Forget being catfished on a dating site, con artists have turned their attention to the professional world, with scammers posing as fake recruiters and job applicants, infiltrating the inboxes of unsuspecting business owners. It’s a case of small business owner beware, writes Arni Hardason, Head of Assurance at Pure Security.
Small and medium-sized businesses are increasingly a major target for cybercriminals
Business owners need to be aware when doing a call out for new staff of the increase in scam recruiters on LinkedIn. Fake candidate profiles and malware-laden documents and CVs can be used to infiltrate companies in order to defraud them or steal personal data. Social engineering, ransomware and phishing attacks cost businesses of all sizes big money each year.
5 ways to help you spot online scammers
1 – Fake recruiter profiles
Scammers use LinkedIn to create fake recruiter profiles to initiate contact with companies. They typically offer a candidate’s CV, before following up with emails direct. The email attachments contain malicious software code that can initiate ransomware attacks or gain some form of access to the target organisation’s computer network. When responding to a job ad, look carefully at the recruiter’s profile. Does the profile picture look real? Does the recruiter’s history look legitimate? Do they have a large number of connections? Fake recruiters often have very few LinkedIn contacts. Do they have a corporate email address or are they using a free email address? There are usually red flags you will see with a bit of extra digging.
2 – Fake candidate profiles
When a job ad is published, businesses can be flooded with cover letters and resumès from candidates. Criminals take advantage of this by sending documents infected with malicious software or by directing owners and staff to websites, purporting to be online profiles but are actually a way to distribute malware through drive-by downloads or other methods. These can be used to initiate ransomware attacks. Ensuring your operating system, security software and any third-party applications are up to date is important. And you should have software to scan all attachments as they enter the business before they reach your inbox. As part of your due diligence, you should always cross-reference shortlisted candidates before the interview and look at their social media profiles and other sources of information to first determine if they are a real individual and secondly a fit for your company.
Red flags can include a lack of connections in your network, and unusual employment and education histories.
3 – Be careful how you word job advertisements
Don’t fall into the trap of giving too much information in job advertisements. Some advertisements, particularly those for technical roles, can provide vital intelligence that can be leveraged in an attack. Rather than detailing the exact names and versions of software or models of hardware you use, keep the description more general.
4 – Run a secure operation
You have access to a vast amount of personal employee information, so it is important that user accounts are secured. Criminals may try to access your account and change the banking details of staff. When automated payroll comes around, salaries are directed into the criminal’s account and quickly siphoned off before you’ve noticed. Or they might access medical information or other sensitive data. It is critical that all user accounts have two-factor authentication enabled so a compromised password isn’t all that stands between a criminal and a massive financial loss.
5 – Keep your staff informed
It is important that you keep staff informed about the presence of these scams, teach them to verify the identity of all recruiters and candidates who approach them and keep information on LinkedIn to a minimum only, enough to attract the right people to want to join your team, but not too much that you give scammers useful intelligence. As well as being aware of specific scams, ensure all your staff have undertaken general security awareness training.
Even information such as holiday plans, managers with financial delegation being unavailable or staff vacancies can be exploited by criminals looking for weaknesses they can exploit.
Want more? Get the latest coronavirus news and updates straight to your inbox! Follow Kochie’s Business Builders on Facebook, Twitter
Now read this