How to be a killjoy – Job scams in 2023
A few weeks ago, an acquaintance who had been out of work for a while called their family and was incredibly excited to share that they’d just been offered a job. Not just any job, but a job in a field they’d gone to college for and not been able to do since graduating. Not just in their field but for one of the largest organizations in said field. Fully work from home. They had begun planning to travel, they had even started scoping out new PCs to buy to do the work.
This was relayed to me second-hand, and I was overjoyed for them. Until I asked a question. They were being asked to buy a new PC? “Maybe? They just said they would get a new one. That would be strange, wouldn’t it? If they had to buy it themselves for work?”
Yes, it would be strange. An organization should be providing you with hardware. Aside from the risks of adding random computers to a network, even remotely, the organization should have a security program in place that covers where hardware is acquired from and why. As well as how it must be configured. And systems in place to ensure that all workstations are powerful enough to complete the work expected of the employee who uses them. Maybe… this is a new role? I kept the benefit of the doubt and asked another question.
What was the interview like? “Text message and then a facetime call!”
What is the salary like? “Amazing, really incredible.”
The red flags were impossible to ignore as I was relayed this story of hope and joy. A hope and joy that I truly wish for this person. I could not hide my concern and the person sharing the story noticed it. And then, it was as if I was ripping down the banner at a celebration dinner. Pulling the streamers off the wall and yelling, “Shut it down”, trying to be heard over the classic brass section that accompanies Kool & The Gang.
Whether or not you have seen them, job scams are everywhere. From January to March of 2023, losses were reported at $840,000. Up 250% from last year. The average amount lost per person in this fraud? $1000.
Why is it so much?
First, we must discuss how it happens. Gone are the days when it was a sketchy LinkedIn InMail from a person who has no followers, claiming to work for a Fortune 500, and offering a job that is too good to be true. People looking for jobs are getting tricked into giving money to the scammers. Now it is real jobs, on real job boards, made by companies that look real. The company’s name is spelt identically, enough to exclude it when you are only looking at the job title.
In fact, it is common that the job information itself is real. The scammers are stealing real job information from real job posts on other job boards, like Workday and LinkedIn, and posting them on different job boards that the company simply doesn’t use.
Those of you who have followed common scams are likely familiar with the “Cleared Check” Scam. These are still quite common, but they are done in new ways.
Sometimes, they provide ‘cool’ or ‘unique’ changes to allow these things. These are designed to sound ‘in the know,’ but in reality they are ways for them to make things more difficult to track. A scammer may claim that they take interviews over common encrypted messaging apps, like ‘Signal’, because of ‘cybersecurity reasons.’ I personally have never heard of a legitimate company taking interviews over Signal. More importantly, tools like Signal are often used by corrupt people to hide their corruptions.
How do I get around it?
When I’m working with organizations, I recommend everyone have a ‘double confirmation’ policy before money is sent. An email invoice, new banking details for an employee, a phone call for a delinquent account? You should have a policy that requires at LEAST two people confirm these are legitimate prior to sending money. If one person has fallen for the scam, the second person catches it. It may be something as simple as a slightly different email address, or an important misspelling.
The scammer’s #1 tool isn’t ‘believability’; it is ‘independence.’ Convince someone they are the person that needs to do something, and then ramp up the pressure by making it increasingly important, and people will make decisions they would not normally make.
You can do this at home: always look for double confirmation. Research the company. Google ‘Jobs + company name’ and see what comes up. Is it on their website? Do they have a Workday Account? Do they specifically call out “All job postings are found only on indeed.com”? They should. If you can’t confirm, keep looking for another way to confirm.
In short, the company itself is the authority on the job. Not you, not the person potentially interviewing you. Which leads me back to my story.
In the end, it was confirmed it wasn’t a real job. It was a scam. Before any requests for cashing checks, or anything else, it was resolved by one simple action.
A call to the company. They confirmed the job post was real and up, but it was on a different website. The one they’d applied to was fake.
This feels like a bad ending, and it wasn’t as joyful as it could have been. But the bad ending for this story isn’t a job offer disappearing. It would be that person falling for the scam. They receive the check, wait for it to become available to them, then buy the laptop and send the money that’s left over back to the scammer. When the check eventually bounces, and it will, they owe the full amount to the bank. Sometimes, you can get lucky and return the thing you bought. But not always. Some people are left holding onto debt that can be debilitating.
You may ask, “Do I feel like a killjoy when I do these things?” Yes. I do. If I’d been wrong, and it was legitimate, that would’ve been horribly uncomfortable. I do not do my job because I think it’s fun to be paranoid. (Though a lot of my job does require me to be quite paranoid.)
Get on with the story, Matthew.
Sorry, you’re right. After confirming it was fake, and before blocking the scammer, another message was received.
They company pay for a laptop and desk setup for home.
“It’s easy. Here’s what you do–”
Author: Matthew, GRC Analyst & vCISO