If there is one group that lives by the maxim ‘never let a good crisis go to waste,’ it’s today’s online scammers. Amid a burgeoning economic crisis with significant job losses announced across industries, they are moving quickly to take advantage. A recent surge in recruitment impersonation scams is part of an ongoing story of sophisticated attacks where cybercriminals quickly hook onto current affairs—such as the looming recession and the worst cost-of-living crisis in decades—to offer quick fixes for job security or promises of a higher income.
In Q3 last year, JobsAware, a service that provides free help to UK victims, reported a 35% year-on-year increase in job scams. With a higher number of people now searching for job opportunities or being more inclined to switch jobs if it boosts income, scammers are cashing in. Often, their approach is to use fake recruitment processes to extract personal information and gain access to sensitive data.
Targeted scam
Sophisticated techniques can be used to create a synthetic recruiting experience: fake adverts, application processes, and interviews are all becoming more targeted and convincing. Now, with the boom in conversational AI, such as ChatGPT, it is even easier for criminals to mock up recruitment materials that are tonally accurate and packed full of relevant and convincing detail. These techniques are a powerful combination when paired with the rise in gig and remote working. People gain work through apps with little human interaction, and the associated threat is heightened.
However, scammers also rely on less technologically advanced tactics, such as wholesale ripping off of legitimate job adverts: copy/paste jobs that lead job seekers to malicious links. Trusted platforms like LinkedIn are seeing a surge in fabricated job ads and profiles, with nearly 22 million fake accounts blocked by LinkedIn between January and June last year alone. Senior employees are the preferred targets for this type of targeted scam. Sending bulk messages to numerous social media profiles or via text continues to be a less-sophisticated entry point for scammers to request further personal information or induce malicious link-clicking.
From Aviva to PwC, UK companies are warning job seekers to be wary of fake online recruiters purporting to represent real opportunities. With reputations on the line, companies are keen to counter scammers’ efforts. However, beyond the reputational issues, successful approaches by scammers to individuals can often open a back door for criminals to access organizational data and systems.
84% of organizations have experienced an identity-related breach, and now, job scams are opening another avenue for hackers to capitalize on weak identity points. With most enterprises housing thousands to millions of identities, the opportunity for scammers to infiltrate these identities via job scams is increasing exponentially. How, then, can organizations protect against the fallout of fake recruiters targeting weak identity defenses?
Scam-spotting: it’s a team sport
As with most scams and hacks, the first line of defense is people. Beating scammers at their game is a team sport. Employees must be educated and supported to recognize the subtle signs of malicious communications, maintain a high level of skepticism and take steps to verify sources.
Employers can help by ensuring that they maintain consistent communication methods and clarify what sort of comms employees should expect. When communications raise suspicion, there should be a straightforward way for employees to raise the red flag and processes in place to manage and communicate the risks to the other employees.
Beyond employee communications, businesses should set expectations for their interactions with people inside and outside the enterprise and maintain authenticity and veracity in all their communications. With interaction on various social platforms now commonplace, education is even more important. Companies should publicize clearly how and where they communicate job opportunities and maintain consistency in this messaging across all their channels.
Where scammers do break through and obtain stolen employee credentials, ensuring security through proper identity safeguards is vital. As the scale of identities in today’s enterprise environments rises rapidly, organizations must shift from human operations to newer, innovative approaches that can keep pace with a rapidly evolving environment.
AI and machine learning
Identity security technologies powered by AI and machine learning are an essential element of defense against malicious intruders. Such tools not only control the access that humans and non-human identities have to systems, but they can also spot risky user behaviors, detecting and preventing toxic access combinations that could lead to breaches and data theft.
While such technology is a vital component in the security ecosystem, it should not be seen as a panacea. As scammers become increasingly creative, humans will always be the first line of defense. The concept of defense in depth applies not only to technology but to the entire model—blending human education and awareness with tools and innovation that can provide a robust approach to identity security. When human defenders stand alongside AI-enabled security tools, closing the gates to scammers becomes far easier work.