So, #security folks, how are you handling all of these job scams? Specifically, we're seeing a lot of folks coming to us who were "hired" by us, but the hiring process was a scam. ie, we had nothing to do with it.
I'm not sure there's much of anything we *can* do, but maybe I'm incorrect? Thoughts?
@jerry Yeah, it's a major problem. The scammers basically pose as HR folks from various firms, “hire” the employees and then get them to send all their personal info to them. Then the duped folks end up contacting the companies, only to find out that they don't actually have a job. I heard a really good segment on it, but I can't remember which of the many podcasts I listen to that it was on.. I did find this basic article, though :
https://www.cbsnews.com/news/job-scams-how-to-protect-yourself/
@XenoPhage I've heard of plenty of hiring scams to steal personal data, but I didn't realize they were doing it under the name of actual companies
@jerry @XenoPhage Yup, and a lot times, the TA and legal teams won't take it very seriously, like it's a problem that'll just work itself out.
At a previoius company, we actually had one of the scammed file a claim against us with the BBB. It didn't go anywhere, of course, but that threat can help add some tangible realism to this for other groups. At a minimum, you want a statement on your careers page saying that legit jobs can only be found at .
You can monitor the job sites a bit, but know that these are mostly appearing in the 3rd and 4th tier sites where jobs are posted or "recruiters hang out" in an effort to snag these people. We founda recruiter profile on one of these sites where they specifically listed themselves as being a part of our company. This is a good exercise for your intel and offensive security teams to think about, threat model, and see if there are controls you can apply to reduce the likelihood. But it's a lot of effort with little reward, so it gets pushed pretty far down the priority chain.
