
Employment phishing lures pose a big threat to organisations


Job hunting or changing companies is demanding of your time, energy, and mental capacity, no matter what position or career you’re aiming for. The bad guys are banking on your eagerness, stress, and often time constraints to target you for their various scams, from credential mining to credit card theft. Anyone actively looking for a new career opportunity, or even casually entertaining the idea, should keep in mind that the online employment landscape is fertile ground for social engineering and phishing attacks, as bad guys use various platforms to impersonate hiring organizations and lure unsuspecting job seekers or current employees into their profitable cons. These scams become even more widespread during the summer and at the end of the year, when job seekers are most active.

Companies should also be mindful of these threats, since employees looking for a new job are most likely doing so during weekday working hours, according to ApplicantPro. Likewise, they may be content in their current jobs but casually checking their private messages on LinkedIn or other social media sites. A common scam is a phisher posing as a very convincing recruiter on LinkedIn and going after a Systems Administrator or other security staff with a lucrative new job offer. The employee can be lured in if the role pays more and has amazing benefits and work flexibility, and is then encouraged to click a link in the job description. Of course, this could be a link to a malicious site or to malware used to steal credentials that give access to sensitive corporate systems. Scammers are looking to score personally identifiable information, harvest credentials, and install malware that could lead to a corporate breach. There are many variations of employment phishing scams that organizations can expect their employees to encounter.

Another example is fake jobs posted under major company names, where the job posting or the website claims to be from a real, well-known employer, or often from a less well-known one. The employer name is legitimate, but the jobs are not, because they are not actually from that employer. In this scam, the real employer has nothing to do with the posting. A bad actor uses a legitimate employer’s identity as part of the con, which can be equated to corporate identity theft because the scammers have “stolen” a real company’s identity for use in the scam. The scammers are advertising bogus jobs that are completely unrelated to the legitimate employer named in the posting or on the site, claims

Tread carefully

Bogus jobs can also be posted on legitimate job boards like Indeed or Monster. Cybercriminals use job boards with a good reputation, knowing the boards can’t possibly police every paid job posting. The cost to post a job is not that steep, and an unsuspecting job seeker can easily stumble onto a phishing site that gathers personal data.

Phishing emails still reign supreme, so job hunters should be wary of anything suspicious in their inboxes, like this scam claiming to be from HotJobs. An unusual subject line and generic greeting, the fact that HotJobs no longer exists, and the “too good to be true” nature of the scheduling and benefits all point towards it being a scam.

In another recent scam, a man fell victim to a very sophisticated employment con offering him a full-time, well-paid job purchasing electronics and shipping them out. The “company” initially sent him $2,000 to buy a batch of iPhones, then for the next shipment told him to temporarily use his own credit card, providing bank account and routing numbers he could use to reimburse himself for those expenses. A call from his credit card company weeks later alerted him that the account was stolen, and he was out $35,000 of his own money. The Better Business Bureau says that, sadly, he is one of thousands of Americans who fall for employment scams, as employment fraud topped the list of the riskiest scams targeting consumers last year.

Whichever of the methods outlined above is used to deliver the scam, the BBB urges all job applicants to be cautious and look out for key signs that a listing or recruiting effort might be bogus:

  • Generic job titles, work-from-home, or secret shopper positions that don’t require special training or licensing
  • The same job description showing up in other cities
  • Strange procedures or on-the-spot job offers without an interview, or any company asking for money to be wired somewhere as payment for coaching, training, or certifications
  • Any offer to give you special access or guarantee you a job for a fee, especially in the public sector – no government agency (US or Canada) will ever ask you for payment
  • Recruiters who are not willing to provide you with a complete contract for their services covering the cost, what you get, who pays (you or the employer), and what happens if you do not find a job

Phishers will attempt to profit from endeavours where the stakes and emotions are high, making your employees a likely target. If they are using the corporate network as a launching point for a career change (whatever IT’s rules against it), they are exposing the organisation and themselves to phishing sites and links that can cause major damage or financial loss. Having the right combination of security tools in place to protect against phishing attacks arriving through both email and the web is critical, along with regular phishing training and coaching across departments, so that these attacks are stopped at their point of origin.

Atif Mushtaq, CEO, SlashNext

Atif Mushtaq
Before founding SlashNext as its CEO, Atif Mushtaq spent nine years as a senior scientist at FireEye working with law enforcement to take down some of the world’s biggest malware networks.