Skip to content
Search
  • There are no suggestions because the search field is empty.
Cancel
Get Started Now

    Security Awareness Training Blog

    How To Stop Job Scams

    Evangelists-Roger GrimesI am reading and hearing about a ton of job scams these days. So many, I wondered how anyone could get a real job or employee, especially in these days of often full-time, work-from-home (WFH) environments. There are many different types of job scams, both targeting potential victims wanting to be employees and employers. I wrote about many of these job scams a few months ago, but I have one more large defensive recommendation to make in this blog that I think will make it hard for the scammers to be successful.

    Fake Job Scam Summary

    There are two main scam victims: job candidates seeking employment and employers seeking employees. Both appear to be equally likely to be scammed these days.

    Fake jobs scams include the following types (I am sure I am missing some):

    • Fraudulent organization steals employee candidate’s money by learning candidate’s financial information.
    • Fraudulent organization tricks employee candidates into paying for something unneeded (e.g., background check, new laptop, etc.).
    • Fraudulent organization wants to steal candidates’ private information or money by placing a trojan horse program on their computer.
    • Fraudulent organization wants to get access to the candidate’s current employer by placing a trojan horse program on the employee’s work computer to steal money, place malware or steal information from the current employer.
    • Employee is offered a plausible job that is actually illegal (e.g., money mule, etc.).
    • Involve a real candidate applying for a real job with a real organization using a fraudulent “headhunter”, but then the headhunter switches out the real candidate with a fraudulent, less skilled, person (or fake non-existent person) after the prospective employer has offered the job to the real, intended candidate. Example stories here and here.
    • Fraudulent employee gets hired to spy on the organization. Story example here.
    • Fraudulent employee gets hired by a legitimate organization but does nothing but collect paychecks until they are fired.
    • Real employees working for a real organization, but splitting their time “on the clock” among two or more organizations, at least one of which does not know about the other.

    Note: Equifax just found at least 24 employees working two or more full-time jobs and there are people bragging about working three or more full-time jobs, none of which they are qualified for, on Reddit .

    Defenses

    Here is the advice I put in my last article that still applies:

    The best defense is education. Job seekers and employers need to know that the world is rife with job-seeking and offering scam artists. There are more now than ever. Everyone should be aware of the most common types of scams, and how to detect and avoid them. As usual, security awareness training is key.

    For job seekers:

    Start by seeking jobs on legitimate company websites. For example, KnowBe4 lists all its available jobs. You are not going to be scammed if you start with a legitimate company’s website. If you decide to use a well-known job site that actively polices and tries to eradicate fraud, follow their advice for avoiding scams, such as this advice.

    If someone claiming to be a recruiter for a particular company reaches out to you, call or email the purportedly represented company using known good, legitimate contact information and verify that the recruiter is working as an agent on behalf of the company or is at least offering a real available position. Do not accept from the recruiter, without first verifying that it is an unadvertised job that no one else knows about yet.

    If the job seems too good to be true, it likely is. If you are being interviewed, ask serious questions and details about regular job features, like the details of the position’s 401(k) plan or insurance plan. A real recruiter can get you the essential details and not just come back with a general saying, like “Yes, we have a 401(k) plan.” Real recruiters will know that the 401(k) plan is administered by a particular financial firm, what the matching is, etc.

    Never pay upfront fees. Never run executable content or macros sent to you in documents. Verify the contact information. Be very suspicious about any look-a-like contact information. Never reveal personal identifiable information (PII) in an employment application until you have verified that the person you are dealing with is offering a real job with a real company and has the authority to do so.

    If it is too good to be true, it is too good to be true.

    For companies trying to hire people:

    It is tougher for companies to weed out potential fake employees, especially in today’s world of remote workforces. Educate everyone involved in the hiring process about potential fake employees. At the very least, every employer should conduct a legal background check (not charging the potential employee candidate, of course), if that is possible. Previous employers should be contacted to verify employment dates and make sure they match the candidate’s claims.

    Every employee should be assigned the appropriate amount of tasks that will take the average person an average amount of time. If an employee is delivering slowly or pawning off work to subordinates, you might wonder if they are working other jobs. On the other hand, if they are delivering all tasks successfully and just doing it quicker and better than everyone else could, perhaps just accept the situation (although most people working multiple jobs are eventually going to burn out more quickly than if it was just one job involved even if the hours are the same).

    If hiring an employee from another country, let someone experienced and living in that local market help with the hiring process. They can more easily detect someone pretending to be from another country who is not really a native. And lastly, anyone hired should be monitored for their expected responsiveness and output. You do not want to be paying someone full-time wages for working part-time.

    It is a different world out there for job seekers and employers. Education for both sides is key. And making a culture of healthy, appropriate skepticism along with aggressive verification goes a long way.

    New Additional Advice

    Interview in person before accepting or offering the job, at a known relevant company location. In these days of WFH, many job offers are offered and made to people who have never met in person. In light of all of these fake job scams, I think it behooves both sides to meet in person at a legitimate location first. If the potential in-person meeting with the original parties is too expensive to set up, the employer should set up a meeting with a trusted partner who can conduct the in-person meeting and the potential employee must be able to verify that the job being offered is real. Nothing beats an in-person meeting.

    This does not stop all bait and switch scenarios where you met with what you thought was the real person or organization, only for another person or organization to be switched out after the job offer is accepted. But it will prevent most scams.

    Given the prevalence of fake employees and employers, spending the money to have at least the last meeting in person before accepting or offering the job is the best way to prevent being scammed in a job situation.

     

    Return To KnowBe4 Security Blog

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    PST ResultsHere's how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    Go Phishing Now!

    PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

    https://www.knowbe4.com/phishing-security-test-offer

    Topics: Phishing, Security Awareness Training

    Roger Grimes

    ABOUT ROGER GRIMES

    Roger A. Grimes is Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 13 books and over 1,200 national magazine articles. He frequently consults with international organizations of all sizes and many of the world’s militaries. Grimes regularly presents at national computer security conferences, and is known for his often contrarian, fact-filled viewpoints.

    Read more from Roger »

    Subscribe to Our Blog


    Security Awareness Training
    Blog RSS Feed
    Comprehensive Anti-Phishing Guide
    All Posts

    Posts by Tag

    See all

    Posts By Topic

    View All

    Get the latest about social engineering

    Subscribe to CyberheistNews