incapacitated in an attack, the Vice President also has a football and a biscuit. Normally the Vice President’s biscuit isn’t activated, but when certain Constitutional criteria are met it becomes operative.

Other than this built-in redundancy, the system assumes one football, one biscuit, and one President.

If you’re a cybersecurity expert, you know this assumption is the assumption of a fool.

  • It is not impossible to have duplicate functional footballs and duplicate functional biscuits.
  • And it is not impossible to have duplicate functional Presidents, with identical face, voice, finger, and iris biometrics. Yes, it’s highly unlikely, but it’s not impossible. If the target is important enough, adversaries will spend the money.
Grok.

And most of us will never know the answer to this question, but how do government cybersecurity experts prevent this?

Today’s Acronym is PADFAA. And It Has Nothing To Do With Liveness Detection or Airplanes.

TAA.

Too many acronyms.

And this one, PADFAA, sounds like a mashup of presentation attack detection and the Federal Aviation Administration.

It isn’t.

PADFAA stands for the “Protecting Americans’ Data from Foreign Adversaries Act of 2024.”

So while it doesn’t involve PAD or the FAA, it does involve PII (personally identifiable information) and the FTC (Federal Trade Commission).

“The Federal Trade Commission sent letters to 13 data brokers warning them of their responsibility to comply with the Protecting Americans’ Data from Foreign Adversaries Act of 2024 (PADFAA).

“PADFAA prohibits data brokers from selling, releasing, disclosing, or providing access to personally identifiable sensitive data about Americans to any foreign adversary, which include North Korea, China, Russia, and Iran, or any entity controlled by those countries. The law defines personally identifiable sensitive data to include health, financial, genetic, biometric, geolocation, and sexual behavior information as well as account or device log-in credentials and government-issued identifiers such as Social Security, passport, or driver’s license numbers.”

Although frankly it’s not a good idea to sell PII to our friends either, but that’s another topic.

How Can Identity/Biometric Product Marketers Cut Through the Slop?

Slop is everywhere, and even I generate slop. (For experimental purposes only, of course.) But slop makes it hard for product marketers to share their messages with prospects.

Bredemarket has adopted two tactics to cut through the slop and ensure my clients’ messages reach those who need to hear it.

Tactic 1: Before I write, I ask

To bound the message I am about to create for an identity/biometric client (or any client), I ask a number of questions. These questions ensure that the question addresses the right people, their concerns, and their fears. I’ve shared seven of my questions elsewhere.

Seven Questions Your Content Creator Should Ask You.

When all the questions are answered, I have a clear roadmap to start writing.

Tactic 2: I act, not the bot

In writing, generative artificial intelligence’s proper place is as an outside advisor, not an author. I’ve shared my thoughts on this on LinkedIn.

I don’t feed the answers to Bredebot and have it churn out something. I pick the words myself.

Rewrite this. Don’t write it.

Now perhaps I might use generative AI to tweak a phrase or two, but I remain in complete control of the entire creative process.

The result?

I believe, and my clients also believe, that this careful approach to content results in pieces that are differentiated from the mass-churned content of others.

So my clients stand out and aren’t confused with their competitors.

After all, even though Bredebot fakes thirty years of experience in identity and biometrics, it doesn’t really have such experience. I do. That’s why I’m the biometric product marketing expert.

So if you want me, not a bot, to polish your biometric product marketing sentences “until they shine,” let’s talk about how we can move forward.

Bredemarket can write your biometric company’s product marketing content.

Identity/Biometric Marketing Leaders: In Case You Missed It

If you’re an identity/biometric marketing leader who requires content, proposal, and analysis expertise from a biometric product marketing expert, make sure you read the following:

It will be worth your while.

Landscape. Biometric product marketing expert.

What is the Difference Between “Bredemarket Identity Firm Services” and “Bredemarket”?

I’m putting myself in the shoes of someone reading stuff on LinkedIn or Facebook.

  • At one point, the reader may encounter a reference to “Bredemarket.”
  • At another point, the reader may encounter a reference to “Bredemarket Identity Firm Services.”

Are “Bredemarket” and “Bredemarket Identity Firm Services” two separate entities?

No.

They overlap.

So if your specific interest is biometrics, or secure documents, or other identity factors, visit Bredemarket Identity Firm Services.

If your interests are more general (such as product marketing), visit Bredemarket.