Before you click ‘Apply’; understanding the job post phishing epidemic

Posted on: February 3, 2022 | By: Grant Looper | Filed under: Data & Identity, Info Security, Online Safety Tips

Phishers and scammers never miss a trick. Fraudulent job listings are just the latest scheme in their long list of dastardly doings.

The FBI recently released a public service announcement warning individuals that “malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.”

Scammers are imitating legitimate companies and posting fraudulent job postings on commonly used employment-oriented networking sites. Sometimes, these scammers even replicate and replace legitimate job postings with altered contact information on additional networking sites. Fraudulent job listings include links and contact information that direct applicants to spoofed websites, email addresses, and phone numbers controlled by the scammers, where they can steal the applicant’s personal information and then sell it or use it in additional scams. In some cases, the scammers use the identities of actual company employees to increase their perceived authenticity. These kinds of scams affect both the company and applicants. The applicant can lose personal information and incur a financial loss, while the company can receive negative reviews from applicants. This can adversely impact the company’s ratings on career websites and social media platforms.

How Businesses Can Protect Themselves

• Search job postings on common networking sites and job posting boards and look for fraudulent postings.
• Where available, enable options to block unauthorized posts and require secured verification when using job recruitment websites.
• Watch for unauthorized account changes, changes to your employer profile, messages coming from your account that you did not send, and jobs that you did not post.
• Inform your Human Resources staff about fraudulent application scams and create a plan to help employees identify and report suspicious job postings.
• Ensure employees involved in the hiring process know that victims of recruitment scams may contact them and that a sensitive response to their situation may help mitigate potential damage to your company’s reputation.
• Immediately report any fraudulent job posting to the appropriate website administrator.

How Candidates Can Protect Themselves

• Verify job postings found on networking and third-party websites on the hiring company’s own website or through legitimate HR representatives at the hiring company.
• Never provide credit card, bank information or your social security number to employers without verifying their identity and authenticity.
• Never send money or pay fees when responding to an online job posting.
• Never share any Personally Identifiable Information (PII) with job recruiting websites. Most legitimate companies will ask for PII and bank account information for payroll purposes AFTER hiring employees.
• Whenever you send PII to a prospective employer, first validate their identity and ensure the information is encrypted in transit.

For additional information on how individuals can protect themselves from hiring scams, see the FBI’s full public service announcement. The COVID-19 pandemic has drastically changed interview and hiring processes, making it imperative that businesses and job applicants verify the legitimacy of postings and employment opportunities. The FBI urges the American public to use caution when applying for and accepting positions through an entirely remote process that has limited or no in-person meetings, contact, or onboarding.

Grant Looper

Grant Looper is the Communications Strategist for Teaching and Learning Technologies at Elon University.
