Uptick in Employment Scams

The NJCCIC observed an uptick in employment scams that target and exploit individuals seeking employment. Threat actors first perform reconnaissance on their targets, gathering information from various sources, such as past data breaches, publicly disclosed data, social media profiles, and data purchased on the dark web. They communicate with their targets via emails, text messages, WhatsApp, or Telegram to initiate conversations about purported job opportunities created from legitimate job postings. They may also create and post fraudulent job postings or profiles through trusted professional online employment boards and websites, such as LinkedIn, CareerBuilder, Indeed, and Monster, or via social media platforms like Facebook. They typically impersonate legitimate employers and recruiters and spoof legitimate domains. The threat actors express interest in the target’s compatibility for a vacant position and attempt to ascertain the target’s willingness to explore the opportunity further.
The NJCCIC’s email security solution detected an employment scam in which threat actors use the legitimate Xero platform to create a trial organization and quickly send large amounts of spam emails before they are detected and shut down. In this campaign, the threat actors impersonate Coca-Cola and incorporate its branding. The email contains a link with the Coca-Cola name in the URL, but it does not direct to Coca-Cola’s official website. Instead, it directs the target to a malicious website that prompts them to update their browser. If the target clicks the prompt and installs the purported update, sensitive information and devices may be at risk.
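The mismatch described above, a brand name in the link but a destination that is not the brand's own site, can be checked mechanically in a mail or proxy pipeline. The following is an added example, not NJCCIC code; the allow-list entries, function names, and sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: allow-list maintained by the defender; entries are illustrative.
OFFICIAL_DOMAINS = {"coca-cola": {"coca-cola.com", "coca-colacompany.com"}}

def _squash(text):
    """Lowercase and drop separators so 'Coca_Cola' matches 'coca-cola'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def host_is_official(host, domains):
    """True only for an allow-listed domain or a subdomain of one."""
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def check_link(url):
    """Return (verdict, brand): 'official', 'brand-mismatch' or 'no-brand'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Search netloc (incl. userinfo), path and query: the brand can sit anywhere.
    haystack = _squash(parts.netloc + parts.path + parts.query)
    for brand, domains in OFFICIAL_DOMAINS.items():
        if _squash(brand) in haystack:
            ok = host_is_official(host, domains)
            return ("official" if ok else "brand-mismatch"), brand
    return "no-brand", None

# Constructed sample links on reserved example domains, not observed indicators.
SAMPLES = [
    "https://www.coca-cola.com/careers",               # real host: official
    "https://coca-cola-careers.example.net/apply",     # brand in a foreign host
    "https://coca-cola.com.hiring.example.net/update", # official name as subdomain
    "https://jobs.example.net/Coca_Cola/offer?id=1",   # brand only in the path
    "https://coca-cola.com@jobs.example.net/",         # brand in userinfo
    "https://jobs.example.org/openings",               # no brand at all
]

def triage(urls):
    """Return the links that name a brand but resolve to a non-official host."""
    return [u for u in urls if check_link(u)[0] == "brand-mismatch"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{check_link(u)[0]:15} {u}")
```

The check matches exact brand spellings only; lookalike spellings and shortened links need separate handling.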
Threat actors also impersonate legitimate employers and recruiters through multiple random text messages in the hope that their target is an interested job seeker. In this campaign, the text message outlines the position’s benefits, including remote work, flexible hours, and a potential average daily pay ranging from $300 to $900 or more. To avoid detection, they often request to continue the conversation on a chat platform like WhatsApp or Telegram. Legitimate employers do not typically request that applicants communicate or send information through instant messaging platforms.
The NJCCIC also received multiple reports of threat actors creating fake profiles on LinkedIn, impersonating employers and recruiters, and sending direct messages to potential victims regarding fraudulent job postings. The emails request interested targets to provide their email addresses and resumes. If there is no response, the threat actors sometimes attempt to contact their targets via email and phone.
Once contact with a target in these employment scams is established, the threat actors often request information as part of the application process or job offer. They intend to steal personally identifiable information (PII) or monetary funds, potentially committing identity theft and launching other cyberattacks. They may conduct fake online interviews to inquire about work experience, salary expectations, and other typical employment concerns. Threat actors may ask for personal information or ask their target to pay for processing or application fees, training, or background checks. They may also send fraudulent invoices for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement. In some instances, they also partake in fraudulent check scams via mail to cover all or a portion of the job-related fees or expenses. Until the fraudulent check supposedly clears, threat actors pressure their targets to start the job immediately and insist they front the money, resulting in monetary losses.
Key suspicious indicators of employment scams include vagueness from the purported employer or recruiter about the position, the job sounding “too good to be true,” and upfront requests for personal and financial information, such as a Social Security number, a driver’s license number, or banking information for direct deposits. Threat actors may also create urgency to respond or accept a job offer. The use of unofficial communication methods, including personal email accounts, non-company email domains, teleconferencing applications, and apps like WhatsApp, Telegram, Signal, or Wire, is also a red flag.
Besides targeting job seekers, threat actors also target corporate human resources departments and recruiters to steal account credentials and funds. They abuse legitimate message services and job platforms to apply for real jobs. Researchers discovered the financially motivated Venom Spider threat group sending spearphishing emails to the hiring manager or recruiter. These emails contain links directing them to download the purported resume from an external website. The threat actors insert a CAPTCHA box to create legitimacy and bypass security controls. They then drop a backdoor called More_eggs and use server polymorphism to deliver the payloads and evade detection and analysis.
Recommendations
Refrain from clicking links and opening attachments from unknown senders, and exercise caution with communications from known senders. Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam. Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in communications to ensure the visited websites are legitimate. Refrain from contacting or clicking on unknown telephone numbers found in unsolicited messages or pop-up notifications. Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds. Review additional information on job scams on the FTC’s website. Report malicious cyber activity to the FTC, the FBI’s IC3, and the NJCCIC. If victimized, report the scam directly to the respective employer or employment listing service. If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.