PSA: Avoiding Recruitment Phishing Scams
Sesame Street used to have a segment called “one of these things is not like the others” to teach kids how to focus on the differences in a group of seemingly similar items. Who would have guessed that the ability to “spot the not” could be applied later in life to identify phishing scams?
Phishing is a form of fraud in which a cybercriminal impersonates another entity or person to collect sensitive information or to send malicious links and attachments. Phishing attempts can be conducted over email, messaging services, and social networks. Unfortunately, phishing scams can also be a common tactic used to trick job seekers into sharing sensitive information.
Last year, more than 4,000 people in the United States reported employment scams to the Better Business Bureau. Scammers often target job seekers by masquerading as employees of real companies and reaching out to job seekers to conduct fake job screenings or interviews. They use interviews as a way to collect sensitive, personally identifiable information (DOB, social security number, driver’s license, etc.) from applicants.
As purveyors of a digital ecosystem — including custom software, mobile, and web apps — that empowers the safe exchange of information and ideas, we wanted to share the following tips to identify potentially harmful phishing attempts:
- Check the domain name: If the email domain is from a public provider such as “@gmail.com” or “@yahoo.com,” it may be a scam. Typically, established organizations use domain names they purchase to align with their company name.
- Look for spelling and grammar errors: Excessive spelling and grammar mistakes, including in email addresses, may indicate that an email is a phishing attempt.
- Beware of requests for highly sensitive information: Many established organizations use secure document sharing tools to exchange documents and information. Be cautious of any “recruiters” who request copies of a passport, social security card, or banking information to be sent over email or before employment begins.
- If it looks too good to be true, proceed with caution: As employers, we want to put our best foot forward and tell applicants all of the wonderful things awaiting them as an employee. However, an immediate offer after a cursory interview is not the standard practice here or anywhere I’ve previously worked. Most legitimate organizations have a thoughtful application process, so be wary of an immediate offer, particularly alongside some of these other questionable practices.
- Consider requests for gift cards a red flag: Over my more than two decades in HR roles, there has never been a situation in which an employer should request a gift card from a candidate or employee. Proceed with caution (or not at all) if a “prospective employer” suggests this.
As the adage goes, “if you see something, say something.” The more we all report potential risks, the more we can deter cyber threats and help keep our digital ecosystem a safe place for everyone to create, learn, and share.
There are several steps individuals can take if targeted by a scam involving employment offers. First, report the communications as spam. Then contact the following sources if relevant:
- Telegram: Start a conversation with @NoToScam and report the username.
- Indeed.com: Forward the email message to firstname.lastname@example.org.
- Email: Report the email here and mark the message as spam.
- LinkedIn: Follow the steps outlined in the Recognizing and Reporting Scams section of their site.
- Internet Crime Complaint Center (IC3): IC3 is a division of the FBI that investigates internet scams and provides a lot of great information on identifying scams to help you avoid becoming a victim.
In the event any personally identifiable information is given to a scammer, targeted individuals should immediately contact authorities to inform them of the activity. Reach out to your banks or other financial institutions to shut down accounts or credit cards if that information was shared. And of course, make sure your credit reports are always locked.
DockYard employs a rigorous hiring process and never asks applicants to share any personally identifiable information prior to an official start date. Please contact email@example.com if you have any questions or concerns about a recent interaction regarding employment opportunities with DockYard.