What to Do About Identity Thieves Posing as Recruiters

There was a time when you could put a padlock on the dumpster to keep identity thieves at bay, but in the age of the internet, stealing personally identifiable information (PII) or money is easier than ever before. As financial institutions come up with more ways to prevent fraud, scammers respond by getting more creative. From December 2014 to December 2016, malicious impersonators on social media multiplied by a factor of 11, according to "Social Engineering in the Social Media Age: Top Fraudulent Account Impersonator Tactics," a white paper from social media security firm ZeroFOX.

Of particular concern to the corporate recruiting industry, identity thieves are taking to social media sites and posing as recruiters to steal money and personal information.

"Recruiter scams can be found across all major social networks, but they thrive on Facebook and LinkedIn in particular," says Spencer Wolfe, security research writer at ZeroFOX. "This is to be expected, considering these platforms are most often used for actual recruiting."

Wolfe says recruiting scams "come in two main flavors":

The scammer asks the job seeker to submit an "application fee," which is usually a few hundred dollars.

The scammer sends the job seeker to a phishing page, which the scammer uses to harvest the job seeker's credentials and PII.

"In terms of delivery, the scammer always sets up a fraudulent impersonation account and attempts to siphon off traffic to the legitimate brand account," Wolfe says. "With this impersonation, they direct-message candidates, many of whom self-identify as job seekers to attract attention from employers; they cross-post on other social networks to advertise their fraudulent account; and they engage in existing conversations about jobs and the company in general."

However simple or elaborate the scam, the endgame is predictable.

"As with nearly all criminal enterprises online, the ultimate goal is money," Wolfe says. "This can be direct, in the case of the fake application fees, or indirect, in the case of the phishing attacks. This phished PII is almost always sold on the dark web and in hacker market places to other cybercriminals who seek to monetize the data."

Fighting Back Against Identity Thieves

Businesses that want to protect their brands must crack down on thieves who impersonate representatives of their companies.

"Companies ought to monitor for these accounts and take a proactive approach in removing them," Wolfe says. "These accounts blatantly violate the social network terms of service, and [social media platforms] will always comply in removing the account. With this in mind, companies need to find and report the accounts [in a way that is] as fast and as automated as possible. Once an account is taken down, it takes a cybercriminal just 20 minutes to build a new one, hence why social media is so attractive to the modern attacker."

While scammers constantly find new ways to defraud companies and individuals, the digital security industry also works tirelessly to find new ways to combat scammers.

"To find and eliminate malicious accounts at this speed and scale, companies rely on robust automation, advanced analysis, and programmatic access to the social networks' security queues," Wolfe says.

Anyone who finds themselves the target of a fraudulent social media account should report it immediately to three places, Wolfe says: the social network itself, the company being impersonated, and the FBI's Internet Crime Complaint Center (IC3).

"Although the FBI will not be able to take action, the IC3 aggregates this type of data for future use by government and industry alike," Wolfe says.