Keep Job Scams From Hurting Your Organization

Job scamming is a pandemic within a pandemic. These operations can grow to multimillion-dollar businesses, operating in countries all over the world. In one survey, 32% of job seekers reported applying and even interviewing for a fake job, 15% had their personal information stolen, and 9% said they'd lost money to the scammers. Financial losses topped $367 million last year in the United States alone.

Gabriel Friedlander, founder and CEO of Wizer Training, says these scammers operate just like any other business. But instead of marketing products or services, their goal is to commit crimes.

"They have marketing, where they send out their scams," Friedlander says. "They try to capture leads, convert them to opportunities, and close the deal by scamming the person or hacking the company. They're using a lot of the tools that marketers are using. The thing is, they have a better mousetrap because they can offer anything."

Risks to Companies and Brands

Job scams not only hurt job seekers, but they also wreak havoc on company brands and expose sensitive data to exploiters. Roger Grimes, the data-driven defense evangelist at KnowBe4, says he's surprised by the sheer creativity of job scammers, who steal the credentials of real people and then apply to jobs using legitimate-looking emails or portfolio URLs. Often these emails will hide malware within resume attachments or links, according to a report by Trellix.

Fred House, senior director of detection research and operations at Trellix Advanced Research Center, gives one example: Qakbot malware in emails can be exposed, rooted out, and addressed. Then within a few days, Qakbot evolved into a new threat.

The scamming company is "an organization that's very well-funded, that's very agile," House says. "And that's the cat-and-mouse game."

Companies sometimes receive a huge volume of job applications through social media applications like LinkedIn or software-as-a-service apps like Workday, and making sure each applicant is legitimate can be a monumental task. Even if an application appears safe, these threat actors are also prepared for interviews.

Grimes says he has spoken with employers who think they've found the "perfect candidate" — someone who has answered all of their interview questions correctly. However, once the person is hired, they disappear or are unable to do the job.

"They're very rehearsed," Grimes says. "When you're trying to verify the legitimacy, they've heard [it] 100 times, and they know how to respond. They know what documents to send you. That can be very convincing."

Vulnerable companies include those without a cybersecurity team or software in place to monitor potential job applicants. While this implies smaller firms are at risk, it's often the Fortune 500 brands that are targeted.

"The bigger they are, the harder it is for them to verify that this headhunting firm is the one that's working on behalf of them," Grimes says. "It's not as easy as people make it out to be."

Adds AJ Nash, vice president of ZeroFox: "If you're a company that's desirable, that's a bigger brand, that's a bigger opportunity to lure people in. That dream is an opportunity. That's going to be enticing."

How to Guard Against Scams

The most important protections against scams for human resources and security departments are awareness, education, and training. Companies that lack knowledge about these kinds of job scams are more prone to attacks.

If you can't meet the applicant in person, conduct a thorough background check, says Wizer Training's Friedlander. Background checks, he adds, are no longer "nice-to-haves" but a must to keep companies safe. He also suggests reaching out to that applicant in multiple ways to make sure this is a legitimate person being hired for the role.

Having a tight security posture is fundamental to staying safe.

"It comes down to the protections they have in place," Trellix's House says. "How sophisticated is their email security? Do they have a Web proxy where once the user clicks on the link, it goes through their Web proxy, and it has a chance to analyze it?"

Companies should aggressively look to root out these scams and put pressure on job sites, like Indeed, and social media channels, like LinkedIn, to make sure these cybercriminals are defeated, according to KnowBe4's Grimes.

In a statement, LinkedIn acknowledged the "rise in fraudulent activity across the internet over the last several months, and we have the technology, including artificial intelligence systems, and teams of experts to stop the majority of detected fraudulent activity before you ever see it. In addition, we've introduced new tools to ensure a safe experience, including the ability to see if an account has a verified phone number or email." A LinkedIn report states that 57.9 million fake accounts were removed between July and December in 2022.

Listing specific do's and don'ts on the company's career page and social media platforms is one step to assisting potential job seekers on avoiding scams. This includes phrases such as "We will never ask you for money" and "We will never ask for your Social Security number or identifying information," says ZeroFox's Nash.

Outsourcing may be the best solution to combat these scams, based on the size of the company and the number of employees dedicated to cybersecurity. Nash says this includes setting up social media monitoring and brand protection. The potential damage to a company may be significant and requires investment in security.

"Companies who aren't doing that — they're going to find out the hard way when bad things happen," Nash says.

Protect Your Reputation

A company's reputation can be damaged, even if a company isn't affected financially after reports of fake jobs. Even though the company isn't responsible, leadership should understand how their brand can be stolen and used for malicious purposes, Nash says.

"It's not their fault, but it is going to reflect on them," Nash says. "When someone is scammed out of a job, their company name will be associated with that scam. A job seeker will now have a lesser opinion on that organization."

Once the HR department or security team is notified that a job scam associated with the company has occurred, Nash recommends showing empathy toward that potential job applicant. He recommends using language such as, "I'm really sorry to hear this has happened to you. Thank you for reporting it to us. We will take it under advisement, talk to our intel team — whatever it might be."

The Future of Job Scams

Grimes notes that these scams have evolved in the past decade or so. Finding a job applicant wasn't always this complicated.

"This is something our parents didn't have to worry about," Grimes says. "If you're applying for a job to GE, it really was for GE, and GE was hiring somebody. They were dealing with a person that they met in person. But I don't think the problems we have with the employment industry are going away anytime soon. I think it's as much of a part of our fabric as social engineering and phishing."

Learning to protect ourselves from cybercrimes is an unfortunate part of the Internet age. It's the way of the world, according to Friedlander.

"Cyber-risk is not as clear as physical risk," Friedlander says. "It's not tangible. And people need to be educated. You just can't see it most of the time."

SIDEBAR: Will Job Scamers Use Deepfakes?

Remember when the reverse image search was a great way to determine if a photo was fake or stolen? Thanks to synthetic scams using artificial intelligence and deep fake technology, that service isn't quite as useful.

"You go on websites and in one click have a fake image of a human being that never existed in the history of humanity, and it's really convincing," said AJ Nash, vice president of ZeroFox. "Whether it's video, whether it's pictures, whether it's audio, whether it's sound effects, there's a lot of synthetic scams. And the technology is really coming along quite well." 

The speed of this kind of tech and the ways they can be used maliciously can be mind-boggling. Gabriel Friedlander, CEO of Wizer, said voice cloning has become increasingly simple to do. 

Wizer posts training videos on security awareness and one features how a job seeker's face and voice were used to land an IT job to hack into a company. The only reason the scam was revealed is when the company reached out to the real person wondering why she had disappeared. The video is a demonstration but the scammers are very real. 

"Deep fakes, AI will continue to get really good to the point where we just won't know the difference between an AI deep fake and a real person," said Roger Grimes, KnowBe4's data-driven defense evangelist. "I mean that's absolutely going to happen."

The good news is that the technology isn't flawless. Nash said it's difficult to impersonate human interactions and human movements. He recommended finding a way to see the hands of an individual in a photo or on camera. Apparently, the intricacies of fingers haven't been perfected yet.