The Threat Recruiters Can See, and the One They Can’t

You’ve probably already heard about deepfake candidates. A polished CV lands in your inbox. The video interview goes smoothly. The hire seems perfect. Then, weeks later, you discover the person who turned up on day one was not the person you screened.

It sounds alarming, and the scale is extraordinary. Research published by People Management in January 2026 found that one in four UK companies has now reported some form of identity fraud among new hires. According to Gartner, by 2028, one in four candidate profiles globally is expected to be fake. And a 2025 Pindrop report recorded a 1,300% year-on-year surge in deepfake fraud attempts, jumping from roughly one incident per month to seven per day across monitored enterprise systems.

Sixty-nine per cent of UK hiring leaders now consider AI-enabled impersonation and deepfake technology the most sophisticated emerging threat to recruitment integrity, according to a January 2026 survey by First Advantage. Experian’s 2026 Future of Fraud Forecast went further, naming synthetic identities powered by generative AI as one of the top five fraud threats facing UK businesses this year.

This is, rightly, dominating the conversation in the recruitment industry. But here is the part of the conversation that is not yet loud enough: the deepfake problem does not end at the recruiter’s desk.

The Supply Chain Blind Spot

When a contingent worker is placed through a recruitment agency, the journey from ‘candidate’ to ’employed worker’ rarely ends with you. In the vast majority of flexible workforce placements, there is a third critical party in the chain: the umbrella company.

The umbrella company is, legally, the employer. That means it is the umbrella (not the agency) that carries out the final four compliance checks before a worker starts drawing a payslip:

• Right to Work verification
• Identity verification
• Bank account validation
• National Insurance number checks

This makes the umbrella company something crucially important that is easy to overlook: it is the last meaningful identity checkpoint in the entire supply chain.

If a fabricated identity slips past your interview process, your video call, your document review, the umbrella company is the final opportunity to catch it before a fraudulent worker begins generating PAYE submissions, NI contributions, and RTI data in HMRC’s systems under a false name.

The question that too few recruiters are asking right now is: How confident are you in your umbrella company’s ability to make that catch?

Why JSL Has Raised the Stakes Dramatically

Until April 2026, this was primarily a reputational and operational concern for agencies. An undetected identity fraud case was damaging, but the financial exposure was mostly limited to the penalty for Right to Work failures, which can already reach up to £60,000 per illegal worker.

That changed on 6 April 2026, when the Joint and Several Liability (JSL) legislation came into force.

Under JSL, if an umbrella company defaults on its PAYE or National Insurance Contributions to HMRC, HMRC can now pursue the recruitment agency, or in some cases the end-client, for the shortfall.

The implications are significant. Consider what happens when a fraudulent AI-generated identity slips through to payroll:

A duplicate or invalid NI number. Generative AI can now produce convincing false identity documents of a quality that human reviewers struggle to distinguish from genuine originals. A synthetic worker assigned a fabricated or cloned NI number creates an RTI submission that does not reconcile with HMRC records. Under JSL, that tax irregularity flows back to the agency.

A disallowed payroll. A worker with no legitimate right to work in the UK, whose payroll is subsequently disallowed by HMRC, creates a tax liability. Again, under JSL, the agency may be liable for that liability if the umbrella company cannot meet it.

A fraudulent bank account. AI-enabled fraud increasingly involves misdirected payments. Where bank detail validation is inadequate, funds intended for a legitimate worker can be redirected to criminal accounts, creating both financial loss and a compliance failure with regulatory consequences.

In 2025, UK recruitment agencies collectively lost over £1 million to a sophisticated contractor fraud scheme, according to legal analysis published by Fieldfisher. In the post-JSL environment, the financial and compliance exposure from such schemes has grown considerably.

The AI Deepfake Threat Is Not a Niche Problem

It is worth being clear about how rapidly this threat has evolved, because it can still feel abstract.

The UK Government projected that 2025 would see approximately eight million deepfakes created and shared, up from 500,000 in 2023. Real-time face-swap technology can now convincingly alter a video interview feed. AI tools can generate photorealistic ID documents. Fraudsters are creating fully fabricated professional histories, complete with AI-generated LinkedIn profiles, fake references, and supporting social media presence.

In one widely reported case, a major US cybersecurity firm, Pindrop, discovered that a candidate who had applied for a role on its deepfake detection team was themselves a deepfake. The candidate appeared to apply legitimately, progressed through interviews, and was nearly onboarded before detection.

In the contingent labour market specifically, the risk profile is elevated. Contractors typically engage remotely. Hiring moves quickly. The volume of placements at busy agencies makes individual scrutiny harder. And as Lloyds Banking Group noted, advanced fee job scams alone surged 237% between January and August 2025, with AI significantly lowering the cost of running them at scale.

