IT recruitment fraud is on the rise: according to research published by Moody’s, victims lost over $501 million to job scams in 2024. Scams primarily target job seekers by asking them to make upfront (supposedly reimbursable) payments for jobs, stealing their personal identities, or using cutting-edge technologies such as deepfakes to stage false interviews. However, recruitment fraud can also be used as a means of attack against companies: modern-day attackers target organizations, and in particular their employees, HR systems, and networks. For instance, companies may receive résumés from fake applicants with embedded malware, a scam recruiter may impersonate an employee to obtain system access, or a compromised hiring portal (such as an applicant-tracking system, or ATS) may be used to steal data or credentials. Attackers may also ask IT staff to create “new employee” accounts for fake hires, potentially compromising sensitive data and damaging the organization’s reputation.
Specific Social Engineering Attacks Employed by Fraudsters
Common strategies employed by fraudsters include creating convincing LinkedIn or Indeed listings and impersonating authentic recruiters through lookalike domains and spoofed emails. At other times, candidates are sent application forms or offer letters that carry malware or link to fake login pages designed to look like those of credible organizations. Once there, victims enter their username and password, handing their credentials to the attackers. Another common approach is to gain access to applicant-tracking systems (ATSs), where scammers exfiltrate résumé data, send malicious messages to candidates, or create fake job postings from legitimate accounts. In some cases, attackers ask victims to install remote desktop tools under the pretext of an interview setup or onboarding assistance; the intention is to compromise the victim’s whole system.
The Major Impact of Attacks
Typical organizations targeted by scammers include banks, tech firms, and government agencies, as these organizations manage high-value data, such as financial, personal, and operational information. They also interact with third-party vendors and remote recruitment systems, which gives scammers a wider attack surface. Banks, for instance, may handle thousands of applicants and interact with dozens of internal recruiters. As such, they have a substantial digital footprint that attackers can exploit to access internal systems or damage their brand.
What Defenders Should Look Out For
Defenders should be vigilant for signs of recruitment scams, such as recruitment emails from free accounts (e.g., Gmail) claiming to represent known companies. Other red flags include job postings that don’t appear on a company’s official site, offer letters or forms requiring logins or password entry on unfamiliar domains, new or unusual ATS logins (especially from foreign IP addresses or at odd hours), and attachments or links with file names containing words like “résumé,” “offer,” or “application.” It is vital to monitor these patterns, as they serve as early warnings that a system may be compromised.
Vital Tools for Defenders
Security teams don’t need to invest in expensive technology. They simply need to bring HR and recruitment systems into the monitoring they already do, focusing on the right types of detection. These include email filtering and monitoring to flag suspicious recruitment-related keywords, web traffic analysis to spot employees or applicants connecting to lookalike careers domains, and SIEM rules that correlate login anomalies from ATS or HR platforms, such as multiple failed logins or logins from unusual locations. It is also important to rely on endpoint alerts or security warnings from endpoint protection software, such as Microsoft Defender, CrowdStrike, or SentinelOne. These alerts notify security teams when suspicious activity is detected on users’ devices. In particular, they generate alerts when Microsoft Office documents (such as Word or Excel files) attempt to run code after being opened. This is a red flag for a potential phishing or malware attack, since authentic Office files rarely need to run code outside of Office itself.
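As an added worked example (not code from the original article or any vendor product), the following Python script turns the red flags listed in the two sections above into detection logic and runs it over constructed sample data: recruitment emails from free-mail senders claiming to represent the company, sender and link domains that imitate the company's careers domain, lure-named attachments, and ATS login anomalies such as bursts of failed logins, logins from unexpected countries, and successful sign-ins outside business hours. The company domain, thresholds, field names, and all sample emails and login events are assumptions chosen for illustration; the IP addresses come from the documentation ranges.

```python
"""Added example, not code from the original article: a detection pass over
constructed recruitment-email metadata and ATS login events. Field names,
thresholds and sample data are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

COMPANY_DOMAIN = "examplebank.com"      # assumed legitimate careers domain
COMPANY_LABEL = COMPANY_DOMAIN.split(".")[0]
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
LURE_WORDS = ("resume", "résumé", "offer", "application")
ACTIVE_EXT = (".exe", ".docm", ".xlsm", ".html", ".htm", ".js", ".lnk", ".iso", ".zip")
EXPECTED_COUNTRIES = {"US"}             # where ATS users normally sign in from (assumed)
BUSINESS_HOURS = range(7, 20)           # 07:00-19:59 local time (assumed)
FAIL_THRESHOLD = 3
FAIL_WINDOW = timedelta(minutes=10)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from our domain suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for domains that are not ours but imitate it (typosquat or our name embedded)."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return False
    return edit_distance(domain, COMPANY_DOMAIN) <= 2 or COMPANY_LABEL in domain


def check_email(msg: dict) -> list:
    """Red flags for one recruitment email, using only headers, link hosts and attachment names."""
    flags = []
    sender_domain = msg["from"].rsplit("@", 1)[1].lower()
    claims_company = COMPANY_LABEL in (msg["display_name"] + msg["subject"]).lower()
    if sender_domain in FREE_MAIL and claims_company:
        flags.append(f"free-mail sender {msg['from']} claims to represent {COMPANY_DOMAIN}")
    if is_lookalike(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates {COMPANY_DOMAIN}")
    for link in msg.get("links", []):
        host = link.split("//", 1)[-1].split("/", 1)[0]
        if is_lookalike(host):
            flags.append(f"link to lookalike careers domain {host}")
    for name in msg.get("attachments", []):
        lower = name.lower()
        # HR receives many genuine résumés, so only a lure name paired with an
        # active-content file type is flagged here.
        if any(w in lower for w in LURE_WORDS) and lower.endswith(ACTIVE_EXT):
            flags.append(f"lure-named active-content attachment {name}")
    return flags


def check_ats_logins(events: list) -> list:
    """Correlate ATS login events per user: failure bursts within FAIL_WINDOW,
    logins from unexpected countries, and successes outside business hours."""
    flags = []
    failures = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["result"] == "fail":
            recent = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAIL_THRESHOLD:
                flags.append(f"{user}: {FAIL_THRESHOLD} failed ATS logins within {FAIL_WINDOW}")
            continue
        if ev["country"] not in EXPECTED_COUNTRIES:
            flags.append(f"{user}: ATS login from unexpected country {ev['country']} ({ev['ip']})")
        if ts.hour not in BUSINESS_HOURS:
            flags.append(f"{user}: ATS login at {ts:%H:%M} outside business hours")
    return flags


# Constructed sample data (not real messages or logs).
SAMPLE_EMAILS = [
    {"from": "hr.examplebank@gmail.com", "display_name": "ExampleBank Talent Team",
     "subject": "Your offer letter", "links": ["https://examplebank-careers.com/login"],
     "attachments": ["Offer_Letter.docm"]},
    {"from": "recruiter@exarnplebank.com", "display_name": "Jane Doe",
     "subject": "Interview schedule", "links": [], "attachments": ["agenda.pdf"]},
    {"from": "candidate@outlook.com", "display_name": "A. Candidate",
     "subject": "Application for analyst role", "links": [], "attachments": ["resume.pdf"]},
]
SAMPLE_LOGINS = [  # timestamps are local time; "ZZ" is a placeholder country code
    {"ts": "2025-03-03T02:14:00", "user": "recruiter1", "result": "fail", "country": "US", "ip": "198.51.100.7"},
    {"ts": "2025-03-03T02:15:00", "user": "recruiter1", "result": "fail", "country": "US", "ip": "198.51.100.7"},
    {"ts": "2025-03-03T02:16:00", "user": "recruiter1", "result": "fail", "country": "US", "ip": "198.51.100.7"},
    {"ts": "2025-03-03T02:17:00", "user": "recruiter1", "result": "success", "country": "US", "ip": "198.51.100.7"},
    {"ts": "2025-03-03T09:30:00", "user": "recruiter2", "result": "success", "country": "US", "ip": "203.0.113.9"},
    {"ts": "2025-03-03T14:05:00", "user": "recruiter2", "result": "success", "country": "ZZ", "ip": "192.0.2.44"},
]

if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        for flag in check_email(msg):
            print("EMAIL ", flag)
    for flag in check_ats_logins(SAMPLE_LOGINS):
        print("ATS   ", flag)
```

Run as-is, the script flags the first sample email three times (free-mail sender claiming the company, a link to a lookalike careers domain, and a lure-named macro document), the second once for its typosquatted sender domain, and nothing for the third, which is an ordinary candidate application; on the login events it reports the burst of failed logins, the successful login that followed at 02:17, and the login from the unexpected country. In a SIEM the same logic would be expressed as correlation rules over the mail gateway and ATS audit logs.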
Prevention Is Key
Defenders need to prioritize prevention by taking steps to authenticate recruiters and vendors, verifying their identities before granting them system access. They also need to enforce strong email security, employing email authentication technologies like SPF, DKIM, and DMARC, which prevent attackers from spoofing the organization’s domain or sending emails that appear to come from it. Another essential strategy is to integrate ATS and HR systems with a single sign-on (SSO) system. SSO lets users log in once and then access multiple applications without entering separate passwords for each one, and it lets IT staff monitor and secure access from a single place. Prevention also involves training HR staff and recruiters, as well as utilizing data loss prevention (DLP) tools to monitor for the transmission of personally identifiable information outside approved systems.
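As an added example that is not part of the original article, the following Python checker evaluates the SPF, DKIM, and DMARC records the paragraph recommends and reports weak settings next to a hardened configuration. It parses constructed DNS TXT record values rather than querying DNS, so it runs offline; the domain, the report address, and the placeholder DKIM public key are assumptions made for illustration.

```python
"""Added example, not code from the original article: assess SPF, DKIM and
DMARC TXT records for weak settings. Records below are constructed values."""
from typing import Optional

# RFC 7208 limits these DNS-querying SPF terms to 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' style record (DMARC, DKIM) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(record: Optional[str]) -> list:
    """Findings for an SPF record: 'all' qualifier strength and lookup count."""
    terms = (record or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or malformed"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are implicitly neutral")
    else:
        q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if q == "+":
            findings.append("SPF: '+all' allows any host to send as the domain")
        elif q == "?":
            findings.append("SPF: '?all' is neutral, providing no protection")
        elif q == "~":
            findings.append("SPF: '~all' softfail; prefer '-all' once legitimate senders are enumerated")
    lookups = sum(
        1 for t in terms if t.lstrip("+-~?").lower().split(":")[0].split("=")[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def assess_dkim(record: Optional[str]) -> list:
    """Findings for a DKIM selector record: missing, revoked, or in testing mode."""
    if not record:
        return ["DKIM: no selector record published"]
    tags = parse_tags(record)
    if not tags.get("p"):
        return ["DKIM: empty public key (p=) revokes the selector"]
    findings = []
    if "y" in tags.get("t", ""):
        findings.append("DKIM: t=y testing flag set; verifiers may ignore failures")
    return findings


def assess_dmarc(record: Optional[str]) -> list:
    """Findings for a DMARC record: policy strength, reporting, coverage."""
    if not record:
        return ["DMARC: no record; receivers cannot be told to reject spoofed mail"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: malformed record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC: 'p' tag missing")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so aggregate reports are lost")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


def assess_domain(records: dict) -> dict:
    """Run all three checks; an empty list per record type means no weakness found."""
    return {
        "spf": assess_spf(records.get("spf")),
        "dkim": assess_dkim(records.get("dkim")),
        "dmarc": assess_dmarc(records.get("dmarc")),
    }


# Constructed records for an assumed domain; EXAMPLEKEYBASE64 stands in for a real key.
WEAK = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=EXAMPLEKEYBASE64",
    "dmarc": "v=DMARC1; p=none",
}
HARDENED = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dkim": "v=DKIM1; k=rsa; p=EXAMPLEKEYBASE64",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@examplebank.com",
}

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess_domain(records))
```

The weak set shows the three settings most often seen in practice: an SPF record ending in `+all`, a DKIM selector still in testing mode, and a DMARC policy of `p=none` with no reporting address, none of which stops a spoofed recruiter email from being delivered. The hardened set produces no findings.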
Taking Fast Action
If defenders suspect that a recruitment fraud incident has occurred, they must respond swiftly. Immediate actions include identifying affected mailboxes, accounts, or systems and disabling them. Equally essential is the preservation of evidence, blocking of malicious domains, and revocation of access tokens, as well as clear communication with HR and legal teams before contacting candidates. Organizations must continually update their detection rules and vendor security controls based on the information discovered during attacks. They also need to adopt continuous defense strategies, including integrating HR systems into routine security monitoring, conducting simulations of fake recruiter or job posting attacks, and measuring detection times and staff awareness.
Recruitment fraud affects not only candidates but also large organizations. These attacks can result in millions of dollars in damage and tarnish these organizations’ reputations. It is important for defenders to take a multifaceted approach to scam prevention, employing email authentication technologies like SPF, DKIM, and DMARC, and acting fast when attacks occur.