Job hunting is stressful enough, but when the job you’re hoping for turns out to be a scam, the sense of embarrassment and loss compounds things, not to mention the money it costs you. The Better Business Bureau estimated that employment scams resulted in a median loss of $1,200 per victim.
Recruiters are particularly valuable to criminals, both as a target and as a resource for their access to open communication with corporations, as well as job seekers vying for their attention and willing to part with sensitive information because that’s how the process works.
For employers, employment scams can create reputation and compliance problems, since criminals will leverage established brands for legitimacy. If someone in the hiring chain is compromised, data breaches can cost companies millions of dollars.
Two employment scams that target recruiters and job seekers are a mix of social engineering and phishing. The result is the same: The victim is left with compromised personal information and/or financial resources.
But employment scams aren’t magic. They work by hijacking the normal workflow of applying for a job. Since job seekers and recruiters are more focused on developing a workforce or landing a job, subtle cues that something is amiss are often overlooked. Here’s what to look for.
Scamming through a connected offer
For connected-offer scams, job seekers are targeted by criminals posing as recruiters. In some cases, the fake recruiters will claim to work for an established recruiting firm, often hiring for a well-known company. That’s the lure. The key to making it work is authority and authenticity.
The fake recruiter will research the job seeker fully, including such things as their work history and industry contacts. This information can be found on social media (for instance on Facebook and Twitter) or on professional platforms such as LinkedIn. It doesn’t take long to get the basics needed for the scam to develop.
The results of this research are aligned with the pitch used during the initial contact with the victim job seeker. The pitch could include references to previous employers, peers, or desired job options, in order to determine if the victim is interested. If the victim is willing to discuss the job offer, the authenticity element of the scam has succeeded.
Now, the authority aspect kicks in. Since the recruiter has all the power in this dynamic, their authority is rarely questioned. In such cases, job seekers are asked to surrender personal information for background screenings. Sometimes this data is submitted via email or uploaded to a fake recruiting website the criminal has created.
Criminals can take a person’s information, such as the details needed for a background check, and sell it to marketing firms, sell or trade it to other criminals, or keep it and use the details themselves for identity fraud. Other variations of this scam will see the victim asked to send money in order to cover expenses for tools, recruitment, résumé development, or training.
Scenarios like this are why, according to the Better Business Bureau, employment scams were the number one scam type reported in 2018, with a median loss of $1,200 per victim. In fact, in 2019, the FTC issued a public advisory related to scams where victims were paying money in order to land a lucrative executive position.
When scammers hunt the headhunter
While criminals will impersonate recruiters with no hesitation, they also target them directly because of their access to high-value targets from executives to human resources managers.
Criminals will conduct phishing attacks, posing as a job seeker, against a recruiter and include malicious attachments disguised as résumés. If they’re successful, the malware installed by the criminal gives them access to all the information the recruiter has available, as well as access to corporate contacts and records. This enables the criminal to expand the scam.
In a variation of this tactic, the criminal will pose as an existing client, and either entice the recruiter to disclose corporate authentication credentials via a “recruiting portal” that was recently launched or again attempt to install malware on the system by offering up malicious attachments.
In the second scenario, the criminal will develop a website that uses the branding of the corporate client, and even register a domain with a familiar naming convention, all in order to offer a sense of false security to the soon-to-be-victimized recruiter. Once the corporate credentials are exposed, the criminal has a foothold on the victim’s network, and the opportunity to expand their scam further.
How to defend yourself
Recruiters dealing with the second scenario require basic awareness and verification. If you’re not expecting résumés, then be suspicious about opening attachments and make sure you’re keeping your office and antivirus software up to date to avoid known attack vectors. If the contact comes from an alleged existing client, call and verify the request or the submissions.
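One way to turn the verification advice above into a mail-screening check, as an added example that is not from the article: the code below flags a sender domain that imitates a known client’s domain (a near-typo, a character substitution, or the brand name under a different suffix) and a “résumé” attachment whose real extension is executable. The client domains and filenames are constructed placeholders.

```python
from __future__ import annotations
# Added example; client domains and filenames are constructed placeholders.
KNOWN_CLIENT_DOMAINS = {"examplecorp.com", "acme-widgets.com"}
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk"}

def normalize_domain(domain: str) -> str:
    """Lower-case and fold common look-alike substitutions (0->o, 1->l, rn->m)."""
    d = domain.lower().strip(".")
    for src, dst in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_client(sender_domain: str) -> str | None:
    """Return the client domain the sender imitates; None if genuine or unrelated."""
    raw = sender_domain.lower().strip(".")
    if raw in KNOWN_CLIENT_DOMAINS:
        return None          # exact match on the raw name: the real client
    sender = normalize_domain(raw)
    for client in KNOWN_CLIENT_DOMAINS:
        norm = normalize_domain(client)
        brand = norm.split(".")[0]
        # Brand under another suffix (examplecorp-careers.net) or a near-typo
        if brand in sender or edit_distance(sender, norm) <= 2:
            return client
    return None

def suspicious_resume_attachment(filename: str) -> bool:
    """True when the final extension is executable, e.g. resume.pdf.exe."""
    name = filename.lower().rsplit("/", 1)[-1]
    return "." in name and "." + name.rsplit(".", 1)[-1] in EXECUTABLE_EXT

def screen_message(sender_domain: str, attachments: list[str]) -> list[str]:
    """Collect findings for one message; an empty list means nothing was flagged."""
    findings = []
    imitated = lookalike_client(sender_domain)
    if imitated:
        findings.append(f"sender {sender_domain} resembles client {imitated}")
    findings += [f"attachment {a} is executable, not a document"
                 for a in attachments if suspicious_resume_attachment(a)]
    return findings
```

A finding is a prompt to pick up the phone and confirm with the client, not proof of fraud on its own.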
Job seekers can avoid scams such as connected offers with a few basic steps:
Trust your gut
If the offer sounds too good to be true, then it probably is. Check Google, and search for the recruiter’s details. If they don’t match up, or if they don’t exist, treat this as a giant red flag. Also, avoid meetings and interviews that are conducted via social media or generic platforms such as Google Hangouts. If you’re asked for money upfront to cover training, recruiting fees, or miscellaneous expenses, this is a clear warning the job offer very likely isn’t legitimate. You shouldn’t have to pay to get gainful employment.
Confirm with the company directly
Sharing information for a background check can be tricky because there are companies that require this. However, you shouldn’t hesitate to contact the company directly and confirm they are requesting a background check and are actively working with the recruiter. By the time you get to this stage, the hiring company is already aware of who you are. They’ll be happy to confirm the need for a background check, as well as verify the recruiter.
The key to stopping scams like these is keeping a level head, doing a gut check, and having the confidence to verify requests and offers. If you push a scammer too hard to verify details, they’ll fold and “revoke” the offer. But legitimate recruiters and job seekers will have no problem proving themselves to you in a way that leaves no room for suspicion.
Steve Ragan is a security researcher at Akamai.