With record low unemployment, a tight labor market, and increasing customer demand, everyone says it is an employee’s job market out there. But it is getting tougher to get a real job and to hire a good employee these days. An increase in social engineering attacks offering fake jobs and fake employees is making it harder for both potential employees and employers to know who to trust.
Job seekers are being offered fake jobs solely to steal their money or they are utilized as unwitting pawns to compromise their existing employers; and employers are being exploited by fake employees who want to steal intellectual property, secrets and value. Fraudulent jobs and employees are becoming something all job hunters and employers need to worry about.
If you are looking for a job, do you know how to spot a fake job?
If you are an employer, do you know how to detect a fake employee?
This article will offer some suggestions to both potential employees and employers.
Fake Job Offers
If you are in the job market these days looking for a potential new employer, be aware that there is an entire cybercriminal cottage industry operating out of several regions (e.g., Africa, Asia, etc.) that exists to offer you a fake job to steal your money. This has been happening for decades, but it used to be fairly rare. Most job seekers did not know about it and did not need to worry about it. Now it is quite common. Even if you are looking for a job in all the regular, legitimate, places, there is an increased chance that you will come in contact with a fake employer. The fake employers will often claim to represent well-known companies and have fake, look-a-like, websites, social media presences, IM contact information, email addresses, and phone numbers. The U.S. FBI put out several warnings about fake recruitment scams over the last few years, including this one.
The most common job hiring scam is one where the scammer attempts to get you to pay an advanced fee. They start by offering your dream job. Its got a terrific salary, it is exactly what you have been looking for career-wise, and you can work from home with flexible hours. They will try to offer you the job over email or chat but may feign a brief job interview. If you do get interviewed, they will most likely let you do the talking, answer any questions you have with the absolute best answers you were hoping for, and then tell you the job is yours except for one small piece of red tape: a background check or some other type of service that requires that you pay money up front to get the job.
Real jobs almost never ask you for money, especially before you are hired. If a real job asks you for money, it is then often taken out of your future paychecks. Fake jobs will tell you that you need to pay the entire fee up front, but that you will be fully reimbursed after you are hired. The victim is usually hesitant at first but thinks any money they spend will be quickly back in their pocket. The victim is then tricked into providing personal identifiable information (PII) and their credit card or banking information. They may be told that the fee is less than a hundred dollars, but according to the FBI from the report listed above, the average amount stolen in a fake recruitment scam is nearly $3000.
Insert Trojan Horse Programs
Over the last few years, fake employers, have started to try and trick victims into installing malicious content. It can be from a booby trapped document or a trojan horse program, for example, that claims to be a questionnaire. Either way, the victim, from a trust that can be built up over multiple interactions, runs and executes the malware. The malware is usually a backdoor program that allows the hacker to come back and look around the victim’s computer so they can steal PII, passwords, credit card information, and whatever it takes to steal the victim’s money or identity.
Here is related news story where hackers pose as recruiters and get victims to open malicious Microsoft Word files.
Compromise Your Existing Employer
A more recent, more sophisticated recruitment scam involves using victims with existing jobs to compromise a particular targeted employer. In these instances, the victim working at the current targeted company is wooed for a higher paying dream job, supposedly at another employer. The victim may be interviewed many times by different people. They are then sent malicious content, which compromises the device they use for work, and that exploited device is used as a gateway into the victim’s current employer’s network.
This sort of recruitment scam came to light when a video game/cryptocurrency/NFT provider, Axie Infinity, had $540M of value stolen from them. Here are some of the stories on that scam:
- https://blog.knowbe4.com/one-employees-desire-for-a-new-job-cost-his-employer-540-million
- https://www.secureworld.io/industry-news/fake-job-offer-hack-axie-infinity
- https://kotaku.com/axie-infinity-hack-nft-pokemon-clone-phishing-scam-1849149357
Early evidence indicates a North Korean group may have been behind the attack.
Hackers have long been using social engineered employees to gain access to victim networks (for example). What is different here is that particular employees with relevant desired company access are being attracted to do their company in by fake jobs. A regular phishing scam usually includes a “stressor event” where the potential victim is told to do something quickly to avoid some negative thing happening (i.e., lose a contract, lose a discount, lose access to their social media account, etc.).
