The FBI released a statement in April 2021 warning that cybercriminals are using fake job listings to harvest applicants’ Personally Identifiable Information (PII). During the COVID-19 era, over 16,000 people reported to the FBI that they had been scammed through fake job listings, with losses totaling more than $59 million, and the FBI says it has already received over 2,000 such reports in 2021.
How’s It Done?
Scammers advertise jobs the same way legitimate employers do: online (ads, job sites, college employment sites, social media), in newspapers, and sometimes on TV and radio. Technology makes these scams easier and more lucrative than ever for fraudsters. They promise you a job, but what they really want is your money and personal information. Employment scams occur when criminals deceive victims into believing they have a job, or have one lined up, and then leverage their position as “employers” to persuade victims to hand over personally identifiable information (PII) or send them money.
The scammers will go to great lengths to get your information, even conducting fake phone interviews with unsuspecting applicants during which they request PII and/or money. That PII can be used for any number of malicious purposes, including taking over a victim’s accounts, opening new financial accounts in their name, or using the victim’s identity in another deception scam (for example, fake driver’s licenses or passports).
How You’re Tricked
It can be quite difficult to spot tricksters, but this example of a LinkedIn user who reached out to KrebsOnSecurity to verify the scam might help:
On Monday, someone claiming to work with Gwin (LinkedIn ‘recruiter’) contacted Siegel and asked her to set up an online interview with Geosyntec. Siegel said the ‘recruiter’ sent her a list of screening questions that all seemed relevant to the position being advertised.
Siegel said that within about an hour of submitting her answers, she received a reply saying the company’s board had unanimously approved her as a new hire, with an incredibly generous salary considering she had to do next to no work to get a job she could do from home.
Worried that her potential new dream job might be too-good-to-be-true, she sent the recruiter a list of her own questions that she had about the role and its position within the company.
But the recruiter completely ignored Siegel’s follow-up questions, instead sending a reply that urged her to get in touch with a contact in HR to begin the process of formalizing her employment. Which of course involves handing over one’s personal (driver’s license info) and financial details for direct deposit.
According to the FBI, the attackers request the same information as legitimate employers, making it difficult to identify a hiring scam until it is too late. Some indications of this scam may include:
- Interviews are not conducted in person or through a secure video call.
- Interviews are conducted via teleconference applications that use email addresses instead of phone numbers.
- Potential employers contact victims through non-company email domains and teleconference applications.
- Potential employers require employees to purchase start-up equipment from the company.
- Potential employers require employees to pay upfront for background investigations or screenings.
- Potential employers request credit card information.
- Potential employers send an employment contract to physically sign that asks for PII.
- Job postings appear on job boards, but not on the companies’ websites.
- Recruiters or managers do not have profiles on the job board, or the profiles do not seem to fit their roles.
How To Protect Yourself
If you’re looking for a job or if you receive an enticing offer, it’s vital to do a little research. CyberHoot and the FBI recommend taking these actions if you receive a job offer of any kind through online interviews:
- Conduct a web search of the hiring company using the company name only. Results that return multiple websites for the same company (abccompany.com and abccompanyllc.com) may indicate fraudulent job listings.
- Legitimate companies will ask for PII and bank account information for payroll purposes AFTER hiring employees. This information is safer to give in person. If in-person contact is not possible, a video call with the potential employer can confirm identity, especially if the company has a directory against which to compare employee photos.
- Never send money to someone you meet online, especially by wire transfer.
- Never provide credit card information to an employer.
- Never provide bank account information to employers without verifying their identity.
- Do not accept any job offers that ask you to use your own bank account to transfer their money. A legitimate company will not ask you to do this.
- Never share your Social Security number or other PII that can be used to access your accounts with someone who does not need to know this information.
- Before entering PII online, make sure the website is secure by looking at the address bar. The address should begin with “https://”, not “http://”.
- However: criminals can also use “https://” to give victims a false sense of security. A decision to proceed should not be based solely upon the use of “https://”.
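Two of the indicators above are mechanical enough to check before replying to an offer: whether the recruiter writes from the hiring company’s own domain (rather than a free webmail provider), and whether the sender’s domain is merely a lookalike of the real one, such as abccompanyllc.com standing in for abccompany.com. The following Python is an added illustration written for this article, not CyberHoot’s or the FBI’s code; the webmail list and the two-letter edit-distance threshold are assumptions chosen for the example.

```python
"""Flag job-offer contact addresses that do not belong to the hiring company's
own domain. Constructed example, not CyberHoot's own code."""
from dataclasses import dataclass

# Constructed list of free webmail providers a real HR department would not use.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


@dataclass
class DomainCheck:
    contact_domain: str
    verdict: str   # "match", "webmail", "lookalike" or "unrelated"
    reason: str


def registrable(domain: str) -> str:
    """Reduce 'hr.abccompany.com.' to 'abccompany.com' (naive: keeps the last two labels)."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-letter typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_contact_domain(contact_email: str, official_domain: str) -> DomainCheck:
    """Compare the sender domain of a job offer against the company's real domain."""
    if contact_email.count("@") != 1:
        raise ValueError("not an e-mail address: %r" % contact_email)
    contact = registrable(contact_email.rsplit("@", 1)[1])
    official = registrable(official_domain)
    if contact == official:
        return DomainCheck(contact, "match", "sent from the company's own domain")
    if contact in FREE_WEBMAIL:
        return DomainCheck(contact, "webmail", "free webmail provider, not a company domain")
    c_name, o_name = contact.split(".")[0], official.split(".")[0]
    # abccompany.com vs abccompanyllc.com: the real name with extra letters bolted on,
    # or a near-miss spelling within two edits of the real name.
    if o_name in c_name or c_name in o_name or edit_distance(c_name, o_name) <= 2:
        return DomainCheck(contact, "lookalike", "resembles %s but is a different domain" % official)
    return DomainCheck(contact, "unrelated", "no relation to %s" % official)
```

A "lookalike" or "webmail" verdict is a prompt to verify the recruiter through the company’s published contact details, as the steps above recommend, not proof of fraud on its own.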
While these actions will help you stop scammers from stealing your information through employment scams, there are certainly other actions you and your business should be taking to secure your sensitive information.
CyberHoot’s Top 7 Cybersecurity Program Recommendations:
Take these seven actions to improve your company’s cybersecurity program:
- Adopt two-factor authentication to prevent a password breach of your business’s VPN, email services, and any other critical service that is directly Internet accessible.
- Adopt a password manager and require 14+ character passwords across your company, both personally and professionally, for strong password hygiene.
- Train employees monthly on a variety of cybersecurity topics, with a focus on how to spot and avoid phishing attacks, the primary way cyberattacks occur.
- Test employees with fake phishing tests to help them apply their training to spotting and deleting phishing emails.
- Regularly back up data following the 3-2-1 backup method for all your critical and sensitive data.
- Govern your employees with a set of cybersecurity policies that outline requirements for the protection of your company’s most critical data.
- Consider performing a Risk Assessment every 2-3 years against your company’s administrative, technical, and physical practices.