Job Scams and Identity: The Connection You Need to Know
In 2020, the whole world went online. In some ways, that has been very beneficial. But in other ways, it has put us at risk. There are still few ways to validate or authenticate an identity online, so it’s difficult to know if a person or company you’re communicating with is fake. Because of this, job scams are on the rise.
See Employment Scams are On the Rise with Mike Kiser for a complete transcript of the Easy Prey podcast episode.
Mike Kiser is the Director of Strategy and Standards at SailPoint, a regular speaker at identity and cybersecurity conferences, and a member of several standards groups. He does strategy work, helps establish internet identity standards, and develops working groups. Working with colleagues in the industry, he tries to make things better for people online. He also researches privacy and how people can protect themselves online.
Job Scams are On the Rise
Job scams have always existed. People have impersonated companies, posted fake jobs, and sent fake job offers for as long as jobs have been around. But as identity has become more and more important, so have job scams. In the last three to five years, we’ve seen a major increase in the importance of identity and employment-related scams.
“As identity has risen in importance and is having a moment, so have job scams.” – Mike Kiser
According to the FTC, there was a 64% increase in employment-related scams in 2022. This makes sense because we’re doing so much more online. If you’re working in person, you get to know who a person is in real life. But when doing remote work and not needing to be onsite, you get to know people in a remote environment. It’s significantly easier to hide a real identity or operate under a fake identity online. There are lots of legitimate remote work jobs, but the right to work from anywhere does have side effects.
Job Scams Target Remote Work
Most job scams involve remote working arrangements. Once someone tells you that you need to come to an office, that could be a ploy, but most likely it isn’t. An employment scam that has an office set up would be a massive operation. And if someone spends the time and money to set up a whole fake office just for you, well, you must be an extremely appealing target.
“Phishing” scams are called phishing for a reason. If you want to catch a fish, you have to go where the fish are. When everyone’s working remotely, employment scammers are going to make scams that target remote workers. They frequently offer remote full-time jobs or jobs that can be done in addition to another full-time job, which is what remote workers generally want.
Job scams come in multiple formats with different goals. Unlike many scams, they may not be targeting you for money. Some job scams certainly are trying to make a quick buck off of you. But some are after something else entirely.
The Two Goals of Employment Scammers
Not every job scam is after your money. Some scams are what Mike calls “low attacks,” while others are what he calls “high attacks.” Whether the scam is a low attack or a high attack depends on what it is the scammers are after. It affects how the scam is run, and what you have to look for.
The Low Attack: Cash
These job scams are exactly what you think of when you think of a scam. They are done at scale, targeting hundreds or thousands of people with the same generic offer. It’s a smash-and-grab operation, in a way – they want to take your money once and move on to the next person. There is no customization. Mike gets frequent scam texts offering him jobs, but it’s very clear they have no idea what he does. That’s a low attack.
Low attacks will include tactics like making you pay for training or supplies for a job. Or they do the classic scam where they mail you a fake check and tell you to deposit it and then send the money somewhere else or buy something with it. No matter what method they use, the low attack wants to get at your money.
The High Attack: Connections
A high attack is much more sophisticated. They’re not here for your money – they’re here for the long game. A high attack job scam is looking for open-source intelligence on a person or an organization. They are identifying people in key positions, profiling them, and gathering background information. Mike is seeing more and more fake LinkedIn profiles that are bridges to building connections. It only takes two or three connections before the ball starts rolling and they can use those connections to connect with even more people. Once the scammer has a strong network of connections, they can use them to interact with a targeted person and offer a fake job. And if they can convince someone to apply for a fake job, they can get a lot of information.
“Once you get a resume … think about how much intelligence you’ve gotten on that individual.” – Mike Kiser
Think about how much information someone could get off your resume. Your home address, your phone number, your email, perhaps your alternate email, your entire job history that may not be on LinkedIn. They can use this information to assemble an organization map and determine who they want to target. The goal isn’t money, it’s information and networking. These job scams are more difficult to identify because the normal red flag of asking for money is absent.
How to Identify if a LinkedIn Request is Real or Spam
Some of the signs that a LinkedIn request is spam are true of any stranger interacting with you on the internet. Someone with no mutual connections is suspicious. So is someone who is model-pretty – there’s a high chance someone took the profile photo off a stock photo site.
Other than the obvious, it depends on your personality and point of view. Mike is a natural-born cynic and doubts all intentions until proven. Some people are willing to be a little more trusting, while others are determined to keep scammers out of their network. You will need to decide how willing you are to connect to people. But regardless of what you decide, always be suspicious of someone presenting a job opportunity.
Job scams using high attacks are going to be an ongoing challenge for company cybersecurity. Enterprises may need to start patrolling employees’ networks looking for profiles connected to multiple employees and claiming company connections that may not be legitimate. Generative AI will be a new challenge as well. A reverse image search used to be a nearly foolproof way of identifying fake opportunities. Now AI can create unique images that won’t come up in a reverse image search.
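One way a security team could run the check described above, as an added example that is not from the podcast or from SailPoint. It assumes employees have shared their connection lists for review; the company name, roster, profiles and the `roster_id` field are all constructed for illustration.

```python
from collections import defaultdict

COMPANY = "Example Corp"  # hypothetical employer name
ROSTER = {"alice", "bob", "carol", "dave"}  # constructed HR roster of verified staff

# Constructed external profiles as they present themselves; "roster_id" is set
# only when HR has matched the profile to a real employee record.
PROFILES = {
    "p1": {"name": "Jordan Recruiter", "claimed_employer": "Example Corp"},
    "p2": {"name": "Sam Vendor", "claimed_employer": "Other Co"},
    "p3": {"name": "Riley Talent", "claimed_employer": "Example Corp"},
    "p4": {"name": "Bob", "claimed_employer": "Example Corp", "roster_id": "bob"},
}

# Constructed connection lists that employees shared for review.
CONNECTIONS = {
    "alice": {"p1", "p2", "p4"},
    "bob": {"p1", "p2"},
    "carol": {"p1", "p3"},
    "dave": {"p2", "p4"},
}

def flag_profiles(connections, profiles, roster, company, min_employees=2):
    """Return unverified profiles worth a manual look, strongest signal first."""
    reached = defaultdict(set)
    for employee, profile_ids in connections.items():
        if employee in roster:  # only count links to verified staff
            for pid in profile_ids:
                reached[pid].add(employee)

    findings = []
    for pid, employees in reached.items():
        profile = profiles.get(pid, {})
        if profile.get("roster_id") in roster:
            continue  # matched to a real employee record, nothing to review
        reasons = []
        if profile.get("claimed_employer") == company:
            reasons.append("claims company affiliation not on HR roster")
        if len(employees) >= min_employees:
            reasons.append(f"connected to {len(employees)} employees")
        if reasons:
            findings.append({"profile": pid, "employees": sorted(employees), "reasons": reasons})
    # Most reasons first, then widest reach, then profile id for a stable order.
    findings.sort(key=lambda f: (-len(f["reasons"]), -len(f["employees"]), f["profile"]))
    return findings

if __name__ == "__main__":
    for f in flag_profiles(CONNECTIONS, PROFILES, ROSTER, COMPANY):
        print(f["profile"], f["employees"], "; ".join(f["reasons"]))
```

The output is a triage list for a person to review, not a verdict: a legitimate vendor connected to several employees will appear on it alongside a fabricated recruiter.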
Reverse Job Scams
Businesses are not immune to job scams. Nobody is going to offer a business a job, but they can do the opposite – apply to a legitimate job posting as a fake or altered employee. Mike has several friends who work in HR who have seen a rise in reverse job scams in the form of fake and otherwise falsified job applicants.
“Fake identities are more and more in play for different malicious use cases, not only job-related but as a whole.” – Mike Kiser
The interesting thing about reverse job scams is that the people perpetrating them may not realize they’re trying to scam the company. But regardless of their intentions, that’s what’s happening. Reverse job scams tend to happen in one of three ways.
First, there are totally fabricated identities and resumes. These are scammers doing a high attack from the other direction. They are trying to get information on a company’s internal workings by going through the hiring process. Second, there are falsified backgrounds on real people’s resumes. As the job market has changed, different skills are in demand, and people looking for new jobs can falsify their resumes to apply to jobs they’re not qualified for. Third, there are people trying to take multiple jobs. There is nothing wrong with taking multiple jobs if you’re up front about it, but holding two remote full-time jobs simultaneously is inauthentic. Their employers aren’t getting what they thought they were getting when they were hired.
The Benefits of Cynicism to Avoid Job Scams
Mike has not been a victim of a scam that he’s aware of. As far as he knows, no one has taken his money or committed credit card fraud on his accounts. His information has been exposed in major breaches, but that’s personal info, not a scam. He is almost certain that he’s connected to people on LinkedIn that aren’t real, but he couldn’t tell you who they are. Thinking that fits with his cynical nature.
Mike is naturally cynical, which has protected him somewhat. He has gotten emails in the past asking him to do consulting and advising for large amounts of money, and he dismisses them immediately. Once, someone later told him that one of those opportunities was legitimate and he could have made a lot of money for a forty-five minute conversation. He freely admits that sometimes he can be overly cynical.
Because of his cynicism, though, many of Mike’s relatives ask him about things if they’re not sure if it’s a scam. One of his relatives got about halfway through changing her password with a caller who claimed to be from her bank. Then something in the back of her mind kicked in and she hung up the phone and called Mike.
Job seeking and hiring is basically matchmaking for a business. Job scams operate similarly to catfishing and dating scams. If a business has its heart set on a perfect employee, it wants to overlook red flags when a candidate is too perfect. And if a job seeker finds a job that seems too good to be true, they naturally want to hope that it is true rather than investigate the warning signs. There’s an examination and thought process that has to take place in order to stop scams.
The Future of Jobs, Job Scams, and Identity
The pandemic shifted us all into the online world almost overnight. We may have gotten to this point in the future without the pandemic, but definitely not so fast. Online, identity is our key safeguard. We need to know who someone is, be able to authenticate them, and make sure they have the right connections and access. But when identities can be stolen, faked, or created wholesale, the very concept of identity is under attack.
“Identity is under attack.” – Mike Kiser
We have realized that long-term, identity is our best defense against job scams and any other kind of scam. Standards are coming out to help us control the information about our identity and share it with others in a provable, cryptographically-signed way. If you get a text or email from a random person, these standards should let that person prove they are who they say they are with a credential signed by a secondary authority. It’s one thing to be in person – you can pull out a driver’s license or another identity document to verify. Verifying and proving that authenticity in an online world will be key.
This also gives us an opportunity for additional identity privacy. Without standards, once you give someone your identity data, who knows where it’s going? We don’t have control. Legislation like GDPR and CCPA has given us some control over our data, but these laws are not perfect. These standards can help improve our privacy as well. They don’t necessarily solve the problem on their own, but there is great potential.
Security Must Be Simple
The challenge for any of these standards and security practices is that they must be easy. If we’re not making being protected from scams, phishing, job scams, and everything else the easier choice, we will have failed. Mike doesn’t want people choosing protection because they’re afraid of the consequences. He wants them to choose it because it’s much easier than jumping through hoops to make a wrong choice.
People who live on busy streets and who have small children put fences around their front yards. It’s not going to completely prevent the child from climbing that fence and running out into traffic, but it is going to make it a lot harder than staying in the yard and playing with their toys. The fact that we can have biometric authentication by looking at our phones, which we were going to do anyway, is fantastic. Security shouldn’t require a bunch of extra effort and jumping through hoops. It should be guardrails to funnel people into choices that are both easier and more secure.