Tim Mortimer
Eddie BorreroNew technology helps define the rapidly changing world we live in. Combining the power of artificial intelligence (AI) with analytics opens a world of opportunities for organizations. But the reality of this new world is that scammers are usually close behind to put their own unique twist on those digitally driven opportunities.
Online scams come in all shapes and sizes. But who would have imagined, just several years ago, that online job boards would become a lucrative target for creative phishers? Clients tell us stories of how scammers have tapped into their Human Resource (HR) systems, posting fake job opportunities and even using actual senior management names and information to make the fake posts look real. Job seekers are asked to pay to apply for roles, or to provide cash for documentation or technology. It’s a dangerous, frustrating situation for both the hiring organization and the job seeker and sadly, this scam is quickly becoming more commonplace.
Recently, the Chief Information Security Officer (CISO) reached out to us, detailing the non-stop fake job postings on his organization’s online job boards. In the most common scenario, a posting advertised an opening with the organization and included the names of actual HR managers, giving the post a legitimacy to any applicant who might be researching the company. The fake job postings follow a predictable scenario: When job seekers apply for a position, the scammers set up a Google hangout meeting with them, usually not leveraging the video meeting features. Following this, they offer the candidate the job and ask for additional personal information. The scammers also demand applicants purchase equipment required for their position, and direct them to deposit bank checks into a specific account. While the candidate is reassured he or she would be reimbursed for the money spent, that never happens. While applicants might receive a check, they soon learn it is not cashable.
In another typical scenario, the fake job posting is the first step in the attack lifecycle. Once candidates apply, they are asked to pay an application fee. (It should be noted that, in some parts of the world, an application fee is a normal step in the process.) In this scam, once the application fee is paid, the attackers conduct interviews and send offer letters with a fake email/ phone number. The next step in the process is for the candidates to pay the applicable “visa” and “travel” fees to visit the home office for orientation and onboarding. Once the fee is paid, all communication stops.
Organizations often feel there is not much to be done to prevent this type of scam, as job boards do not screen fake postings. But there are steps organizations can, and should, take to combat this evolving challenge:
- New technology such as platforms that fully automate the hiring process.
- Social engineering campaigns to train teams to stay safe; for example, Protiviti works with organizations to conduct social engineering tests (phone calls and test phishing emails) and also provides customized training to raise awareness, help employees understand the risks and key indicators of suspicious content.
- Monitor the creation of similar-name domain names, another important clue to a scammer’s presence. Organizations can engage brand protection services that monitor and take-down infringing content.
Both companies and job seekers are looking for a seamless hiring experience. Organizations have significant reputational damage at stake if their system is hacked, either by a scammer working to take money from applicants, or through a risk of malware entering its systems as scammers exploit the resume documents coming into the system.
Here’s where “Trust and Verify” become the operative words. Organizations and those looking for work should be as proactive as possible as they go through the process. Don’t assume an organization’s systems are protected from scammers just because it’s a well-known company. Don’t let a lack of awareness be your downfall. Here are some actions companies can take to prevent these issues:
- Organizations can assist the job boards by simply putting in big, bold text on every job posting: “BEWARE OF FAKE POSTINGS. We will never ask you for an application fee. Please verify all job postings on our website.” This is not a foolproof method and may not completely eliminate scammer attacks, but will help raise awareness among the applicant pool.
- Organizations can also focus on developing crawlers for the sites on which they do not regularly post. While it’s not possible to track down every site, consider sharing with major boards and the sites where fake job postings regularly come up.
- A bot can also post directly to the ad, assuming comments are enabled, advising would-be applicants that the party is not affiliated with the organization, warding off potential victims.
- Finally, reputation services may help identify bad actors attempting to register a web domain that could represent itself as part of the organization – these domains help malicious individuals set up email accounts that look authentic enough to convince an individual they are communicating with a valid representative (this is often called typo-squatting). Reputation services scan the registrars for domains that look similar to their clients and can also help take down these sites.
Yes, our world is changing as technology helps seamlessly connect hiring managers with candidates. But we’re learning that education is the number one way to prevent fake job posting fraud. HR and IT leaders, be aware of the continually-evolving need to include security and validation into your hiring practices. Job seekers, stay alert to any posting that asks for personal information or fees up front. With increased awareness and an ever-alert team on both sides of the hiring desk, companies can keep their reputations intact while candidates can find the career of their dreams.
Zion Um
Kim Bozzella
Juli Ochs
