SecureMac, Inc.

Checklist 255: Help Wanted: Data Guardian

November 11, 2021

LinkedIn scam job ads and how to avoid them. Plus: Are those social media quizzes really safe to answer?

On this week’s Checklist:

Data wanted, apply within

A recent ProPublica report warns of scam job ads on LinkedIn and other websites used by job seekers.

The scam postings are aimed at getting job seekers to give up personal information. In effect, they’re a form of phishing. And unfortunately, people who have studied the problem say that it appears to be getting worse: There were 36,350 suspicious job ads posted as of last month, up from just 2,900 in March of this year. 

So what’s to be done? For job seekers, “just stay away from LinkedIn” is not helpful advice. They’re looking for work, and they’re not about to avoid the world’s largest professional networking site during their job search.

The good news is that there are a few easy ways to spot these job ad scams. The folks at ProPublica put together a report with advice on how to avoid being taken in:

  1. Beware of “too good to be true” salaries

    If the salary on offer seems a little too generous, beware. Compare the job posting against ads for similar jobs to see what’s normal. You can also use sites like Glassdoor or the Bureau of Labor Statistics’ Quarterly Census of Employment and Wages as benchmarking tools. If you’re being offered several times the going pay rate … that’s fishy.

  2. Don’t take a job you didn’t apply for

    Some scammers send out job offers as soon as a person uploads their resume to a job site. They’ll often send an email saying that the person has been “pre-approved” for a job or using similar verbiage. This is an attempt to get people to divulge personal details, or to download an attachment containing malware. If you get such a message, you can safely ignore it.

  3. Be skeptical of early ID verification

    Yes, if you actually get the job, you’re probably going to have to fill out tax forms and share some personal information. But when you’re asked to verify your identity or confirm your Social Security number as part of the initial application process, that’s a big warning sign. Scammers often use early verification as a way to steal sensitive personal information; a legitimate employer isn’t going to request any of that up front.

  4. Do a web search

    If cybercriminals were hard-working, productive members of society … well, they wouldn’t be cybercriminals. This fundamental laziness can help you spot their scams, because they’ll often reuse the same text in different scam job ads (instead of taking the trouble to write something new). If you aren’t sure about an ad, try doing a web search for a portion of the text. If you find that exact same ad being used by different “employers” all around the country, you’ve probably spotted a scam!

  5. Look for lookalike domains

    This one should be familiar to anyone who knows how to avoid phishing scams: Keep an eye out for lookalike domain names. If you’re given a URL that is close to the official URL for the company, but not identical to it, stay sharp! This is a common tactic used by scammers. Alas, “careers.googel.ru” doesn’t really have a high-paying software development job for you.

  6. Never give out credit card or login details

    This one may seem obvious, but we’ll say it anyway: Legitimate employers won’t ever need your credit card information or your account login details. If anyone starts asking you for this as part of the job application process, run, don’t walk, the other way. Better yet, report them to the platform as a scammer.

  7. Don’t buy anything

    Scammers will sometimes ask job seekers to buy some work equipment (e.g. a new laptop or a phone) with the promise that they’ll be reimbursed later on. Don’t fall for it. This is a new variation on an old scam, and if you buy that piece of equipment, you’ll be on the hook for it.
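As an added illustration of item 5 (this is example code, not from the podcast or ProPublica's report), a small Python check that flags URLs whose registrable domain merely resembles or embeds an employer's official domain, such as the “careers.googel.ru” case above. The OFFICIAL_DOMAINS set is a constructed stand-in for the employer's verified domains, and treating the last two host labels as the registrable domain is a simplification for the example.

```python
from urllib.parse import urlsplit

# Constructed list of trusted employer domains (assumption: in practice, take
# these from the employer's verified website or LinkedIn company page).
OFFICIAL_DOMAINS = {"google.com", "linkedin.com", "securemac.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values indicate a typosquat (googel vs google)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lowercased host from a URL or bare domain, with userinfo and port stripped."""
    if "://" not in url:
        url = "http://" + url  # bare "careers.googel.ru" as seen in a job ad
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """Last two host labels (simplifying assumption: no co.uk-style suffixes)."""
    return ".".join(hostname(url).split(".")[-2:])


def classify_url(url: str) -> str:
    """'official' for a trusted domain, 'lookalike' if it only resembles or embeds
    one (different TLD, misspelling, brand used as a subdomain), else 'unknown'."""
    domain = registrable_domain(url)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    host = hostname(url)
    leading_labels = host.split(".")[:-2]  # everything left of the registrable domain
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # Brand word misspelled or moved to another TLD: googel.ru, goggle.com
        if edit_distance(domain.split(".")[0], brand) <= 2:
            return "lookalike"
        # Brand parked in front of some unrelated domain: linkedin.com.apply-now.example
        if brand in leading_labels:
            return "lookalike"
    return "unknown"
```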

Harmless fun or social engineering?

We’ve all seen those quizzes on social media. Which LOTR character are you? What’s your rock star name? What breed of dog best matches your personality? And so on.

Seems like a bit of harmless fun, right? Well … that’s what it’s supposed to seem like.

These quizzes are intended to appear harmless in order to get people to lower their defenses and start answering questions. But many of them are, in fact, social engineering tools — aimed at persuading you to give up your personal information so that it can be used against you. Even the ones that aren’t outright malicious aren’t really harmless, since bad guys are always scraping data from social media sites.

To get a sense of why these quizzes aren’t as innocent as they appear, just think about the kinds of questions they’re asking.

Questions like “What was the name of your first pet?” or “What is your hometown?” are exactly the sorts of things that are often used as password reset questions. Other questions, like “What’s your birthstone?”, “What was Best Picture the year you were born?”, or “What was the number one song the week you were born?”, can be used to determine your birth year, month, or even week!

For the scammers, the goal is to gather enough information to commit identity theft, breach an account, or launch a phishing scam.

Obviously, the best thing to do is steer clear of these quizzes altogether. But don’t just stop there: Spread the word. Let other people know that taking these quizzes is not just harmless fun. And keep in mind that certain demographics tend to be more vulnerable to these sorts of social engineering-based scams than others. In particular, the very young and the elderly are most at risk. So if you have a family member or friend who falls into one of those categories, take a moment this week to have a word with them about the dangers involved in these quizzes.

If you’d like to suggest a topic for a future show, or ask us a question that we may answer on the podcast, please write to us!
