Job seekers beware of recruiters

Paying a recruiter to find you a job could leave you the victim of a scam


Fraud is prevalent in our digital world. Unfortunately, in both our social and professional lives, we can't always trust that those who present themselves as authentic are actually who they claim to be.

Lots of end users have learned this truth the hard way, having fallen victim to social engineering, but these scammers are tangling wider nets of deception preying upon a new category of vulnerable targets--the job seekers.

A new blog/whitepaper from ZeroFOX, talks about the concept of recruiter scams. In short, hackers are impersonating company recruiters by using their logo and providing a contact form about job opportunities via email.

As soon as an applicant engages with the fake email address, the perpetrator will either try to extract Personally Identifiable Information or demand payment for an application fee.

As upcoming college graduates search the web for job opportunities, malicious actors are capitalizing on this trend by leveraging company recruiter scams across LinkedIn, Twitter and Google+ platforms to breach applicants’ credentials and syphon money.

Recruiter impersonation fraud is a growing concern, said Brian Reed, CMO of ZeroFOX as these scams can cause damage to a brand’s reputation.

"What’s been evolving is that the bad guys come up with a million ways to attack across social media, which exists on this inherent notion of trust," said Reed. Despite understanding the cybersecurity risks in the digital work, when it comes to social media, people’s guards go down.

"They assume that these social channels are different from the web in that they are more protected, but bad guys are exploiting social media every way they can," said Reed.

They are exploiting social trust, and in these newest scams, "They tend to target two areas in recruiting, the younger folks or the job," Reed said.

With relative easy, they can create a fake recruiter identity, complete with company logo and employee names, and they engage with people to sign up and pay a fee.

"What they are technically doing is creating a fake email address that might look like the company’s email. They create a fake profile on LinkedIn on Twitter, and there might be a number on the end, or they may create something like Chevron Inc instead of Chevron," said Reed.

They steal the logos and graphics, collect a cast of fake employees with fake LinkedIn accounts and fake email addresses, even fake connections.

"They find the real head of HR and then create a a fake version of this person and add her to the fake company account, which has a link to the fake website, that is also connected with the fake recruiter account," Reed said.

Then, they get to work posting jobs and actively engage with people who are looking for jobs by looking for people who have posted on or other popular employment websites.

By posting fraudulent job links to LinkedIn and sharing communication, they are able to get users to send private information. Once they have made that connection, they then fast track the user into paying a small fee, said Reed.

The result is lost and stolen PII and credit card information. Data scientists, said Reed, "Have found hundreds of active recruiting scams, and they have seen pockets of patterns particularly in the oil and gas, transportation, high tech and telecom industries. While there are scams In every industry, the highest entities are in oil and gas."

They clone the big companies because that is where the money is, but there is also  an inherent trust.

So, if I'm a job applicant, I want to follow the same rules of best practices that I would as a consumer of any other product across any other industry. "Make sure it's real. Look at the domain. Be wary of the link. When you get an email address, make sure it’s really for the company."

On the business side, though, organizations should be monitoring for impersonations and take that stuff down. "Look across social media for impersonators that could damage the brand as well as. Recruiting people should be monitoring for themselves to see if they are being impersonated, and security teams should monitor for impersonations of all HR employees," said Reed.

For a list of security recruiters that is not a scam, head to CSO's Security Recruiter Directory.

FREE Download: Get the Spring 2019 digital issue of CSO magazine today!