I imagine getting someone job-fair hired under assumed credentials and ghosting after one full shift of abusing their access, or giving a very poorly paid CSR just enough cash to make it worth the risk is probably more straightforward, but I don't know anything about that stuff. Most restaurants/bars I worked at had hourly staff working under 'borrowed' SSNs and names for years, though.