CIFAS, the UK’s leading fraud prevention service, warned in March 2026 that synthetic job candidate identities are now being created at “speed and scale” — a phrase that should focus minds across every part of the recruitment supply chain.

Five Questions Every Recruiter Should Now Ask Their Umbrella Company

Under JSL, the compliance rigour of your umbrella company partners is no longer just their problem; it is materially yours. The due diligence conversation you have with umbrella companies needs to expand well beyond rate transparency and accreditation status.

As a minimum, your umbrella company partners should be able to answer the following:

Do you use technology to detect faked or doctored identity documents? Human visual inspection of documents is no longer sufficient. AI-generated identity documents are now sophisticated enough to pass basic checks. Your umbrella partner should use multi-layered digital verification, not manual review.

Are NI numbers, addresses and bank details cross-referenced against external data sources? Checking that an NI number exists is not the same as checking that it belongs to the person claiming it. Look for umbrella companies that cross-reference submitted details against HMRC data and independent fraud databases.

Can you produce a verifiable audit trail for every worker’s identity checks, on demand? In a JSL dispute or an HMRC investigation, documentary evidence of the verification steps taken at onboarding is essential. Your umbrella company should be able to produce this quickly and completely.

Are identity checks real-time and automated, rather than periodic or manual? Fraudulent workers are not static. Circumstances change. A compliant umbrella company should have automated monitoring that detects anomalies throughout the engagement, not just at onboarding.

Is the umbrella company independently audited for its payroll compliance? Accreditation is a starting point, not an endpoint. Ask specifically whether payroll submissions are independently verified, and whether that verification happens in real time or retrospectively.

What a Genuinely Compliant Umbrella Company Looks Like

The standards described above are not aspirational. They are achievable, and achievable umbrella companies are out there. But they require meaningful investment in technology, processes, and independent oversight, and not every umbrella company has made it.

At SmartWork, identity and compliance verification are embedded into our onboarding from the first point of contact. As an employer, we conduct comprehensive worker verification and identity checks before onboarding begins, and our systems include automated monitoring for irregularities throughout the engagement.

Our compliance framework operates at multiple layers. We hold full FCSA membership with annual independent audits covering operational, tax, and anti-avoidance controls. We carry ISO 27001 certification for information security. And, critically, we are SafeRec-certified, which means our payroll submissions are verified in real time by cross-checking our RTI submissions directly against HMRC data. This is not a periodic review. It is a live check that ensures every payslip we produce is accurate, compliant, and fully reconciled.

This matters for the identity fraud conversation specifically because it means that fraudulent NI data or RTI submissions that do not match HMRC records will be flagged at source, before they generate the kind of tax irregularity that, under JSL, could travel back up the supply chain to your agency.

Our payroll is operated exclusively through UK-based bank accounts in SmartWork’s name. All agency partners and workers have full payslip visibility showing every deduction and contribution in detail. And all of our certifications, including FCSA accreditation, ISO 27001, and SafeRec compliance verification, are accessible via the FCSA Diligence Hub, giving agencies on-demand access to the documentation they need to demonstrate their own due diligence.

Preparing for the Second Half of the JSL Era

The JSL legislation is now in force, but the industry is still adjusting to what it means in practice. The deepfake threat is accelerating simultaneously. The combination of these two trends means that the standard of scrutiny agencies should apply to their umbrella company supply chain needs to rise materially in 2026 and beyond.

Recruiters who get this right, who ask the right questions, choose umbrella partners with genuine verification capability, and build supply chains that can withstand scrutiny, will be in a strong position. Not just to protect themselves from financial exposure, but to offer end-clients something increasingly valuable: demonstrable confidence in the integrity of the workforce being placed.

The agencies that are best positioned to make that argument are those working with umbrella companies that treat compliance as infrastructure, not as a box to tick.

Work With an Umbrella Company That Takes This Seriously

If you’re reviewing your approved supplier list, or if you’re a recruiter who wants to understand more about how SmartWork’s compliance framework protects your agency under JSL, we’d welcome the conversation.

SmartWork is an FCSA-accredited, SafeRec-certified umbrella company with over 20 years of experience in the contractor payroll sector. We work as a transparent, compliant partner to recruitment agencies, and we can evidence every step of our verification and payroll processes on demand.

Get in touch with our team or read more about our JSL compliance commitment to understand what working with us means for your supply chain.

Please remember to follow us on LinkedIn, Facebook, and Twitter if you’d like to follow along for new articles and industry updates.

SmartWork is registered in England & Wales (No. 4207299). FCSA member. ISO 27001 certified. SafeRec certified. APSCo Trusted Partner.