Phishing attacks have become more sophisticated, with scammers now using recruitment processes as a cover to trick businesses. These attacks often appear legitimate, making them particularly dangerous. If you’re running a small or medium-sized business, it’s crucial to understand these scams and take steps to protect your company and your own reputation.
This blog will help you understand how constantly-adapting scammers are using recruitment as a way to launch phishing attacks and what you can do to help safeguard your business. Staying aware and taking proactive measures can help protect your data and your company’s reputation.
Did you know nearly 80% of data breaches in Verizon’s 2024 Data Breach Investigations Report point the finger at phishing attacks and misuse of credentials, with an increasing number using fake job offers as the bait? From this research, it’s clear that professionals from all industries need to be on high alert, especially if they’re looking at new opportunities or growing their team.
What is Recruitment-Based Phishing?
First, let’s talk about the basics of phishing. In this method of attack, scammers pretend to be someone else to steal sensitive information, like passwords or credit card numbers. Traditionally, phishing was done through mass emails that looked like they came from trusted sources. However, as people became more aware of these tricks, scammers had to get more creative, leading to the rise of recruitment-based phishing.
So why are they now focused on recruitment? Scammers love using recruitment as a cover because it naturally involves sharing personal information. When you’re applying for a job, you expect to provide details about yourself, making it easier for scammers to trick you into giving away too much. Plus, job-related emails are often implicitly trusted and emotionally driven, which is exactly what scammers rely on.
You may believe that you and your business aren’t of a size that would interest a would-be scammer, but the truth is that SMBs are often targeted because they may not have the same level of cybersecurity resources as larger companies. With smaller budgets and fewer IT staff, SMBs can be more vulnerable to these kinds of attacks, whether through wilful negligence or simply through not having the time to keep the workforce informed. The impact can be severe, leading to financial losses and damage to your business’s reputation. Particularly since the pandemic and the move to hybrid and remote working, phishing attacks have been on the rise, especially those targeting smaller businesses that might not be as well protected.
Real-World Examples of Recruitment Phishing Scams
A recent scam reported by the BBC involved scammers using LinkedIn to pose as recruiters from well-known companies. They sent messages with links to what seemed like legitimate job offers, but these links actually led to fake websites designed to steal personal information.
Victims believed they were applying for real jobs and ended up giving away sensitive information, which was then used for identity theft and fraud.
In another scam, emails pretending to be from a company’s HR department asked job applicants to fill out a “pre-employment verification form” requesting highly sensitive details, like social security numbers and bank information.
Fake job postings on popular job boards have also led victims to download malware disguised as application forms.
For some victims it is already too late, but what can the rest of us learn from these examples? They show that scammers are already creating fake job offers and that they bide their time, observing digital footprints to make sure their communications look legitimate.
How a Recruitment Phishing Scam Works
Step 1: Finding Targets:
Scammers start by identifying potential victims, often through platforms like LinkedIn or by scanning company websites. This is made especially easy with LinkedIn’s ‘Looking for Work’ filter, but the opportunities across job boards are plentiful.
Step 2: Creating Fake Communication:
The scammers craft emails or messages that look professional and convincing, often using official logos and language. Sometimes they go a step further and spoof someone with a trusted position within the recruitment industry, adopting their name and digital presence such as their email address.
Step 3: Engaging the Victim:
The scammer builds trust by asking for a CV or other personal information, sometimes directing the victim to click on malicious links. Given that the potential earnings can run into six figures, scammers have been known to ‘court’ victims for as long as a few months.
Step 4: Stealing Information:
Once the victim has provided sufficient details, the scammer uses this information for fraudulent activities, such as identity theft, selling the victim’s profile on the dark web or gaining unauthorised access to company systems, including your finance team’s.
The Tools Recruitment Scammers Use
Scammers often use fake email addresses, websites, and even malware to carry out their attacks. More advanced techniques include targeting specific individuals (known as spear-phishing) and manipulating people through social engineering. The more information you make available on social networking sites like Facebook, Instagram and LinkedIn, the greater your exposure to the latter.
Scammers don’t hesitate to play on emotions like trust, urgency, and fear. For example, they might create a sense of urgency by saying a job offer is time-sensitive, pushing victims to act quickly without verifying the details.
5 Red Flags to Watch For When Spotting a Recruitment Phishing Scam
🚩Unsolicited Job Offers:
Be wary of job offers that come out of the blue, especially from people or companies you don’t know.
🚩Suspicious Email Addresses:
Always check the sender’s email address for inconsistencies, like slight misspellings in the domain name.
🚩Urgency:
If an email or message is pushing you to act quickly to click or download, take time to verify its authenticity.
🚩Request for Sensitive Information:
Be cautious if you’re asked for personal or financial details early in the recruitment process.
🚩Poor Grammar and Spelling:
Typos or awkward language can be signs that the communication isn’t legitimate. Also be aware of web links that appear familiar but actually use lookalike characters from alphabets other than the Latin alphabet used in English, otherwise known as homograph attacks.
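The “suspicious email addresses” and “homograph attacks” red flags above can be checked automatically before a message ever reaches an inbox. The script below is an added example written for this post, not code from the original article or from any product it mentions: it takes a list of From: headers, extracts the sender domain, and flags three things a human eye tends to miss: a one- or two-character misspelling of a domain you already trust, a domain that mixes Latin letters with Cyrillic or Greek ones, and a domain that becomes one of your trusted domains once its lookalike characters are mapped back to ASCII. The trusted-domain list, the confusable-character table (a small subset) and the sample headers are all constructed for illustration.

```python
"""Flag recruitment e-mails whose sender domain impersonates a trusted one.

Added example, not code from the original post. Checks for slight misspellings
of a known domain and for homograph (lookalike-character) domains. The
trusted-domain list, confusable table and sample headers are constructed.
"""
import unicodedata
from email.utils import parseaddr

# Constructed list of domains this hypothetical business already trusts.
TRUSTED_DOMAINS = {"example-recruit.com", "hr.example.com", "linkedin.com"}

# Non-Latin letters that look like ASCII letters, mapped to the letter they
# imitate (small, constructed subset of the Unicode confusables data).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "\u0456": "i",  # Cyrillic Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek alpha
    "\u03bf": "o",  # Greek omicron
}

# Constructed sample From: headers, as a mail filter would see them.
SAMPLE_HEADERS = [
    "Jane Recruiter <jane@example-recruit.com>",       # genuine
    "HR Team <careers@examp1e-recruit.com>",           # digit 1 in place of l
    "Talent Team <talent@exampl\u0435-recruit.com>",   # Cyrillic e for Latin e
    "Hiring <jobs@example-recruits.com>",              # one extra character
]


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Return the lowercase sender domain from a From: header ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].lower()
    # Decode IDNA ("xn--" punycode labels) so lookalikes are seen as Unicode.
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode; compare as-is
    return domain


def analyse_domain(domain):
    """Return a list of red-flag descriptions; an empty list means no concern."""
    if not domain:
        return ["no parseable sender address"]
    if domain in TRUSTED_DOMAINS:
        return []
    flags = []
    # Mixed scripts: a genuine domain almost never mixes Latin with Cyrillic.
    scripts = {unicodedata.name(ch).split()[0] for ch in domain if ch.isalpha()}
    if len(scripts) > 1:
        flags.append(f"mixed scripts {sorted(scripts)}")
    # Map confusables back to ASCII; if that yields a trusted domain, it's a homograph.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in domain)
    if skeleton != domain and skeleton in TRUSTED_DOMAINS:
        flags.append(f"homograph of trusted domain {skeleton}")
    # Plain ASCII misspellings (swapped digits, extra or missing letters).
    for trusted in sorted(TRUSTED_DOMAINS):
        distance = edit_distance(skeleton, trusted)
        if 0 < distance <= 2:
            flags.append(f"looks like {trusted} (edit distance {distance})")
    return flags


def triage(headers):
    """Map each header's sender domain to its red flags."""
    return {sender_domain(h): analyse_domain(sender_domain(h)) for h in headers}


if __name__ == "__main__":
    for domain, flags in triage(SAMPLE_HEADERS).items():
        print(f"{domain}: {'OK' if not flags else '; '.join(flags)}")
```

The script is deliberately conservative: it only compares against domains you have chosen to trust, so it produces no noise for unknown but legitimate recruiters, and a hit is a prompt to verify through the company’s official website rather than an automatic block.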
To make sure a job posting or recruiter is legit, cross-check the details on the official company website or contact the HR department directly.
Regularly train your employees on how to spot phishing attempts. The more aware your team is, the less likely they are to fall for these scams.
Next Steps for Your Business
Strengthening Your Cybersecurity
For efficiency, focus your cybersecurity efforts on several key areas. First, improve your email security by implementing spam filters and email authentication protocols such as SPF, DKIM, and DMARC to prevent phishing attacks. Secondly, secure your recruitment processes by using trusted job platforms and encrypted communication methods to protect sensitive information. Lastly, make sure to keep your software up to date; regular updates are crucial for closing security gaps that could be exploited by scammers.
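SPF and DMARC only prevent spoofing of your own domain if the published records actually instruct receiving mail servers to act. The checker below is an added example written for this post, not code from the original article: it parses SPF and DMARC TXT records as strings and reports the settings that commonly leave a domain open to impersonation (an SPF record ending in `?all` or `+all`, too many DNS lookups, a DMARC policy of `p=none`, a `pct` below 100, or no reporting address). The records are constructed for a hypothetical domain; in practice you would fetch them with a DNS TXT lookup of `yourdomain` and `_dmarc.yourdomain`. The weak and corrected versions sit side by side so the difference is visible.

```python
"""Grade SPF and DMARC TXT records for settings that let spoofed mail through.

Added example, not code from the original post. The records below are
constructed for a hypothetical domain; fetch your own from DNS.
"""
import re

# Constructed records: the weak setting beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example-mail.com ?all"
GOOD_SPF = "v=spf1 include:_spf.example-mail.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
GOOD_DMARC = ("v=DMARC1; p=reject; pct=100; "
              "rua=mailto:dmarc-reports@example-recruit.com; adkim=s; aspf=s")

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(record):
    """Return a list of findings for an SPF record; empty means no concern."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "all"):
        findings.append("+all: every host on the internet may send as your domain")
    elif all_term == "?all":
        findings.append("?all: unlisted senders are neutral, so spoofing is not penalised")
    elif all_term == "~all":
        findings.append("~all: soft fail only; pair with DMARC p=reject so receivers act on it")
    lookups = 0
    for term in terms[1:]:
        match = re.match(r"[+\-~?]?([a-z0-9]+)", term.lower())
        if match and match.group(1) in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, receivers return permerror")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record):
    """Return a list of findings for a DMARC record; empty means no concern."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not a number")
    if 0 < pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not tags.get("rua"):
        findings.append("no rua= address: spoofing attempts are never reported to you")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment (default): any subdomain aligns; set adkim=s/aspf=s "
                        "once your subdomains are inventoried")
    return findings


def grade_domain(spf_record, dmarc_record):
    """Combine both checks for one domain."""
    return {"spf": grade_spf(spf_record), "dmarc": grade_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("good", GOOD_SPF, GOOD_DMARC)):
        print(label, grade_domain(spf, dmarc))
```

Treat `p=none` as a starting point rather than a destination: it is the right setting while you collect `rua` reports and discover every system that legitimately sends as your domain, but until you move to `p=quarantine` and then `p=reject`, a scammer’s email “from” your HR department still lands in the candidate’s inbox.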
Educating Your Employees
Implement ongoing training programs to keep your team up to date on cybersecurity best practices. Conduct periodic simulated phishing tests to see how well your team responds and to improve their skills. If you don’t have the internal resources to run simulated phishing tests, get in touch with a cybersecurity expert like Clearsky to plan bespoke awareness training for you.
Have a Response Plan
Being prepared for the worst is an essential layer of your security. The longer a vulnerability stays exposed, the fewer options there are to put things right. Start by developing a plan for how to respond to a phishing attack, including clear steps for reporting suspicious emails. Consider working with cybersecurity professionals to audit your systems and help improve your defenses.
Phishing attacks that use recruitment as a cover are a growing threat, especially for businesses like yours. By staying informed and taking proactive steps, you can better protect your business and yourself from these new scams.
Start implementing the strategies discussed here to secure your business today. For more tips and updates on cybersecurity, consider subscribing to our tech tips newsletter. Remember, protecting your business isn’t just about technology—it’s about staying aware, being prepared, and empowering your team to spot and stop these scams before they cause damage.
Further Reading: Why Phishing Tools are so Useful