Policing and cyber experts at the NEBRC (North East Business Resilience Centre) are urging businesses, recruiters and job hunters to remain alert, due to an emerging cyber threat targeting the job market. Cybercriminals often prey on vulnerable groups of people and this latest tactic does just that, targeting those searching for paid work with employment scams.
The trend sees cybercriminals impersonating organisations by sending fraudulent WhatsApp messages to unsuspecting job candidates. The messages encourage job hunters to unknowingly respond to them, click links, download software or share personal information via the app.
Whilst this also happens over email, WhatsApp is increasingly being used in business settings and fraudulent messages are often more difficult to spot via the app. It may be that criminals prefer WhatsApp due to its global popularity and mobile accessibility. Messages are delivered instantly and read quickly, ideal for exploiting time-sensitive situations. WhatsApp’s informal feel can lower suspicion, and users are often likely to trust messages from known contacts or businesses more readily than emails.
What does a cyber attack look like in reality?
An anonymous victim whose marketing agency recently suffered such a cyber attack has shared their story. The anonymous business owner comments, “Earlier in the year, we were alerted to unusual activity relating to our business by a job applicant. Fraudsters had messaged several digital freelancers with a link to a fake job portal, asking them to pay a deposit to secure work with the agency and share financial information. Applicants were told they would be refunded, alongside an additional payment once the work was complete. However, this was a clever plot to steal personal and financial information and no such jobs existed.
The anonymous business owner adds, “The criminals targeted freelancers across Europe, and after clicking the links and sharing payment details, the applicants eventually sought out and emailed the correct agency contact details, asking where their payments were.
“Upon receiving these emails, we knew something was very wrong and that we’d been impersonated in a sophisticated cyber-attack. A huge challenge then became finding all those who had fallen victim. We didn’t know who was affected unless they reached out to us directly. Luckily we had an action plan and process in place for any cyber breaches, thanks to our local business resilience centre, the NEBRC, and so had support to help navigate the attack.
“I’d strongly recommend getting the message out as soon as you have an understanding about what is happening. We created social media posts, blogs and relevant email comms which highlighted the events which were taking place. This not only meant those who were vulnerable became educated but it seemed to stop things happening. The blog post on our website about “how to spot if it’s really us” and the various channels we communicate on, was an important part of the process.”
Martin Wilson, Detective Inspector and Head of Student Services at NEBRC, said, “The responsibility doesn’t just lie with the candidate. Businesses have obligations too; they should put recruitment processes in place which recognise this risk. A written process should exist, which is regularly reviewed and should include a section on any risks to the organisation’s stakeholders and a section in any client contracts. Failing to plan and respond to a threat quickly and appropriately can cause additional losses and, depending on what has happened, the reputational losses may even have the biggest impact.”
Martin’s guidance for recruiters and businesses: how to prevent and protect against fraudulent WhatsApp employment scams
Implement Verification Processes
Implement robust verification processes for all job applications and communications to verify identities through multiple channels before sharing sensitive information.
Use Official Channels
Use official company channels (such as verified email addresses or company websites) for initial contact and information-sharing rather than relying solely on messaging apps like WhatsApp to mitigate scams.
Educate Employees
Train employees and recruiters to recognise common scam tactics, such as requests for personal information, upfront payment requests, or unusual job offers.
Communicate Clearly
Clearly communicate to job applicants about the company’s recruitment process, including which channels will be used for communication and what information will be requested.
Adjust Privacy Settings
Encourage the use of privacy settings within WhatsApp to control who can see profile information and contact details.
Report and Block Unknown Numbers
Promptly report suspicious activity to WhatsApp and block suspicious contacts or numbers.
Raise Public Awareness
Raise awareness among the public about the potential for WhatsApp scams and advise job seekers to verify the legitimacy of job offers through official channels.
Provide Legal Disclaimers
Include disclaimers in job postings and communications, stating that the company does not request sensitive personal information or payments through messaging apps like WhatsApp.
How can engaging your staff help protect against WhatsApp employment scams?
Businesses are becoming prolifically digital and increasingly AI-centric, which means staff need to be engaged within this space too. Companies have an obligation to bring awareness to issues such as employment fraud, so that team members can help protect the business against fraudsters.
Providing comprehensive cybersecurity training and engaging staff can provide an extra line of defence against the challenges posed by such threats. Raising awareness can help staff become more engaged, so that they participate actively in this cybersecurity training, retain information, and implement correct processes and protocols following any training – which in turn allows for better business performance.
They are also more likely to be diligent in all aspects of their work, spotting cyberthreats and impersonation attempts. This may mean your business is alerted to potential threats sooner and the correct people within the business are notified to take action more quickly.
For example, proper governance around email enquiries and other communication channels such as social media or phone communications can mean that all enquiries can be dealt with effectively. Staff have a responsibility to find a solution to the enquirer’s problem, and if the enquirer is a job applicant who has been confused by a WhatsApp scam, this can then be flagged appropriately and handled.
Conclusion
Cybersecurity fraud such as the current WhatsApp employment scam is becoming increasingly prevalent and it is up to internal teams to remain vigilant. This can be daunting for business owners and management, which is why support from experts is crucial to engage the correct people and protocols.
For further guidance on protecting your business from hiring fraud, contact enquiries@nebrcentre.co.uk. You can also stay up to date with the ever-changing digital landscape and security threats, by signing up for our free core membership. The NEBRC is a Police-led non-profit organisation that seeks to educate, inform, and support businesses across the UK on how to protect their business online through good cyber security practices.
Author: Martin Wilson – Detective Inspector and Head of Student Services, NEBRC
Photo credit: StockCake