Job ad scams are on the rise. According to the FBI, more than 16,000 Americans reported employment scams in 2020. Some are easy to spot. Others are quite sophisticated.
Fake employment postings often promise thousands of dollars in earnings for little or no work. In some cases, it is a re-shipping scam: The individual targeted is tasked with receiving packages at home and forwarding them. In other cases, the scam involves paying a fee or sending something of monetary value. The many people currently unemployed or working from home have become a big target for these kinds of ruses.
“Be very wary of work-from-home online job ads/postings,” said Brian Gant, assistant professor of cybersecurity at Maryville University in St. Louis. Gant has almost two decades of experience working in the private and public sectors, including for the FBI and the Secret Service. “If it sounds too good to be true, it most likely is.”
Unfortunately, even bona fide jobs sites are being abused by cybercriminals.
“Fake job ads are popping up on websites like Indeed that are convincing [and] well-written, and some [criminals] go as far as performing interviews with unsuspecting candidates,” said Chris Ray, an analyst at IT research and analysis firm GigaOm in San Francisco. “The goal is usually to purloin confidential data such as Social Security numbers and bank details.”
The people creating these fake job ads generally bait individuals with unrealistically high salaries and promises of large chunks of equity. On occasion, targets of scams are even told that they are hired after just a few minutes on a call.
“Hiring organizations should occasionally Google their name in combination with popular hiring terms to attempt to identify and take down fraudulent job ads on popular hiring sites like ZipRecruiter, Indeed and Glassdoor,” Ray said.
Attacks on LinkedIn
LinkedIn’s popularity as a recruiting tool has put it in cybercriminals’ crosshairs.
“An e-mail with a job offering can be the perfect way to lure someone into downloading malicious files, such as one masquerading as a job description, or spoofed LinkedIn messages,” said Karen Krivaa, chief marketing officer of Perception Point, a cybersecurity firm in Tel Aviv, Israel.
A common example is a LinkedIn connection e-mail bearing a message about a potential job or stating that the individual targeted appeared in specific searches. When the individual clicks Accept Invitation or See All Searches, he or she is routed to an illegitimate LinkedIn website that immediately asks for login credentials.
Here are two ways organizations and job seekers can protect themselves from sophisticated online job scams:
- Don’t agree to send funds back as a portion of a larger check received.
- Do contact someone familiar with the job or industry to ask their thoughts about the job posting. Those entrenched in the industry usually know all the players.
The trickery doesn’t necessarily require money to change hands or goods to be forwarded. In some cases, the fake job posts are simply phishing and social engineering ploys. All they want you to do is engage someone via chat boxes and e-mails and be lured into clicking on malicious links or attachments.
“Ninety-eight percent of cyberattacks rely on social engineering, which is the manipulation of people into performing actions such as clicking on a file or divulging confidential information,” Krivaa said.
But there are always subtle hints or glaring errors indicating it is a scam. Compare the sender URL, display name and actual e-mail address used. Common tricks are to have a plausible display name disguising a strange e-mail address or outdated domain name. URLs also may appear valid, yet a closer inspection shows an added character or slight alteration in the organization’s name (e.g., company.com could be changed to company-jobs.com).
Grammatical errors or typos in the e-mail or overly formal or clumsy English can also be clues. Calls-to-action for a limited time are sometimes used to inject urgency as part of a cyberswindle.
Krivaa said further warning signs include broken links on the fake website, out-of-date website certificates or a brand-new certificate issue date. The FBI and the Federal Trade Commission, too, offer plenty of pointers and tips in recent alerts and posts on this topic.
Cybersecurity and artificial intelligence tools are available to help organizations find and eradicate fake job posts and e-mails. For example, e-mail security and protection solutions from companies such as Perception Point scan messages, URLs and files to identify malicious content and intercept dangerous e-mails before they reach users’ inboxes.
They achieve this via:
- Image recognition algorithms that validate the website.
- URL reputation engines that monitor traffic for phishing attempts.
- Threat intelligence scans of URLs and files outside the organization, searching for signs of potential or current attacks.
- Dynamic scanning to rapidly identify malicious files.
- Anti-evasion capabilities to unpack embedded content in the e-mail and properly scan it.
“The ability to easily check any suspicious e-mail or file improves the security posture of the organization,” Krivaa said. “It is also wise to leverage an incident response service to monitor, analyze and report on e-mail security incidents; provide rapid alerts and analysis of malicious attempts; and optimize the security system’s engines.”