Criminals are trawling recruitment websites to search for their latest victims. Their promises of legitimate easy money soon prove false - instead a new scam tricks users into committing financial fraud. We uncover the tricks behind the crime - and how to beat it!
Hackers are exploiting security flaws in recruitment websites to dupe job-hunters into committing the decidedly low-tech crime of cheque fraud. In the elaborate new scam, criminals seize the personal details of candidates from recruitment websites and contact them with an offer seemingly too good to be true.
Victims are offered the chance to become part-time ‘financial officers’, working from home to perform the simple task of cashing business cheques on behalf of overseas firms in exchange for a cash commission. To earn the commission, the cheque has to be redeemed within 24 hours and the money - less commission - wired to the overseas firm.
The proposition sounds too good to be true - and it is. In reality, the firms are a front for a Russian cybergang and the cheques expertly-crafted forgeries. The cheques are of low-to-medium value in order to evade each bank’s fraud detection systems and the scam has to be executed within 24 hours to have any hope of succeeding.
The job ‘offer’ has been circulated to job-seekers on both sides of the Atlantic who’ve posted their details on legitimate recruitment websites and was first detected in April by researchers at IT security firm SecureWorks. It was made public by the firm at last week’s Black Hat cyber security conference in the US.
Researchers at the firm found that the fake cheques were copied from digital cheque images, stolen from a variety of databases and downloaded to be duplicated as paper cheques with startling accuracy. This explains why nearly 3,000 people fell for the scam - even though the names of the front-firms were often strange and oddly spelled.
Job sites under attack
This latest fraud isn’t the only scam to target job-hunters - nor the only one to hack into recruitment websites.
Last October, hackers broke into the popular Guardian Jobs website with the firm forced to contact 500,000 people to warn them that their personal details had been breached. And in May 2009, several job sites run by Trinity Mirror Group - including JobSearch.co.uk - were also compromised, although no CVs were copied or accessed in that particular attack.
There are two primary reasons why recruitment websites are such an attractive target for criminal hackers. The first is that the sites contain a wealth of personal data - including home addresses, email details and in some instances secure password details - that can be used by thieves to commit identity fraud.
The second is they allow the fraudsters to target job-seekers directly with bogus job-offers, like the cheque-clearing scam above. One common scam sees criminals contact candidates directly claiming to represent legitimate firms. The perpetrators often ask recipients to complete bogus recruitment documentation to be returned by email, such as application forms, terms and conditions of employment - and of course bank details. The data is then used to commit fraud.
Don’t be scammed! Emma Roberts reveals some dangerous scams that are circulating the web
The other most common scam involves tempting opportunities to earn huge sums working from home. There are two main types of these - in the first, directory scams, applicants are invited to purchase a directory full of companies claiming to offer work from home opportunities. Usually, the firms are bogus and demand a further “registration fee” in return for work that will never arise.
The second type is the so-called craftwork scam. This one offers - again in exchange for a fee - the chance to make gift items at home before returning them upon completion to the company in question. Yet once the bogus firm cashes your fee, they repeatedly reject your items on ‘quality grounds’ - if, indeed, you ever hear from them again.
To ensure that any job opportunity is genuine, contact the Direct Selling Association, a regulatory body that any legitimate work-from-home company must be a member of.
How to protect yourself
Data breaches in all their forms are the most damaging form of cyber-crime in circulation - but fortunately there are ways to stay safe. The first is to ensure all your computer’s anti-virus and firewall software is up-to-date - PC users can download Microsoft’s Security Essentials suite for free, while Apple users look to the ProtectMac software suite.
Use best practice whenever you surf the web. Change email and bank passwords regularly - particularly if you’ve used your date of birth or child’s name. Go for a “strong”, less obvious password with a combination of letters and numbers instead - better still, if you can remember them without resorting to writing them down, use separate passwords for each website you visit.
If you think your personal information has been compromised, contact your bank, any credit reference agency you may subscribe to and also contact the Protective Registration Service from UK fraud watchdog CIFAS.
Finally, to ensure peace of mind at all times, it’s worth signing up for a free trial of our credit report monitoring service to uncover any suspicious activity on your account.
Keep on top of all your accounts at all times with our simple online banking tool and keep ahead of the thieves with our award-winning expert Tony Levene’s Scam Magnet blog.
Award-winning scams expert Tony Levene explains why he's writing a blog about scams and why he is The Scam Magnet!
More: The smart new way scammers steal your cash | Serious trouble ahead for borrowers