Job-related scams are on the rise.
In the first few months of 2024, two students reached out after being targeted by a job-related scam. As a part of these scams, the students were led to believe that they were getting real job offers when they were actually targets of identity theft or digital check fraud. While identity theft is nothing new, digital check fraud is not as well known.
Digital check fraud, to me, sounds like a lazy heist. It’s part social engineering and part fraudulent banking. It’s a type of shell game where the scammer tricks the victim into performing a series of actions. It starts when the scammer gives the victim a digital check to deposit. The check could be for services, advance payment, or to purchase supplies as part of onboarding. As soon as some of the funds have been cleared for use, the scammer claims in one way or another that too much money was sent. The scammer then explains that part of the funds must be returned through a third-party money transfer like Zelle or Western Union. In some cases, the scammer will even offer to help walk the victim through the process of sending the money back.
This means that when the bank catches the fraudulent check and bounces it, the victim has already been walked through returning the “extra” money. At the end of the day, the victim was the one to authorize all deposits and transfers. So, when the dust of digital check fraud settles, the victim is left with less money than they originally had in their account. This happened because although the fraudulent check bounced, the money transfer still went through.
My first personal experience with digital check fraud goes back to 2015 when I was working as a freelance writer. A scammer pretended to be a client and tried to pay with a digital check to initiate the scam. In some cases, the bank will flag the activity immediately. This mostly leads to the check being bounced immediately and no funds showing as available. However, in some cases, freelancers that I’ve worked with have had their entire accounts put on hold by their bank to allow for an investigation.
In the cases of the two students mentioned earlier, they were able to catch on before any real harm was done. With these types of scams continuing to happen, it is always a good practice to take a few moments to remember how to deal with them. To help with that, here are a few tips about how to proceed with your job search while keeping an eye out for these scams:
Track all applications that you submit:
Having your own Excel document where all the details are broken down helps keep all the jobs you’ve applied to in a central location along with the information you’ve sent out. You may need more space to include additional information, and in that case, students linked their Excel spreadsheets to OneNote and used OneNote to house screenshots, conversations, and research.
Verify the domain tied to the email address:
By inspecting the email address, you may find a lookalike domain, or a malicious domain, attempting to look like a legitimate one. A company’s real email will likely be posted and available on their website and you can use it for comparison. In one case, a scammer used a domain similar to the real one but with LLC added at the end of the company name, whereas the real company’s domain did not have LLC. Other cases include the company name with addresses like secretary.net and gmail.com.
Be realistic about pay:
To get you to overlook inconsistencies, scammers will often try to offer you more money than the role would normally pay. In both cases, the pay was listed as $35 to $45 an hour with benefits included, for a remote position requiring little to no experience.
Do not engage with scammers:
All you should do, and all you need to do, is report scammers to the job board. If it was a case of impersonation, an email could be sent to the company or individual being impersonated to let them know about the issue. If you engage with scammers, you might make yourself a target and open yourself up to further cyberattacks.
The Case of Digital Check Fraud
Looking at the process that a scam follows can highlight additional things to keep in mind when journeying through the job search. With that in mind, I’d like to look at the first few steps of a job scam that can lead to fraud. My interaction with this particular scam was to review all communications between the student and the scammer to verify that no personal information was exposed through their communication. To that end, I read through copies of emails, texts, and attached documents.
First, the student received an email requesting an interview. Close inspection of the email reveals that a @gmail.com address was used instead of the legitimate domain name and that both suggested interview times were a week past due. Neither of these things directly indicates malicious activity (some companies still use a generic @gmail.com address and forget to check dates before sending emails), but the date error could have been due to the scammer reusing an old message.
Next, when the student confirmed interest and availability for the interview, they were not asked to schedule an interview. Instead, they were sent a document containing “interview questions” that they were required to respond to within 90 minutes. This document contained basic interview questions and asked the interviewee to verify that they could fulfill the job duties. While it is still plausible that this could be an elimination tactic by HR to weed out folks who can’t quickly answer basic questions, it is more likely that the scammer was relying on social engineering tactics to rush their target through the process.
Finally, as soon as the student submitted the completed interview, they received an email stating an employment decision would be made within the hour. Several hours later, the student received another email saying that they were hired for the position. In this email, the student was asked to reach out to a @security.net address to provide personal information needed for employment. The gap between “within the hour” and the several hours that actually passed before the student heard back could be due to poor management communication. However, since the employment offer was made without any actual interaction with the company other than email, it is highly unlikely that this is a legitimate job offer.
In this case, the student was moved on to the next stage of the onboarding process. As part of this, they were presented with “out of band communication” trying to gain access to account credentials, a check for payment, and several different contacts to proceed. At this moment, the student decided to break off communications with the scammers and began to make sure that their financials and identity were not at risk. They even took steps to notify the company that was being impersonated.
Inside the emails and texts reviewed as a part of the job scam, the student was required to share banking information, and when that didn’t work, money transfer apps like Venmo or Cash App were introduced as alternatives. If the student hadn’t had multi-factor authentication (MFA) configured for all their apps and two-step verification (2SV) enabled with their bank, the scammer could have gained access to more than just the amount returned during the final step: digital check fraud. In this case, the fraud revolved around a check provided to purchase equipment to work from home. The list of items included everything from computer hardware and software to ergonomic furniture.
Closing Advice
It’s too easy to say, “The people getting scammed should know better.” Unfortunately, in these cases, the targets were people in situations where they trusted that it would be a legitimate job offer. These targets were students who were changing careers to IT and the companies impersonated were either run by minority groups or related to services for the disabled.
Using this scam as a cautionary tale, here are five tips with resources and reminders to keep in mind as you go about your job search:
1. Be wary of blind offers
a. Resource: Use your job tracking spreadsheet to figure out if you applied.
b. Ask yourself: If you did not apply, how did they find you?
2. Be mindful of domains and emails.
a. Resource: Tools like Scam Detector’s Website Validator can help you check domains.
b. Ask yourself: Is this the legitimate domain and email for the company?
3. Be realistic about pay.
a. Resource: Sites like Salary.com and Robert Half’s Annual Salary Guide can help identify realistic pay if you are unsure.
b. Ask yourself: Does it make sense for them to pay this much for this position or role?
4. Be cautious about the interview process.
a. Remember: Typically, the interview process will include a screening interview, technical assessment, and then a final interview that could be virtual or in-person but is almost always some form of face-to-face.
b. Ask yourself: What aren’t they asking me?
5. Be aware of switching domains.
a. Remember: Scammers will maintain multiple domains to evade security measures.
b. Ask yourself: Why would a company use more than a single domain?
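The domain checks in tips 2 and 5, and in the earlier "Verify the domain tied to the email address" tip, can be scripted against the sender addresses logged in a job tracking spreadsheet. The sketch below is an added example, not part of the original article; the company domain acmewidgets.example, the sample addresses, the free-mail list and the function names are all assumptions made for illustration.

```python
import re

# Assumption: a short free-mail list; extend it for your own use.
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")

def brand_of(domain):
    """Label left of the TLD, punctuation removed (naive: ignores co.uk-style suffixes)."""
    label = domain.split(".")[-2] if "." in domain else domain
    return re.sub(r"[^a-z0-9]", "", label)

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, official_domain):
    """Compare a sender with the domain published on the company's own website."""
    dom = domain_of(address)
    if dom == official_domain or dom.endswith("." + official_domain):
        return "match"
    if dom in FREE_MAIL:
        return "free-mail"
    brand, seen = brand_of(official_domain), brand_of(dom)
    if brand in seen or edit_distance(brand, seen) <= 2:
        return "lookalike"  # e.g. the company name with "llc" appended
    return "unrelated"

def review_thread(addresses, official_domain):
    """Classify every sender and report whether the thread switched domains."""
    verdicts = {a: classify_sender(a, official_domain) for a in addresses}
    return verdicts, len({domain_of(a) for a in addresses}) > 1

# Constructed sample thread; acmewidgets.example is a made-up company domain.
SAMPLE = ["hr@acmewidgets.example", "careers@acmewidgets-llc.example",
          "acmewidgets.hiring@gmail.com", "onboarding@secretary.net"]

if __name__ == "__main__":
    verdicts, switched = review_thread(SAMPLE, "acmewidgets.example")
    for addr, verdict in verdicts.items():
        print(f"{verdict:10} {addr}")
    print("domain switching:", switched)
```

A "free-mail" or "unrelated" verdict is not proof of a scam on its own, as noted above for @gmail.com addresses; it marks the message for the manual comparison against the company's published contact details.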
Scams of this nature lead to more than just financial loss or identity theft. The victims themselves are exposed to stress, emotional damage, and even continued targeting. I read a story in January of this year about how one of the victims of E-Commerce Fraud ended up in legal trouble and even lost his job. While E-Commerce Fraud and Job Scams do not follow the same process, there are enough parallels that potential job seekers could be left at risk for legal trouble. In the E-Commerce Fraud case that I mentioned, there were two victims. Each victim’s information was played against the other victim so that the malicious actor could sit just outside of reach while they collected the fraudulent funds. Brian Krebs did a full investigation of the story and it can be found at: https://krebsonsecurity.com/2024/01/canadian-man-stuck-in-triangle-of-e-commerce-fraud/
In conclusion, criminals be doing crime. Despite this being a well-known scam, major organizations have yet to put appropriate protective measures in place. Additionally, victims of scams are often left with no course of recovery after one of these instances.
About the author: Jeff Krakenberg is a technical trainer and security researcher. With the goal of spreading awareness and knowledge, Jeff focuses his efforts on basic cybersecurity lectures, moderating open discussions about vulnerabilities, and building hacking labs for his students. Like many others, you can often find Jeff delving too deeply into the weeds of the Internet.