December 23, 2024

Recruitment Phishing Season Is Open

In the past twelve months, parts of the U.S. have moved from having high unemployment to a shortage of interested applicants. With this shift has come the return of an unscrupulous practice: using the good reputation of companies to collect resumes and applicant contact information for companies wholly unaffiliated with the identified employer. The method is also used to get personal data from people who would, under normal circumstances, never provide an unknown company with information that can be used to set up financial accounts or otherwise conduct a scam.

Known as ‘recruitment phishing’ or ‘company spoofing,’ the scam can be done in a number of ways. In the worst case, the applicant turns over personal information to a company that uses it for identity theft. Even in the best case, where someone is actually recruiting for a client company, the candidate is involved in a recruitment process under false pretenses, and the employer whose identity is spoofed gets nothing.

One kind of recruitment phishing is when a recruiter puts out an ad that describes a company and an opportunity that comes across as a veiled reference to a prominent employer. The ad states it is recruiting for a company that prefers to keep its identity confidential, but the description seems to fit a well-known company. The well-known company has not, in fact, engaged the recruiting company. If a candidate takes the bait, the recruiter collects resumes and now has a resume bank that can be used to fulfill the recruitment orders for its clients who are unaffiliated with the expected employer. Only the recruiter wins in this scam. The recruiter gets the fee for providing qualifying candidate resumes to one or more client companies, but the candidate did not seek out the client company. The client company gets candidates who may have no interest in the location or type of work and may resent having been tricked into sending in a resume. 

Another version of the scam is bolder and can have more severe consequences. It involves ‘spoofing’ by using the name of the prominent employer to send out recruiting e-mails to a mailing list of people.  The e-mail states that it is recruiting for the company and has positions that look like a great fit for the e-mail recipient. The potential position is described in detail, including an attractive pay scale and a good working environment. The recipient is encouraged to click on a link to the ‘recruiting site’ to complete an application. The purported employer’s name is usually somewhere in the return address or on the recruiting site. During the ‘application,’ the candidate provides personal information that may be used as part of other scams. Of course, the applicant never hears from the purported employer.

Employers can protect themselves (and their potential job applicants) from these kinds of scams by:

  • Having their own recruiters regularly check various job posting sites, including major general sites, industry-specific sites, and profession-specific sites, for unauthorized ads that seem to describe the company. If one is found, follow up with the job posting site to explain the concern. The site will likely remove the misleading posting. If the ad is unintentionally misleading applicants, job sites may require the posting to include a disclaimer regarding certain employers.
  • Checking out complaints about lack of response to applications, particularly when the potential candidate states that the recruiter initially contacted them to apply for a position. Check to see if the person did actually apply for a job or if the complaints describe practices that are inconsistent with how the company handles recruitment and follow-up. If there is no record of the person making an application or if the description of the process is different than actual practice, get more information, including asking the complaining applicant to forward a copy of any correspondence (e.g., e-mail).
  • If you discover that your company has been ‘spoofed,’ the Federal Trade Commission (www.ftc.gov) provides the following advice regarding what steps to take:

Report the scam to local law enforcement, the FBI’s Internet Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. You can also forward phishing e-mails to reportphishing@apwg.org (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies).