Attorney Steven Fahlgren hoped to receive a flood of qualified applications when he posted a job opening on Monster.com for paralegal help at his Hilliard, Fla., law firm.
However, he wasn’t expecting a school of “phish” to swim in on the deluge. Phish are those piranhalike e-mail probes that prey on the feckless.
“Shortly after I signed up, I got a bunch of e-mails purportedly from Monster.com, but I quickly determined that they weren’t,” Fahlgren says. “They weren’t the typical sort of phishing e-mails; they had something that identified my (Monster) account.”
Fahlgren was convinced that his information had been compromised. And he was right.
In January, Monster.com notified users that its database was breached and that account information — including names, phone numbers, e-mail addresses, user names and passwords — had been compromised.
Fahlgren’s misfortune is just one example of a nefarious trend. Increasingly, identity thieves are targeting today’s growing number of job seekers — and the employers looking to hire them.
As banks, credit card companies and other financial institutions beef up security, data thieves naturally gravitate toward less-secure data sources such as job-search sites.
“To the extent that you were a skilled identity thief, you would look at the most low-cost, fertile areas,” says Claudia Bourne Farrell, acting public affairs director for the Federal Trade Commission. “Online job posting companies would undoubtedly draw identity thieves.”
Preying on the unemployed
Fortunately for Fahlgren, Monster.com generally does not collect — and hence, could not lose — resumes, which might have contained more sensitive information such as birth dates or even Social Security numbers.
Still, the tech-savvy Fahlgren says he was surprised by the sophistication of the phish.
“It’s an example of how someone relatively sophisticated, who does try to secure his data, can still receive something that almost looks good enough to click on or use,” he says. “I don’t think it should put anybody off (Monster.com). I think technology is 99 percent good and 1 percent bad. You don’t throw the baby out with the bath water. You just have to be careful.”
Although the FTC does not specifically track identity theft specific to job seekers, the British-based Association for Payment Clearing Services found that the 873 bogus job postings in the U.K. for the first half of 2008 represented a 345 percent increase in fake ads compared with three years earlier.
Jay Foley, executive director of the San Diego-based nonprofit Identity Theft Resource Center, not only fields consumer complaints but also sets up and monitors his own job posting accounts to study the disturbing trend.
“For the last three months of 2008, I saw an increase of about 20 percent of spam or spam e-mails offering employment,” Foley says. “People who have posted a resume anyplace online are now being targeted by the thieves.”
Job seekers are a particularly vulnerable group, Foley says.
“Your average job seeker has posted his resume on the Internet. He’s passed out his information everywhere because he wants to get hired. He’s going to be cooperative,” Foley says. “If he has moved from cooperative to desperate, he’s not going to look quite as close at the offering as someone who is employed and may be just testing the waters. The scammers prey on that.”
Applying for trouble
Identity thieves target job seekers and employers in several different ways. Each scam is designed either to piece together enough personal information to rip off someone’s identity, or to trick job seekers into frauds that pose as legitimate employment.
Some thieves post fake job ads, hoping to prey on the desperate and gullible. Others pose as job posting companies and ask employers and job seekers to provide more information, such as Social Security numbers, home addresses or driver’s license numbers.
Still others pose as employers who express interest in a job seeker before using various tactics to trick the candidate into divulging personal data.
Foley describes how this scam works:
“They’ll say, ‘I’ve got a job lined up here for you. You’ll be the accounts receivable clerk in the United States for our company. We’ll have customers send you checks, you deposit them in the bank, wire the funds to us and keep a percentage for yourself.’
“Then they send you a bunch of bogus checks and you do as instructed. When the bank finds out those checks bounced, they’re going to want every dime back, and the only person they have available to get that money back from is you.”
The scammers find job seekers and employers on job posting sites such as Monster.com, CareerBuilder.com and even Craigslist.
“Job seeker data is easy to obtain,” Foley says. “It’s already publicly posted. All they need is a name and an e-mail address.”
The background check is one popular ruse used to obtain personal information.
“We saw that one quite a bit last year. ‘You are a candidate for this particular position, and we need to do a background check.’ Well, when have you ever, ever had a company do a background check on you before they met you? It’s not happening,” Foley says.
Another scam is to pose as the hiring agent for a company.
“If I’m contacted by somebody I don’t know who says they represent this company, I want to verify that they really do work for that company and that, that company really is looking for an employee before I start giving out any personal information,” says Foley.
What’s real and what’s not can sometimes be difficult to ascertain. One identity thief used the name of a small Minnesota company to contract with an unsuspecting temporary employment service. The thief received the resumes, not the company.
“The company was real, the temp service was real, the job seekers were real. The problem was they were not being referred to the actual company. They were being referred to the imposters,” Foley says. “The temp company got scammed just like everybody else. They thought they were going to get a great check at the end of the month on the referrals.”
As these scams proliferate, it becomes more important than ever for job seekers to keep their guard up to prevent becoming a victim, Foley says.
“When you hunt for work, you need to be aware of the ramifications of sharing your information,” says Foley. “You need to do your own due diligence. Check out every company and every offer. And remember: No one is going to hire you based just on a resume; they have to meet you. That is a key factor that any business considers.”
- Never include the following on your resume: Social Security number, driver’s license number, bank account or credit card information, date of birth or passwords. Instead of home address, simply list your city and state. It is unlawful for an employer to ask your age or sex.
- Open a separate e-mail account for your job search and include it on your resume.
- Avoid any Web site that requires you to “preregister” with your Social Security number, driver’s license number or home address.
- If a company contacts you, check it out thoroughly before you reply. In particular, be sure that the URL of the person who contacts you matches the company’s standard e-mail URL, which is usually available on its Web site. If it doesn’t, it might be a scam.
- Check your area codes. If a fax or phone number of a potential employer does not match that of the corporate headquarters, find out why before proceeding.
- Beware of “work from home” employment ads, especially those that involve forwarding packages or working as a “payment representative” or “accounts receivable clerk.” You could wind up as the middleman in a stolen goods, money theft or laundering scheme.
- Never open a bank account for a company.
- Never give out sensitive information over the telephone.
- Never give out sensitive information at a job fair. It could be shared with numerous people who have no need to know it.
- Before starting your job search, update your computer security to protect you from the latest viruses, Trojan horses and other types of computer malware that may find its way to your inbox.
Jay MacDonald is a contributing editor based in Texas.