Job scams are spreading rapidly. In the first three months of 2023 alone, job scams grew by 250% compared to the same period in 2022. It is estimated that employment scams cost businesses at least $2 billion in direct losses annually.
How do job scams work?
At a high level, job scams can be divided into two categories: one that offers fake jobs and the other where fake people or fraudsters apply for jobs.
Fake jobs and fake recruiters
On websites such as Craigslist, Indeed, ZipRecruiter and Linkedin, scammers create fake job postings that impersonate legitimate businesses and well-known staffing firms. To sweeten the lure, scammers advertise flexible hours, full-time remote working, above-market pay and generous benefits. Some even go to the extent of reading resumes to understand their target’s experience and background, offering them the “perfect job” that’s highly aligned with their interests and career goals.
See also: Screening out scammers
The end goal of recruitment fraud is typically financial gain—either from the victim directly or the victim’s employer (in case they have one). Scams are executed using either of these methods: First, the victim is tricked into downloading a malicious program, which is a credential-stealing trojan or a backdoor that allows hackers entry into the victim’s machine or environment. Once they’ve secured access, they look at stealing private data (Social Security numbers, intellectual property, credentials to restricted systems, etc.) that they can monetize on the dark web. Second, the victim is tricked into paying an application fee with a false promise of reimbursement. Sometimes, the unaware job seeker is asked to buy expensive hardware or computing equipment, which must be shipped to a subcontractor who will make the necessary configurations. All bogus. The subcontractor never returns the equipment.
Nearly 40% of job seekers claim to have encountered false job postings from leading companies such as Amazon, Walmart, FedEx, Target, DHL, etc. What’s worse? Eighty-four percent of people encountering a scam become its victim without even realizing that the job they had applied or interviewed for was fraudulent.
Fake job applicants
Remote hiring allows employers to hire virtual expertise from anywhere in the world. It is believed that thousands of fake employees are posing as remote workers and are securing real jobs. The FBI issued an alert last year, stating that threat actors were employing deepfakes (synthetic identities created using audio and video spoofing) to apply for work-from-home positions and attend online interviews.
Threat actors usually do this to collect paychecks from employers or to secure access to the employer’s systems, where they steal credentials and private data or access restricted areas. In certain cases, a fake but knowledgeable candidate is planted in the interview so that they can answer all the technical questions, secure the job and then hand it over to the less capable hire. Incidents have shown employees showing up in person who not only looked different but had significantly inferior skills than the individual who was originally interviewed.
What can HR teams do to prevent job scams?
As an employer, it is important to recognize the significant risks that virtual hiring can introduce to the business. These aren’t just HR risks, but they are real business risks that lead to financial setbacks, legal and compliance failures, theft of sensitive and private information, and, most importantly, loss of reputation and credibility. Best practices HR teams can adopt to reduce the risk of job scams include:
- Impart security training to your hiring team: Every employee, especially recruiters and hiring managers, must be made aware of the risks associated with social engineering during the hiring process. They must undergo mandatory training and phishing simulation exercises so they can recognize phishing red flags when they interview candidates virtually. It is also important to keep them updated with the latest threats and tactics as scamming methods evolve.
- Employ verification processes: Implement verification processes for both job applications as well as job postings. For instance, instead of a virtual interview, try to opt for a face-to-face interview. Always conduct thorough background checks before hiring. If your company is posting a job somewhere, ensure that the job portal only permits legitimate, authenticated and verified employers to submit postings.
- Have transparent recruitment processes: Have clear and unambiguous hiring processes in place so that malicious actors cannot take advantage of confused job seekers. If feasible, recruit using only reputable platforms and not via a network of freelance recruiters. Make it clear to prospective candidates whom they can contact if they encounter something unsafe or suspicious.
- Be sensitive with private information: Always be mindful of your candidate’s private information. Make it clear to them in your job posting that you will never ask for sensitive data like bank information, Social Security numbers, marriage status or other private info until onboarding. Always use secure platforms to store and process private employee data.
- Monitor and review hiring processes: It is advisable to monitor and review recruitment processes at periodic intervals to improve security measures and identify weaknesses and vulnerabilities. If your business handles recruitment via third parties, it is recommended that they undergo regular security training and share the same protocols and security principles followed by your organization.
By leveraging the above security measures, HR teams can not only lower the risk of job scams but also significantly boost the overall security posture of the organization.