FBI warns of bogus job postings on recruitment sites

Before Christmas was a busy time down at the fake job factory, with all manner of dubious antics out to ruin someone’s day. We’re now into February and the bogus job offers show no sign of abating. In fact, the FBI considers it to be such a problem that it’s issued an alert. This isn’t your typical warning about plain old fake job postings, or random messages sent via services like WhatsApp or Telegram though.

This one involves a dash of the old website exploitation.

Sounding the alarm

The alert begins as follows:

Malicious actors…continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money. These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.

Since early 2019, the average reported loss from this scheme is nearly $3,000 per victim, and many victims have also reported that the scheme negatively affected their credit scores.

So, we have a scheme that’s been ticking along for a couple years. It’s also fairly profitable for whoever is pulling the strings.

How do these attacks work?

The FBI doesn’t go into detail as to how sites being referenced are exploited. They instead mention that the scammers go in for a variety of tactics. Some of their fake ads are posted to commonly-used employment-oriented networking portals. Others are a bit sneakier, being posted to “official company pages” due to the “lack of strong security verification standards on one recruitment website”.

This had an impact on both potential victims and the organisations being spoofed. It seems it was hard for the latter to tell which postings were genuine too. This is definitely not what you need when sifting through potential job opportunities. The FBI notes that they also replicated existing, legitimate postings, altered contact information, and sent them out into the wild too. All in all, a tangled mess of lurking menaces waiting to strike.

The scam gets underway

The links posted on the ads take would-be hires away from the job site(s). What they land on is a fake site sporting bogus contact details and phone numbers operated by fraudsters. Wary of people doing some digging to ensure the legitimacy of the posting, they also use contact details of genuine employees. Those details are likely harvested beforehand from sites like LinkedIn, or even just browsing the company’s website or other directories.

Again, the FBI don’t go into specifics with regard to how money is extracted from victims. The most common method used in these scams is to have victims wire money to the fraudsters. It might be a regular wire, or the scammers may ask victims to make cryptocurrency payments. These requests are usually accompanied by an explanation about paying for office equipment or other expenses, with the promise to send the money back to jobseekers once everything is set up. Of course, this doesn’t happen.

Considering the impact on businesses

It isn’t just the jobseekers at risk from these tactics. As the FBI notes, there’s the possibility of reputation damage to consider for the organisations being spoofed. It’s quite possible people caught by these scams will post negative reviews or comments in relation to the unwitting businesses being impersonated. This isn’t a straightforward problem to resolve, and before long half a dozen sites could be full of bad reviews and negative replies. These kinds of things can spread rapidly.

Tips to avoid being stung

The FBI has listed a number of hints to try and keep job hunters safe:

  • Conduct a web search of the hiring company using the company name only. Results that return multiple different websites for the same company may indicate fraudulent job listings.
  • Verify job postings found on networking and third-party websites on the hiring company’s own website or through legitimate HR representatives at the hiring company.
  • Provide PII face-to-face. Legitimate companies will only ask for personally identifiable information (PII) and bank account information for payroll purposes AFTER hiring employees. It is safer to provide this information in person, or via a video call where it is easier to verify everyone’s identity.
  • Never send money to someone you meet online, especially by wire transfer.
  • Never provide credit card information to an employer.
  • Never provide bank account information to employers without verifying their identity.
  • Never share your Social Security number or other PII that can be used to access your accounts with someone who does not need to know this information.

We wish you safe and prosperous job hunting.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.