Hackers Target Job Hunters With Malicious Web Sites and Emails

Hackers target job hunters and HR pros using malicious emails and malicious web sites. Sometimes they target military vets (Hire military heroes), but the attack can be used for many audiences. It can get employees to reveal sensitive information, such as projects that they are working on. Sometimes it collects the information that browsers return when a user clicks on a link, and the attackers use that information later for more targeted attacks.

It is believed that, in one scheme, Iran is targeting active duty service members with bogus job offers.

Sometimes the scam even includes fake interviews and copies jobs that companies have really posted, except that the interviews are not conducted by or for the company.

Employees need to understand that if they get solicited for a job and the offer seems too good, it may well be too good.

One of the scams goes all the way through offering the victim a (supposed) job, complete with an employment application (which captures the victim's social and bank information).

Another version tells the newly hired person to buy a computer from the company’s preferred vendor for which they will be reimbursed.  Needless to say, the victim never receives the computer and the “vendor” is actually part of the scam.

On the HR side, the hackers send emails with fake resumes.  The resumes contain malware, using vulnerabilities in Acrobat and Office.  If the HR person opens the attachment, their computer is infected with malware or ransomware.

This is a challenge for employees who, as part of their job, get unsolicited emails all the time. There are email security services that intercept attachments on inbound emails and provide a link to a sandboxed copy of the attachment that can trap the malware, but that, of course, is not free.

A lot of this boils down to aggressive anti-phishing training, which can be done cost-effectively with cloud-based tools (talk to me if you want a demo of the tool that we sell). Aggressive means at least weekly, preferably with different campaigns targeted to different audiences. A campaign that might catch a salesperson is likely different from one that would catch an engineer, for example.

Ultimately, humans are the weak link in this chain.