Looking for a Job? Beware of Recruitment Sites

There’s yet another reason to not let your employees go looking for a new job on company time: cybercriminals are now leveraging recruitment sites.

According to risk intelligence vendor Flashpoint, the number of mentions of activity, the availability of compromised credentials, and the solicitation of accounts to list fake jobs has increased in recent months on the Dark Web.

Recruitment sites are rich with PII from those uploading resumes and personal details, making them a perfect target for data theft. But they also provide cybercriminals with another money-making angle: an unwitting mule.

Those looking for a new job are eager to follow whatever recruiting process is put before them and are usually willing to divulge material amounts of detail about themselves. So, there are a number of ways your users can unknowingly become participants in malicious activity by means of recruitment websites:

  • They can be tricked into becoming money mules or participate in money laundering as part of a new phony job, such as a “merchandise handler” or “payment processor.”
  • They can be the successful victims of malware infection or credential theft via fake PDF applications.
  • They can become the involuntary accomplice in providing a cybercriminal access to your network.

Scams like this prey on the emotional engagement of the victim and their willingness to open emails, click on attachments, and follow links. The more reputable the recruitment site, the more likely the job seeker will become a victim.

You can effectively minimize the risk of these kinds of attacks by educating your employees with new-school security awareness training about the potential dangers of recruitment sites, and that they should be vigilant even when deciding to move onto a new position.

And, because job seeking can potentially breach the security of your network (by means of becoming the victim of a malware attack), you should also consider only giving HR the ability to surf to recruitment sites while on company devices.

This blog originally appeared on knowbe4.com.

Stu Sjouwerman
About the Author
Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4 Inc, a provider of the most popular Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman is the author of four books, with his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.” Along with his CEO duties, Stu is Editor-in-Chief of Cyberheist News, an e-zine tailored to deliver IT security news, technical updates, and social engineering alerts. Stu is a four-time Inc 500 award winner and EY Entrepreneur of the Year finalist.