Businesses, HR pros, recruiters and job hunters are being urged to remain alert, due to an emerging cyber threat targeting the job market. Cybercriminals often prey on vulnerable groups of people and this latest tactic does just that, targeting those searching for paid work with employment scams.
The trend sees cybercriminals impersonating organisations by sending fraudulent WhatsApp messages to unsuspecting job candidates. The messages encourage job hunters to unwittingly respond, click links, download software or share personal information via the app.
Whilst this also happens over email, WhatsApp is increasingly being used in business settings and fraudulent messages are often more difficult to spot via the app. It may be that criminals prefer WhatsApp due to its global popularity and mobile accessibility. Messages are delivered instantly and read quickly, ideal for exploiting time-sensitive situations. WhatsApp’s informal feel can lower suspicion, and users often trust messages from known contacts or businesses more readily than emails.
What does an attack look like in reality?
An anonymous victim whose marketing agency recently suffered such a cyber attack has shared their story. The business owner comments,
“Earlier in the year, we were alerted to unusual activity relating to our business by a job applicant. Fraudsters had messaged several digital freelancers with a link to a fake job portal, asking them to pay a deposit to secure work with the agency and share financial information. Applicants were told they would be refunded, alongside an additional payment once the work was complete. However, this was a clever plot to steal personal and financial information and no such jobs existed.
“The criminals targeted freelancers across Europe, and after clicking the links and sharing payment details, the applicants eventually sought out and emailed the correct agency contact details, asking where their payments were.
“Upon receiving these emails, we knew something was very wrong and that we’d been impersonated in a sophisticated cyber-attack. A huge challenge then became finding all those who had fallen victim. We didn’t know who was affected unless they reached out to us directly. Luckily we had an action plan and process in place for any cyber breaches, thanks to our local business resilience centre, the NEBRC, and so had support to help navigate the attack.
“I’d strongly recommend getting the message out as soon as you have an understanding about what is happening. We created social media posts, blogs and relevant email comms which highlighted the events which were taking place. This not only meant those who were vulnerable became educated but it seemed to stop things happening. The blog post on our website about “how to spot if it’s really us” and the various channels we communicate on, was an important part of the process.”
Guidance for candidates: WhatsApp employment scams
Top signs of recruitment scams that could leave you at risk:
- Poorly written job adverts.
- Suspicious contact information.
- Unrealistic salary.
- Being asked for money.
- A job offer without an interview.
- Illegitimate companies or email addresses.
- Non-UK web domains.
- Unsolicited contact from an unknown number.
If you’ve fallen victim…
- Once you suspect a scam, stop all communication but make note of their details.
- Do not give any money or further details to the scammers.
- Report the scam to Action Fraud. In the UK, you can report employment or recruitment fraud to Action Fraud on their website, or at 0300 123 2040. Alternatively, you can seek advice from the Serious Fraud Office.
- Warn Action Fraud of where the recruitment scam can be found.
Martin Wilson, Detective Inspector and Head of Student Services at NEBRC said, “Responsibility doesn’t just lie with the candidate; businesses have obligations, and they should put recruitment processes in place which recognise this risk. A written process should exist, which is regularly reviewed and should include a section on any risks to the organisation’s stakeholders and a section in any client contracts. Failing to plan and respond to a threat quickly and appropriately can cause additional losses and, depending on what has happened, the reputational losses may even have the biggest impact.”
Martin’s guidance for recruiters and businesses: how to prevent and protect against fraudulent WhatsApp employment scams
- Verification Processes: Implement robust verification processes for all job applications and communications. Verify identities through multiple channels before sharing sensitive information.
- Official Channels: Use official company channels (such as verified email addresses or company websites) for initial contact and information sharing rather than relying solely on messaging apps like WhatsApp.
- Educate Employees: Train employees and recruiters to recognise common scam tactics, such as requests for personal information, upfront payment requests, or unusual job offers.
- Clear Communication: Clearly communicate to job applicants about the company’s recruitment process, including which channels will be used for communication and what information will be requested.
- Privacy Settings: Encourage the use of privacy settings within WhatsApp to control who can see profile information and contact details.
- Report and Block: Promptly report suspicious activity to WhatsApp and block suspicious contacts or numbers.
- Public Awareness: Raise awareness among the public about the potential for WhatsApp scams and advise job seekers to verify the legitimacy of job offers through official channels.
- Legal Disclaimers: Include disclaimers in job postings and communications, stating that the company does not request sensitive personal information or payments through messaging apps like WhatsApp.
*Alert provided by NEBRC (North East Business Resilience Centre)