Cyber criminals are targeting job seekers and employers, exploiting the current recession with phishing campaigns which intend to steal sensitive information such as login credentials and other other personal information. According to a report made by cybersecurity company Trellix, attackers pose as recruitment agencies that target job seekers, attempting to obtain their sensitive information. Moreover, attackers also pose as job seekers, intending to deceive employers through malicious attachments or URLs disguised as applicant resumes. Over 70% of these attacks are targeting the United States.
According to the report, "These emails look legitimate but are designed to steal sensitive information such as passwords or financial information. The malware can then be used to steal sensitive information or to gain unauthorized access to the job seeker's device and the information stored on it." Furthermore, the report claims that this type of attack will become even more common as cybercriminals will look to exploit the increase in job applications that employers will receive.
In order to appear legitimate, attackers are using fake or stolen documents such as Social Security numbers and driver's licenses to make the emails look legitimate and increase credibility, increasing the likelihood that the recipient falls for the hoax.
Additionally, Trellix has observed an increase in registration of typo-squatted domains for job related platforms such as Linkedin, Indeed or others. (Typo-squatting is a form of brandjacking which relies on Internet users inputting the wrong address into a web browser. Should the user accidentally enter the wrong URL, they may be redirected to an alternative website owned by a cybersquatter).
Several examples of typo-squatted domains observed are:
- indeed-id.com
- indeed-7.com
- indeed-a.com
- indedd.com
- linkhedin.com
- linkegin.com
- linkednn.com
Here are a few tips that should help you to avoid job themed phishing campaigns:
- Be careful with emails from unfamiliar sources, especially those containing links or attachments; verify the legitimacy of the sender before clicking on any links or download any attachments.
- Do not provide personal information in response to unsolicited emails.
- Use strong, unique passwords for all online accounts and enable multi factor authentication whenever possible. If your credentials ever get stolen, this will massively mitigate the potential damages you could incur.
- Use reputable job search websites and avoid clicking on links from unfamiliar sources.
- Check the spelling of the domain names before entering any sensitive information.
- Always be updated on the latest phishing and malware techniques.
Other Posts you might be interested in:
IBM X-Force research led by Stephanie "Snow" Carruthers finds human-crafted phishing emails perform 3% better than AI-generated ones. The study, conducted in the healthcare sector, emphasizes the need for businesses to focus on human-centric email security
Read More
Amidst the proliferation of AI tools, Google has announced new features that allow users to protect themselves from threats, identify AI-generated images and further protect sensitive data.
Read More
How will the new National Cybersecurity Strategy authorized by the White House officials impact the future of your cybersecurity?
Read More