How scammers can turn a dream job into a cybersecurity nightmare

If you’re a new starter, the ping of an incoming message from a senior colleague can be thrilling.

When you find they’re asking for your help with a small task, you may well jump to it – and become a victim of Australia’s latest cyber scam.

Jobseekers and new starters are increasingly attractive targets for cybercriminals, who use sites like LinkedIn and sophisticated social engineering techniques to persuade their victims to part with money and personal data. But how does the new scam work, and why is employment fraud an increasing part of the threat landscape?

Recruitment and work scams are on the rise

Australians lost over $2 billion to scams in 2021 – more than double 2020’s figure. But while attacks are rising across the board, recent research suggests that work and recruitment scams are thriving in the current climate.

According to Queensland University of Technology (QUT) Associate Professor Deanna Grant-Smith, post-pandemic work patterns have “created a bountiful environment for offenders to effectively target potential victims”. More employees have begun to work remotely, some have lost their jobs and others have transitioned to freelance or gig work, leaving a higher proportion of the population outside the classic cybersecurity “perimeter”.

As a result, scams are circulating via email, SMS and Whatsapp, as cybercriminals hunt for personal data and bank details, and encourage jobseekers to spend money on fraudulent training materials or registration fees. New hires are under threat too, as scammers use information from social media to sucker recent arrivals.

How new starter scams work

Many of us share more than we should on social media, and cybercriminals are watching. One business software company recently described how a new starter was almost snared. The employee received a message from one of the organisation’s founders, addressing him by name and asking him to “get something done as soon as possible”. He replied, and got a response from the founder asking him to immediately buy gift vouchers for which he would be reimbursed. Thankfully, the employee checked with his line manager, who flagged the incident as a probable scam.

• This increasingly common scam shows some of the classic features of a social engineering attack:
• the message encouraged a sense of urgency (“as soon as possible”)
• it used a casual tone and used personal details, such as employee names
• the request for money, in the form of gift vouchers (frequently used by scammers) was not immediate – it came after the scammer had established a connection with their victim
• the request was carefully targeted at a new employee, who might not know the ropes
• the message used spoofing to make it appear that it was sent from the founder

The scammer got their information from a single source – LinkedIn. Job platforms are a serious cybersecurity risk since they detail employees names, recent projects and start dates: all freely shared information that scammers can leverage to make their requests more credible.

How individuals can stay safe

Targeted strikes on new starters are only one kind of employment-related social engineering attack. Scammers may use sites like LinkedIn to lure people to targeted job offers, after which they may be sent to a spoofed website page where their data will be captured. WhatsApp messages claiming to offer jobs at JB Hi-Fi and Target are another common approach. Scammers may ask their victim to buy a laptop, then mail it to them so they can install updates – with the laptop and scammer vanishing into thin air. Some job hunters may even be funnelled into cryptocurrency scams.

So how can individuals stay safe?

• Visit Scamwatch if you see a concerning message, and sign up to email updates on the latest scams
• Take your time: urgency is one of scammers’ most powerful weapons. Pause, walk away from your screen, and check with a colleague or friend if you are uncertain
• Review your privacy settings on social media to starve scammers of ammunition (you can also report suspicious profiles on LinkedIn)
• Be especially wary of any transactions you are asked to make in gift cards, iTunes cards or cryptocurrency
• Do not click on suspicious links or attachments
• If you’re not sure a message is from who it claims to be, contact the sender via an address you have obtained from an official website or app
• Spoofed emails and websites can be hard to spot, so check email and web addresses and company branding carefully
   

Making your organisation scam proof

No organisation can be 100% scam proof, but you can make yourself a harder target for cybercriminals. Key measures include:

• Have clear social media and device policies
• Ensure training is frequent, and targeted at your biggest threats
• New hires and part-time or gig workers can be your biggest weakness – make sure they do not slip through your security net
• Share news of recent attacks or trends
• Use firewalls, data segmentation and zero-trust frameworks to keep your data safe if a bad actor does make an incursion onto your systems
• Use anti-spoofing measures such as DMARC
   

The job market is a fertile place for scammers

Changes to the way we work since the pandemic have made jobseekers and new hires more attractive than ever to scammers. Job sites and governments are struggling to keep criminal activity in check – indeed, scraping data from LinkedIn was found to be legal in a recent US case. That means the onus to stay safe is on individuals and companies. Thankfully, a few basic steps can help us all stay safe when searching out or starting new jobs, not least trusting your own instincts. If an offer feels too good to be true, or a request seems out of the ordinary, get that message out of your inbox – and scammers out of your life.