The FBI’s Internet Crime Center (IC3) is warning that scammers are exploiting verification weaknesses in job-focused networking sites to post legitimate-looking ads, capture personal information and steal money from job seekers.
Scammers “continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI warns in a new public service announcement.
The bogus ads threaten reputational damage for the impersonated firm and financial loss for the job seeker.
According to IC3’s complaint reports, the average reported loss from this scheme since early 2019 has been $3,000 per victim.
In one notable scheme, attackers used a real company account on an employment-oriented network site to post fraudulent job postings.
“The lack of strong security verification standards on one recruitment website allowed anyone to post a job on the site, including on official company pages,” the FBI notes.
“Those postings would appear alongside legitimate jobs posted by the business, making it difficult for applicants and the spoofed company to discern which job posting was real and which one was fraudulent.”
The FBI doesn’t disclose which site lacked verification checks. However, BleepingComputer reported in August that a feature on LinkedIn allowed anyone to post a new job ad from the account of a known brand without providing verification. Additionally, admins of the company account couldn’t take down the fraudulent job ad.
Microsoft-owned LinkedIn last week published its latest Transparency Report, highlighting how many scam postings and fake accounts it took down in the six months to June 30, 2021. It claims its automated defenses blocked 97.1% of all fake accounts during the period, amounting to 11.6 million fake accounts stopped at registration. However, some 85,700 accounts were stopped after users reported them.
It also proactively removed 66.1 million spam and scam pieces of content on LinkedIn, but removed 232,000 pieces of such content after members reported them.
According to the FBI warning, scammers also replicated legitimate job postings, changed the contact information, and then posted the now-fraudulent job ad on other networking sites.
The job recruitment scam ads borrow a lot of real information from impersonated hiring firms, including logos, images, email addresses and spoofed websites. In some cases, the scammers use the names and positions of actual company employees to improve online impersonation and then use those borrowed identities during the fee interview and hiring process. The FBI cites three examples of these scams over the past year where real employees' names were used.
As the FBI warned in 2020, fake job scams are an old trick, but online recruitment and teleconferencing apps have made them more lucrative and made it easier to create false interviews. Stolen personal information is used to take over a victim’s financial accounts, open new accounts, or obtain fake driver’s licenses or passports.
Victims are often offered work-from-home jobs and are sent a bogus employment contract to sign, and then asked to submit driver’s licenses, Social Security numbers, direct deposit information, and credit card information. Victims are asked to pay upfront for background checks, job training, and startup supplies and told they will be reimbursed in their first paycheck. After victims pay, the scammers vanish.