In these cases, the victim is hoping to gain something of greater value and is reaching out (or back) in attempt to get something they covet. It is not a threat. It is a dream. Either way, the victim, after several seemingly positive interactions, develops a premature trust with the new potential employer and is more ably to be tricked into executing malicious content.
Company Employment Threats
It is not all just threats against employees. Companies are now increasingly being targeted by fake employees. Since COVID hit, Reddit has been full of “Ask Me Anything” posts from people claiming to be making strong six figure salaries working remotely for multiple companies at the same time. Each victim’s company thinks the employee is their full-time employee, but in reality, the employee is sharing their time across multiple companies.
These employee scam artists often brag about how little they work (“Just five hours a week!), often brag about asking for huge salaries (and getting them!) because they have zero risk in asking, and how they often do not have any relevant experience and just outsource all requests to their employees or associates. Here are some example Reddit listings:
- https://www.reddit.com/r/antiwork/comments/r9n6ns/i_now_have_three_3_work_from_home_jobs_i_now_make/
- https://www.reddit.com/r/AMA/comments/r4o33z/i_work_3_full_time_jobs_ama/
- https://www.reddit.com/r/fatFIRE/comments/p6i21k/secretly_working_2_jobs/.
Apparently, working for multiple companies at the same time without them knowing is so common, popular financial magazines write about it.
In the age of hyper-nation-state attacks, an increasing threat is the accidental hiring of fake employees who are really just nation-states spies. Again, this is not new. Employers have been hiring competitor and nation-state spies for a long time. What has changed is the frequency, daringness, and methods.
Often it is a government agency telling you that you have been had. Here is an example. In this case, a cryptocurrency startup was infiltrated by a North Korean citizen pretending to be a Chinese citizen. North Korean bad actors are well-known for stealing value from cryptocurrency companies. They are arguably behind many of the largest heists. Perhaps they have had inside help in many of the thefts.
The FBI recently warned that deep fake technology is being used to apply for remote jobs.
In summary, both potential employees and employers are being routinely socially engineered and scammed.
Defenses
The best defense is education. Job seekers and employers need to know that the world is rife with job seeking and offering scam artists. There are more now than ever. Everyone should be aware of the most common types of scams, and how to detect and avoid them. As usual, security awareness training is key.
For job seekers:
Start by seeking jobs on legitimate company websites. For example, KnowBe4 lists all its available jobs. You are not going to be scammed if you start with the legitimate company’s website. If you decide to use a well-known job site which actively police and try to eradicate frauds, follow their advice for avoiding scams, such as this advice.
If someone claiming to be a recruiter for a particular company reaches out to you, call or email the purportedly represented company using known good, legitimate contact information and verify that the recruiter is working as an agent on behalf of the company or is at least offering a real available position. Do not accept from the recruiter, without first verifying, that it is an unadvertised job that no one else knows about yet.
If the job seems too good to be true, it likely is. If you are being interviewed, ask serious questions and details about regular job features, like the details of the position’s 401K plan or insurance plan. A real recruiter can get you the essential details and not just come back with a general saying, like “Yes, we have a 401K plan.” Real recruiters will know that the 401K plan is administered by a particular financial firm, what the matching is, etc.
Never pay up front fees. Never run executable content or macros sent to you in documents. Verify the contact information. Be very suspicious about any look-a-like contact information. Never reveal PII in an employment application until you verified that the person you are dealing with is offering a real job with a real company and has the authority to do so.
If it is too good to be true, it is too good to be true.
For companies trying to hire people:
It is tougher for companies to weed out potential fake employees, especially in today’s world of remote workforces. Educate everyone involved in the hiring process about potential fake employees. At the very least, every employer should conduct a legal background check (not charging the potential employee candidate, of course), if that is possible. Previous employers should be contacted to verify employment dates and make sure they match the candidate’s claims.
If hiring an employee from another country, let someone experienced and living in that local market help with the hiring process. They can more easily detect someone pretending to be from another country who is not really a native. And lastly, anyone hired should be monitored for their expected responsiveness and output. You do not want to be paying someone full-time wages for working part-time.
It is a different world out there for job seekers and employers. Education for both sides is key. And making a culture of healthy, appropriate, skepticism along with aggressive verification goes a long way.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
