FightCybercrime.org

Recognize, report and recover from cybercrime.

How Job-Seekers & Employers Can Stop Hiring Scams

Home » Blog » Imposter Scams » Job Scams » How Job-Seekers & Employers Can Stop Hiring Scams

Even under the best of circumstances, job-hunting is stressful. It’s even more stressful when applicants can’t be sure if the “dream job” they’re about to apply to even exists. In Illinois alone, job applicants lost $1.68 million to hiring scams in 2020.

Anatomy of a Hiring Scam

Hiring scams can take many different forms, most of them falling into one of two categories:

  • The scammer plagiarizes a legitimate employment opportunity posted by a legitimate company. To lend legitimacy to the listing, the scammer builds a lookalike version of the real employer’s website, complete with a very similar domain name. For example, instead of XYZcompany.com, the spoofed site may be XYZc0mpany.com or XYZcompany.co.
  • The scammer makes up an entirely fictitious job listing for a company that doesn’t exist. The scammer may or may not build a website to lend legitimacy to the listing. The phony company may have a name that’s similar to a well-known, legitimate firm; example, instead of XYZ Company, XYZ Enterprises or ZYX Company.

In both cases, the scammer posts the plagiarized or entirely fictitious job listings to popular job boards or, sometimes, freelance work sites. Applicants can apply either on the job board/gig site or, if there is one, the fake website. In all cases, the goal is to do one or more of the following:

  • Get the applicant to send the scammer money, frequently for a “background check,” “application fee,” the purchase of “equipment,” or “exclusive access to work-from-home job listings.”
  • Get the applicant to download malware, either via an email or text message attachment or a “drive-by download” on the phony company website.
  • Get the applicant to divulge highly sensitive personal information, such as Social Security Numbers, images of driver licenses or passports, or payment card data.
  • Frequently, the applicant is required to “register” on the company website, complete with a username and password. This tactic takes advantage of the fact that many people reuse passwords across accounts. Once the scammer has the password in hand, they attempt to see if it works on popular social media, shopping and banking websites.

In addition to harming job-seekers, these hiring scams can damage the reputation of legitimate companies whose job listings and names have been hijacked. If the job applicant doesn’t realize that the legitimate company wasn’t behind the scam, they may take to social media outlets and bash the company.

What Job-Seekers Can Do to Protect Themselves

Read job listings critically. Look for red flags, including:

  • Job listings that are extremely vague about the position being hired for and the company doing the hiring. Usually, these listings promise immediate start dates and very high salaries regardless of education or experience. For example: “Motivated people wanted to start work tomorrow! No experience necessary; we will train! Up to $40/hour!” If it sounds too good to be true, it probably is.
  • Applicants are contacted for interviews by “recruiters” using free, non-company email domains, like Gmail or Yahoo. Often, the recruiters don’t provide their full names, or they have extremely common names. For example, “Maya F.” or “John Johnson.”
  • The job listing contains numerous typos, and/or the job description includes requirements that don’t match the job title or just sound “off.” For example, an ad for a worksite in Chicago that says applicants “must be local to the Los Angeles area.”
  • The potential employer requires applicants to provide sensitive personal information, such as Social Security Numbers or a copy of their driver’s license, as part of the job application.
  • Applicants are required to send the employer money — for anything. No legitimate employer will ever ask an applicant for money. Ever.

Take proactive measures to avoid hiring scams:

  • When in doubt, Google the company’s name, visit their website, and search their job listings. If the job listing appears on a job board, but not on the company’s website, it’s probably fake.
  • Never send money or provide highly sensitive information to apply for a job.
  • Never download email or text attachments from unknown or untrusted sources.
  • Use an antivirus program and browser plugins to secure against drive-by malware.
  • Use strong, unique passwords for every online account, enable multi-factor authentication (2FA) on all accounts that support it, and use a password manager such as Keeper for individuals and families. This way, if you make a mistake and create an account on a phony site, the scammer won’t be able to use that password to access your other accounts.

What Employers Can Do to Protect their Reputation

Protect your organization from plagiarized and lookalike job listings by keeping on top of your company’s accounts on job boards:

  • Delete “zombie” accounts on job boards your company no longer uses. Scammers routinely target dormant accounts, banking on nobody paying attention to them.
  • Regularly copy sections of your job ads and paste them in Google. If Google finds duplicates — either on the same job boards you use, or on websites your company doesn’t use — immediately contact the job board and demand that the listing be removed.
  • Closely monitor your company credit card for charges you don’t recognize.
  • Closely monitor social media networks for mentions of your company’s name.
  • In some cases, scammers may compromise employers’ login credentials for popular job sites — then use that access to post phony job listings using your real account! Use strong, unique passwords for every account; enable 2FA wherever it’s supported, and deploy a password management platform like Keeper for business.

Don’t do things that can make your company look like a potential scammer. Consider giving applicants the option of initially applying to jobs as a “guest,” rather than requiring all applicants to create accounts on your website. Never ask for sensitive personal information, such as Social Security or driver license numbers, during the initial application process. Collect this data later, after your company has established trust with the job-seeker, and the job-seeker has reached a point in the application process where your company needs it for a background check or other verification purposes.

Sponsored Guest Blog By Keeper Security

Branding