Attackers usually have to do their own homework to pull off a credential harvesting campaign. Make sure you don’t do their homework for them, as we’re seeing happen with an uptick in recruitment scams!
Employee turnover is at an all-time high in nearly every industry due to a wide range of factors, chief among them the ongoing global pandemic. For a recruitment scammer, this is like reliving the gold rush.
Recruitment scams, sometimes also called employment fraud, happen when a malicious actor claims to be a recruiting agent for a job that does not really exist. These types of fraudulent job offers can be found all around the internet; they could be posted on recruitment sites, advertised on social media, or sent via email.
By offering a good salary, nice benefits, and a flexible work environment, malicious actors gain easy access to vast amounts of personal information unwittingly sent by job seekers, which can itself be used for more targeted phishing campaigns or identity theft.
Unfortunately, many job seekers are desperate for a job, and therefore easily manipulated by malicious actors using social engineering techniques.
In one fraudulent recruitment campaign we’ve identified, the malicious actors are posing as a newly founded United States subsidiary of a large European energy company. The job offers are advertised via email and text messages.
Should one apply to this job, a homework assignment is given to make the process appear more legitimate.
With that out of the way, we’re moving to the paperwork section of the process. Here, the malicious actors have a great opportunity to request in-depth information such as social security numbers, banking information, tax information, and other personal information. You already did the homework assignment, so why stop now?
At this point the scam can continue in a few ways. Usually, all contact is dropped as the malicious actors have already stolen so much valuable information. However, another oft-used technique is to make the job seeker pay for supplies or administration fees before starting work. Depending on the position advertised, these can be disguised as fees for software, time tracking devices, or other work equipment.
Staying safe from these types of scams can be quite tricky when hurriedly sending out multiple applications. Sometimes these fraudulent job offers find their way even to the most trustworthy recruiting sites.
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, the team clusters the threats, rates them, and incorporates the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.