Security Awareness – Recruitment Scams are a Threat to Seekers and Employers

Job recruitment scams are nothing new, but related campaigns have been on an uptick in recent weeks as threat actors seem to be exploiting mass layoffs, resignations, and recruitment efforts.

Job recruitment scams are a social engineering ploy. They are a threat to those who are seeking a job and those looking to hire. The threat to job seekers is pretty straightforward – threat actor’s prey on the desire or need to find a job by typically sending phishing emails pretending to be a recruitment agency. The messages often ask the candidate to provide personal information, login credentials, or money. The actor could also attempt to drop malware to steal even more information. However, these scams also represent a threat to employers. There is an indirect threat if a current employee is job searching during work hours on company owned devices where malware could be installed and valuable company information could be harvested. However, the more direct threat emanates from threat actors pretending to be job searching and responding to employment notices by sending malicious documents such as resumes or identification documents to recruiters. Similar to how BEC actors looking to cash out on invoice/wire-transfer or payroll direct deposit fraud target HR and/or finance staff, actors using recruitment scams target HR staff for obvious reasons.

To help combat this technique, members are encouraged to offer focused security awareness training to human resources staff. Likewise, as the nature of recruitment involves receiving communications from someone we don’t know, it is vital that staff be extremely vigilant during times of job recruiting. Likewise, for their own benefit it may be practical to remind users to use caution if/when they are looking for a new job (and preferably do it on their own time and devices). The resources below can be used to help develop relevant training materials or to share with staff. For more, visit DataBreachToday.

Additional Resources on Recruitment-Themed Scams

• Looking for a job? Scammers might be looking for you (FTC)
• Job scams: How they persuade and how to protect yourself (Tripwire)
• LinkedIn Struck by Recruitment Scam Wave Following Tech Layoffs (PYMNTS)
• Fake US govt job offers push Cobalt Strike in phishing attacks (BleepingComputer)