
Beware of Job Scams

Job vacancies are advertised on popular online employment boards and websites, in newspapers and other publications, or directly via communications such as email, social media, or SMS text messaging. Threat actors may spoof company websites and post fraudulent job vacancies to pose as legitimate employers.

They may also target job seekers with scams that entice them to click links to fraudulent employment websites or open attachments falsely labeled as resumes or other employment information. The aim is to deliver malware, steal funds, draw victims into illegal activities such as money laundering, or collect personally identifiable information (PII) that can be used to commit further malicious activity and fraud.

Tactics and techniques used in job scams include urgent requests to respond, offers that are “too good to be true,” and the impersonation of human resources recruiters, talent acquisition personnel, and department managers. Examples of job scams include work-from-home or remote work, nanny, caregiver, virtual personal assistant, mystery shopper, job placement service, and government and postal positions.

Job scams are increasing: the Federal Trade Commission reported receiving more than double the number of job scam reports in 2021 compared to 2020, and more than 16,000 complaints have been filed in the first quarter of 2022. The NJCCIC continues to receive reports of job scams targeting individuals in New Jersey, especially students at colleges and universities who may be more open to flexible, remote work opportunities and the promise of quick cash. Young adults, especially high school and college students and university graduates, typically lack real-world experience in the professional workforce and could be more inclined to fall for job scams. Threat actors are targeting new graduates and current students seeking summer employment or upcoming fall positions.

Job Scam Example

In the example above, the job vacancy and subject line convey a sense of legitimacy from a trusted source by claiming to be for a personal assistant position in the fall for the Federal Work Study Program, despite the “Employment” display name and the Gmail sender email address. Victims who viewed the message on a mobile device saw only the spoofed display name and not the associated Gmail email address; therefore, they may be more inclined to deem the communication legitimate. Additionally, the email includes an attachment that contains more information about the purported position along with instructions for recipients to respond to an AOL account with their full name, address, phone number, age, and email address.
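The traits described above (an institutional claim sent from a free webmail address, a reply directed to a different provider, and an upfront request for PII) can be checked mechanically by a mail filter or triage script. The following Python sketch is an added example, not NJCCIC code; the keyword lists, the three-term PII threshold, and the sample message are constructed assumptions, and it assumes the attachment text has already been extracted into the message body.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them to your own mail flow.
FREEMAIL = {"gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com"}
INSTITUTIONAL = ("employment", "work study", "human resources", "recruit", "financial aid")
PII_TERMS = ("full name", "address", "phone number", "age", "email address")
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Constructed sample modeled on the message described in the text.
SAMPLE = """\
From: Employment <jobs.office.example@gmail.com>
To: student@university.example
Subject: Fall Personal Assistant Position - Federal Work Study Program

To apply, reply to hiring.desk.example@aol.com with your full name,
address, phone number, age, and email address.
"""

def job_scam_flags(raw: str) -> list[str]:
    """Return heuristic flags for one single-part message given as text."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    # What a mobile client shows: display name and subject, not the address.
    claim_text = f"{display} {msg.get('Subject', '')}".lower()
    body = msg.get_payload()
    body = body.lower() if isinstance(body, str) else ""
    flags = []
    if sender_domain in FREEMAIL and any(k in claim_text for k in INSTITUTIONAL):
        flags.append("institutional_claim_from_freemail")
    # Any address in the body on a domain other than the sender's.
    if {d for d in ADDR_RE.findall(body)} - {sender_domain}:
        flags.append("reply_redirected_to_other_domain")
    hits = sum(bool(re.search(rf"\b{re.escape(t)}\b", body)) for t in PII_TERMS)
    if hits >= 3:
        flags.append("upfront_pii_request")
    return flags

if __name__ == "__main__":
    print(job_scam_flags(SAMPLE))
```

These flags are triage hints for a human reviewer, not verdicts; legitimate small employers also use free webmail.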

One victim stated that once they submitted their information, they received a text message from an unknown number to confirm their identity. Threat actors can use the submitted information to contact victims and commit further malicious activity and fraud. The FBI warned of the use of stolen PII and deepfakes to apply for remote work positions, such as information technology and computer programming, database, and software-related job functions with access to PII, financial data, corporate databases, and proprietary information. During the interviews, the threat actors posing as applicants used voice spoofing or voice deepfakes in which the visual actions, such as lip movement, were not in alignment with auditory actions.


The NJCCIC recommends users and organizations reduce victimization by educating themselves and others on these continuing threats and tactics. Users are advised to avoid clicking links and opening attachments from unknown senders and exercise caution with communications from known senders. If a message’s legitimacy is unknown, contact the sender via a separate means of communication – such as by phone – before taking any action. Navigate to websites directly by manually typing the URL into a browser, instead of clicking on links delivered in communications, to ensure you are visiting the legitimate website and verify the posted job opening. In addition, job seekers are advised to research potential employers and businesses before responding or providing sensitive information. Requests for PII, such as a Social Security number or bank account number for direct deposit, should be considered a red flag when requested at the beginning of the application process. Also, be wary of interviews conducted remotely and over email only. If hired, ask for an employment manual or handbook, as threat actors typically are not able to provide these documents. Please review the Identity Theft and Compromised PII NJCCIC informational report for additional recommendations and resources, including information on credit freezes and enabling multi-factor authentication (MFA) on accounts.