That’s why it’s important to remember that not all state-level attacks are created equal. Intelligence agencies can create fake personas at varying levels of cost and realism, but if North Korea is doing that for revenue they’re not going to spend the same kind of resources they would trying to get, say, nuclear weapons data.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.
It's not naive at all. Most of these threats can be thwarted by simply following basic business and security best practices. Many hiring managers are lazy and incompetent, and don't even do the bare minimum.
That’s why it’s important to remember that not all state-level attacks are created equal. Intelligence agencies can create fake personas at varying levels of cost and realism, but if North Korea is doing that for revenue they’re not going to spend the same kind of resources they would trying to get, say, nuclear weapons data.
The situation here is significantly asymmetric: the attacker has to do a lot of work to build a realistic persona but the defense can make that much harder with a few basic checks. It’s been cost-effective in the past because companies were skimping on their hiring and internal security, similar to how the identity theft crisis was mostly a crisis in companies doing due diligence.