Scammers are exploiting recruitment for phishing attacks
Phishing is a term we're all getting more familiar with, and the attacks keep evolving: we now have smishing, vishing and quishing, and the hackers are always innovating. Phishing attacks are growing more sophisticated by the day, and one of the latest tactics scammers are using is to disguise themselves as recruiters. They target businesses or individuals through what appear to be legitimate job offers and recruitment communications, making it essential for small to medium-sized enterprises (SMEs) to recognise and defend against these threats.
If you’re a business owner or manager or any other sort of corporate professional, understanding how scammers exploit the recruitment process can be crucial in protecting your company’s data, reputation, and financial health. Our article will help you understand this growing threat and take proactive steps to help safeguard you and your organisation.
The Growing Threat: Recruitment-Based Phishing Attacks
Phishing is a form of cybercrime where attackers impersonate legitimate entities to steal sensitive information, such as login credentials, financial data, or personal information. Traditionally, phishing was carried out through mass emails that tricked recipients into clicking on malicious links or downloading harmful attachments. However, these attacks have evolved and become more targeted, with recruitment-based phishing being one of the most alarming new trends.
In these schemes, scammers pose as recruiters or HR representatives from reputable companies. They use the trust people place in job-related communications to extract personal information or gain access to corporate networks. With the increasing reliance on online recruitment platforms like LinkedIn, these scams have become more difficult to detect.
Why SMEs Are Particularly Vulnerable
Small and medium-sized enterprises are often prime targets for phishing attacks. Why? Because they typically don’t have the same level of cybersecurity resources as larger companies. Limited IT budgets, fewer security protocols, and sometimes less comprehensive employee training make SMEs easier targets for cybercriminals.
The impact of a successful phishing attack on an SME can be devastating. It could lead to financial losses, damage to the company’s reputation, and even legal issues if customer data is compromised.
Real-World Examples: How These Scams Play Out
One of the most notable cases involved scammers using LinkedIn's recruitment features to target victims. They posed as recruiters from well-known companies, sending messages that included links to what looked like legitimate job descriptions. However, these links led to fake websites designed to steal personal information.
In another case, scammers sent emails pretending to be from a company’s HR department, asking candidates to fill out a "pre-employment verification form" that requested extensive personal details, including social security numbers and bank information. Another scam involved fake job postings on popular job boards that tricked victims into downloading malware disguised as an application form.
These examples highlight the common tactics used by scammers, such as using official logos and professional language to appear legitimate. The consequences can be severe, including identity theft and financial loss.
Understanding the Scammers’ Playbook
Scammers typically start by identifying potential targets, often through platforms like LinkedIn or by scouring company websites for information. Once they have their targets, they craft convincing emails, messages, and job postings that mimic legitimate recruitment efforts.
After establishing contact, scammers engage in back-and-forth communication to build trust. They might request resumes, personal details, or prompt victims to click on malicious links. Once they have the information they need, they execute the attack, using the stolen data for identity theft, financial fraud, or unauthorised access to corporate networks.
Scammers also use advanced techniques like spear-phishing (targeted phishing) and social engineering to manipulate victims into lowering their guard. By exploiting emotions like trust, urgency, and fear, they increase the chances of a successful attack.
Recognising the Red Flags
Always verify the legitimacy of communication channels during the recruitment process. For example, official company emails should match the company’s domain, and you should avoid responding to messages from personal accounts. If you're interested in implementing automatic systems that take the guesswork out of matching email domains, speak to the Crosstek team.
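The domain check described above can be automated along these lines. This is an added example, not Crosstek's tooling: the function names, the webmail list and the flag labels are assumptions, and `example.com` stands in for the employer's real domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed (illustrative) list of free webmail providers; extend as needed.
FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def recruiter_red_flags(raw_message, company_domain):
    """Return red flags for a message that claims to come from company_domain."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    official = sender == company_domain or sender.endswith("." + company_domain)
    if sender in FREE_MAIL:
        flags.append("personal-account")
    elif not official:
        near = 0 < edit_distance(sender, company_domain) <= 2
        flags.append("lookalike-domain" if near else "domain-mismatch")
    if reply_to and reply_to != sender:
        flags.append("reply-to-differs")
    return flags

# Constructed sample messages (headers only); example.com stands in for the employer.
SAMPLES = {
    "official": "From: Example HR <careers@example.com>\nSubject: Interview\n\nHi",
    "webmail": 'From: "Example Recruiting" <example.hr@gmail.com>\nSubject: Role\n\nHi',
    "lookalike": "From: HR <hr@examp1e.com>\nReply-To: forms@verify.example.net\n"
                 "Subject: Pre-employment verification form\n\nHi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, recruiter_red_flags(raw, "example.com"))
```

The `From` header is supplied by the sender, so treat a clean result as necessary rather than sufficient and pair it with your mail gateway's SPF, DKIM and DMARC verdicts.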
Proactively Defending Your Business
The best way to make sure you have as many layers of protection in place as possible is to plan to defend against as many known threats as you can. On today's topic, here are three techniques to implement to better protect your business from recruitment-based phishing attacks:
Phishing attacks disguised as recruitment communications are a growing threat that businesses, especially SMEs, need to take seriously. By understanding how these scams work, recognising the warning signs, and implementing robust cybersecurity measures, you are better placed to protect your team from becoming a victim - and by extension, your business. Stay vigilant, educate your team, and always verify the legitimacy of recruitment-related communications.
Give us a call on 01732 617788 or drop us an email to [email protected].