Beware: Hackers Are Targeting Employers Looking To Hire


Businesses that are looking to hire employees make great targets for hackers, so, whether you are an entrepreneur running a small business, the HR director of a large multi-national firm, or someone looking for a job, you should be aware of the following:

The hiring process is inherently risky. Businesses need to expend time and money searching for appropriate, qualified candidates – sometimes under pressure to fill a particular position or set of positions before some deadline. In most cases, the process of recruiting also necessitates that a business carry out electronic communications – often primarily by email – with parties with which it has never corresponded before. Hiring managers may be forced to open email attachments from untrusted parties sending in resumes, or, if they refuse to take such risks, may end up overlooking great applicants.

As one would expect, these factors combine to open the door for cyberattacks. In the case of small businesses the problem is exacerbated by the fact that organizational budgets often preclude having an information-security team involved in the design of the recruiting process and its associated technology. Hackers know about this weakness – and seek to exploit it.

So, here are several pieces of advice to help keep you safe when you are recruiting. If you are looking for a job, understanding these points may also help you ensure that the firm to which you are applying actually receives and reviews your CV:

1. Whenever possible avoid having resumes sent to you as Word documents.

There are a plethora of attacks that can be carried out via materials embedded in Word documents, and, while regular patching, malware scanning, and maintaining strict security settings can address the majority of them, why take chances when you don’t have to? There are other formats that are less risky: While text included in the body of an email message is ideal, for various technical reasons, PDFs are also likely a better alternative than Word documents. Depending on the nature of the open position that you are seeking to fill, you may not even require that candidates submit resumes: links to a LinkedIn profile or the like may suffice. On that note, however:
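As an added illustration (my own example, not code from the article), here is the kind of triage a hiring portal can run on a submitted .docx before a human opens it: a .docx is a zip archive, so the presence of a VBA project, embedded OLE objects, or non-hyperlink relationships pointing outside the file can be detected without rendering the document. The sample document is constructed in memory and is only docx-shaped, not a real Word file.

```python
import io
import re
import zipfile

HYPERLINK = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"


def build_sample_docx(risky):
    """Construct a minimal docx-shaped zip in memory (a stand-in for a submitted CV)."""
    rel = '<Relationship Id="%s" Type="%s" Target="%s" TargetMode="External"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # An ordinary external hyperlink, as any CV with a portfolio link would have.
        rels = rel % ("rId1", HYPERLINK, "https://example.invalid/portfolio")
        if risky:
            # Constructed "risky" variant: macros, an embedded object, a remote template.
            rels += rel % ("rId2", TEMPLATE, "https://example.invalid/template.dotm")
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
            z.writestr("word/embeddings/oleObject1.bin", b"\x00" * 16)
        z.writestr("word/_rels/document.xml.rels", "<Relationships>%s</Relationships>" % rels)
    return buf.getvalue()


def inspect_docx(data):
    """Return the reasons a submitted .docx deserves scrutiny before anyone opens it."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            reasons.append("VBA macro project present")
        if any("/embeddings/" in n for n in names):
            reasons.append("embedded OLE object present")
        for n in names:
            if not n.endswith(".rels"):
                continue
            xml = z.read(n).decode("utf-8", "replace")
            for tag in re.findall(r"<Relationship\b[^>]*>", xml):
                if 'TargetMode="External"' not in tag:
                    continue
                rtype = re.search(r'Type="([^"]+)"', tag).group(1)
                target = re.search(r'Target="([^"]+)"', tag).group(1)
                if rtype != HYPERLINK:  # plain hyperlinks are normal in a CV; anything else is not
                    reasons.append("external %s -> %s" % (rtype.rsplit("/", 1)[-1], target))
    return reasons
```

A clean document returns an empty list; the constructed risky one returns three findings, which is enough to route the file to a sandbox or to ask the candidate for a PDF or plain text instead.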

2. Do not click links to social media profiles that candidates send you (via email).

It is simple for a hacker to send you an email applying for a job with a link that is mislabeled (e.g., it displays in the email as “https://www.linkedin.com/in/SomeName” but really links to https://www.RogueSite.com) or that varies slightly from the name of a real social media site (e.g., a dangerous link of the form https://www.linnkedin.com/in/JosephSteinberg or the like - did you notice the “mistake”?), and which points to a rogue site that delivers malware to your system. If you want candidates to be able to direct you to their social media profiles, either:

  • Have them spell out the full link and manually enter it into your browser. In my case, you’d want me to write https://www.linkedin.com/in/josephsteinberg not create a link that says “Here is a link to my LinkedIn Profile.”
  • Ask them for their handles, rather than links, when appropriate. For me that would mean @JosephSteinberg for my Twitter account, rather than https://www.twitter.com/josephsteinberg. Manually enter the handle in the social media platform search bar. Do not click links.
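The two tricks described above (display text that says one site while the href goes to another, and a lookalike domain one letter off a real one) can both be caught mechanically before anyone clicks. This is an added example of mine, not code from the article: it parses the anchors out of an HTML email body, compares the host shown in the link text with the host actually linked, and checks the linked host against a short list of known sites by edit distance. The email body is constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a hypothetical application email.
SAMPLE_EMAIL_HTML = """
<p>Hi, my profile is at
<a href="https://www.RogueSite.com/x">https://www.linkedin.com/in/SomeName</a>,
my other profile: <a href="https://www.linnkedin.com/in/JosephSteinberg">LinkedIn</a>,
and a genuine one: <a href="https://www.linkedin.com/in/josephsteinberg">LinkedIn profile</a></p>
"""

KNOWN_SITES = ["linkedin.com", "twitter.com", "about.me"]


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: keep the last two labels (www.linkedin.com -> linkedin.com)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_links(html):
    """Return (href, reason) for every anchor that is mislabeled or a lookalike domain."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable(urlparse(href).netloc)
        if re.match(r"https?://", text):  # text looks like a URL: does it match the real target?
            shown = registrable(urlparse(text).netloc)
            if shown != host:
                findings.append((href, "text shows %s but link goes to %s" % (shown, host)))
                continue
        for site in KNOWN_SITES:
            if host != site and edit_distance(host, site) <= 2:
                findings.append((href, "lookalike of %s" % site))
    return findings
```

Run over the sample, the first two anchors are flagged and the genuine LinkedIn link passes; handles typed into the platform's own search bar, as the article advises, avoid the problem entirely.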

3. Stay safe when candidates send links to social media link consolidators.

Some have suggested that people utilize social media profile link consolidators (e.g., about.me, etc.) to provide potential employers with complete lists of all of their social media profiles. While I do use such a service for other purposes, I am not convinced that it is a good idea for organizations to rely on such sites on their own to address the security risks of links to social media profiles, so, if you do receive such a link:

  • Do not click the link – instead enter it manually. (Similar dangers exist to those discussed above vis-a-vis links to social media sites.)
  • If the link is to some site that you don’t recognize as a social media index site – maybe ask the sender to send you direct links and forgo the consolidator site altogether.
  • Beware the links on the site – you really should not click them; enter them manually as well. On some sites it is possible for hackers to create a profile containing links to rogue sites.

Because of this, I prefer to ask a job applicant who is previously unknown to me to send, as text via email, the list of any social media profiles that he or she wishes to share with me.

4. Do not treat communications from a job website as secure.

As is the case with most verticals, there have been multiple security problems found on job hunting and placement sites; for example, the CareerBuilder.com website was found to have been sending “resumes” containing sophisticated malware to companies posting open jobs. The attack is believed to have been carried out by hackers who literally “applied” for jobs posted on the website and uploaded “poisoned” CVs to be sent by CareerBuilder to the companies posting the positions. Other job recruiting websites have also been found to be vulnerable to various attacks, so always proceed with caution. If something seems off, it might be.

5. Avoid attachments. Text-based resumes should be good enough.

If you create some proprietary system that allows people to apply for jobs via your website, and want them to submit resumes, consider having them submit text in a text box, rather than attaching a file that may turn out to be infected. Of course, use good secure coding practices to ensure that the site itself does not become a gateway for crooks into your organization. It is true that text does not show a candidate’s style as well as a formatted document – but, if the person does end up coming in for an interview, or if you speak with him or her by phone, you can always ask him or her to bring/send you a formatted version. By that point, you’ll have a much better idea about the person’s identity and trust level.

6. Don't ask people to mail or fax their CVs.

While some have suggested that an ideal way to address these risks is by asking candidates to fax or mail their resumes, rather than submit them via email, from a practical standpoint such approaches are severely outdated, and can both complicate the recruiting process and scare away excellent candidates. It should be noted that asking candidates to fax their resumes to a fax-to-email service does not eliminate the security risks either, as there are plenty of criminals sending malware that impersonates fax-bearing emails from such services.

7. Consider transferring some of the risk to someone else.

Risk levels may also be reduced by using a recruiting agency (e.g., a headhunting firm) – many of which edit resumes before sending – or if you are dealing strictly with candidates whom you know. But even in these cases, of course, all emails should be subject to virus scans.

For more information-security related articles please subscribe to my mailing list and follow me on Twitter at @JosephSteinberg.

(A version of this article originally appeared in Forbes.)

Wes Lyle

Sr CyberSecurity Solutions Architect at Byteworks

7 years

Good article. Identifies risk in some places you might not expect it.

Mark Wagasky

Data Protection | Life-Long Learner | Sales

7 years

Great Awareness Piece. Thanks for sharing things that many of us are not thinking about.
