Zak Doffman Contributor
If you’re applying for a job online, then you might want to take a moment to check the latest advisory from the FBI on the scourge of fake job scams. Combining spoofed company websites and ads on legitimate job boards, malicious actors trick job hunters into applying for roles with well-known, legitimate companies. The victims interview for those jobs and then complete employment contracts. The whole process is fake. The end result is the loss of personally identifiable information and money.
It’s no surprise that sophisticated cybercriminals are now adding some spice to this basic scam. Just as with other types of phishing and online fraud, a glossy website, a cleverly constructed URL and a slick application process lull us into a false sense of the familiar. None of these are difficult to put in place. Done well, they are exceptionally difficult to spot. But the advantage with an employment scam is that you can look for the company itself to seek reassurance that a job is real.
This type of employment fraud is not new, the FBI says in its advisory published on January 21, “but technology has made this scam easier and more lucrative.” We are all now so used to clicking our way through online processes for everything that it’s highly likely we won’t notice that the seemingly legitimate company website is fake. The interview will be conducted by phone or video call—again, nothing unusual these days. The paperwork will then come by email for us to print and return.
While we are now primed to watch for those fake emails and text messages from Apple or PayPal or Google or Microsoft, asking us to enter our passwords and personal details to resolve a spurious account lock-up, we are less primed to suspect wrongdoing when interviewing with a fellow human being and then providing a new employer with our passport or driving license details, our social security numbers, a bank account into which we will get paid, our home address and date of birth.
Armed with those details, it is veritable child’s play for an attacker to set up fraudulent accounts, make purchases and hijack existing accounts with new account details. Many of these fake jobs are work-from-home roles. There is no office you need to visit. But you may speak to multiple departments during the recruitment—HR, line managers, finance, admin. Some of the fraudsters even trick victims into paying for background checks, training or computer equipment, all of which will be refunded with that first paycheck. But there is no paycheck.
The FBI warns that increasing numbers of would-be job applicants are falling foul of such scams, with average losses as much as $3,000 each time. And that’s on top of the hassle and stress of reporting losses and changing documents, cards and accounts, all while trying to find a legitimate job. “While hiring scams have been around for many years, cyber criminals’ emerging use of spoofed websites to harvest PII and steal money shows an increased level of complexity.”
Even the UN has warned of “fake vacancy announcements” issued for its agencies, “imitating UN email addresses—asking would-be applicants to part with copies of personal documents and even money.” Meanwhile, in the U.K., ActionFraud reported that 67% of us now job-hunt online and such scams are up 300% in just two years.
Fortunately, it’s remarkably easy to protect yourself from becoming a victim. Check the email domain through which you’re contacted—it should be easily recognisable. If not, you need to investigate further. Check the company website—the job should be posted. If you don’t see the same listing, again investigate further. If you have not met an employer in person, if you have not ticked every box in assuring yourself that the listing and the company are real, then do not provide any personal details, do not sign any forms, and definitely do not send any money.
If you are in the U.S. and think you may have been the victim of such a scam, then you can report this to the Internet Crime Complaint Center at www.ic3.gov. If elsewhere, you can contact law enforcement or online regulatory bodies. You can also contact the legitimate company itself, in cases where it has been spoofed. Also remember to contact your bank or credit card company to report the fraud right away.