Akamai Diversity

Akamai Security Intelligence
& Threat Research

How I Avoided A Recruiter Scam

Recruitment scams are a serious, but often overlooked risk to job seekers. Those responsible for these schemes often play on the victim's stress levels or professional ego, by using authority to offer something that could be life changing, often with large salaries. I've personally experienced a recruitment scam. In this post, we'll explore the scam that targeted me, and the steps I took that prevented me from becoming a victim.

According to the FBI, victims have reported employment scams since early 2019, with the average loss per victim coming out to about $3,000 USD, in addition to damage to their credit reports. Around the same time the FBI was collecting fraud data, the FTC issued an advisory to the public warning about recruitment scams - particularly executive recruitment scams, like the one I received.

Typical employment scams will consist of convincing a victim to pay advance fees for job placement or training materials. Similar recruitment scams might be the first step in a longer criminal game, where the victims are tricked into installing malware, sharing sensitive information or credentials.

Other job placement scams focus on "work-from-home" opportunities, where the victim is used in a money laundering scheme, or used to safely transport goods that have been stolen by acting as a shipping agent. Akamai discussed some of these scams last October, and a key piece of advice stood out:

"If a random person reaches out, if you're really interested in the offer, do some research on the company they claim to represent. Call them directly and verify the person is who they say they are." - Steve Ragan, Security Researcher, Akamai

The Letter:

It was a typical Tuesday, part of a shortened week due to the Independence Day holiday in the United States. An email arrived in my inbox from someone I've never spoken to before named "Brad", offering me "New Executive Level Opportunities" after an alleged referral from an "outside talent sourcing firm."

The message was well-written, but lacking some professional polish that would typically be seen with a form letter. For example, there were common punctuation errors, so this felt like an email written by a working-stiff like myself. There were a few immediate, not exactly red flags, but odd curiosities that sprang to mind as I read the email.

I hadn't placed my resume anywhere, and I've been happily employed at Akamai for six years at this point, so who was this outside talent sourcing firm? Also, why am I a good fit for this position? Considering the advice from the previous blogs on employment scams, these questions were enough for me to start doing some basic research on this firm. What I discovered made me thankful I didn't respond to them.

Vetting:

The first thing I did was do a whois search on the domain. A whois lookup will tell me a few things, such as where the website is hosted, and how long it's been registered for. In some cases, a whois will also tell me who owns the domain and how to contact them.

In this case, the domain referenced by the email was registered on May 8th, 2019 and updated a few days earlier on June 29th, so this was a brand-new domain. More established companies would have an older domain. Moreover, the technical and administrative contact details were hidden, a service people pay extra for when registering domains, but this seems odd for a legitimate business. Naturally there are some exceptions, and everyone has to start somewhere, but this was the first red flag for me.

Visiting the website directly raised additional red flags. For example, while attempting to load "Brad's" recruiter profile, the link returned a 404 error, meaning the page didn't exist. The same thing happened for the other three recruiters listed on the page. Why would a professional recruiting company have an incomplete website? For most people, this second red flag would be enough to prove this was a scam, but I kept digging. I was curious now.

 

A search for text from the email itself led me to a blog post about a completely different recruiting scam. Buried down in the blog's comment section, someone had posted a letter similar to mine, from a person representing the same recruiting company. Calls to the number listed on both emails (same number, different extensions) were automatically forwarded to voicemail. 

Moreover, that same comment section referenced two additional letters, with essentially the same script, only the recruiting firm's name was different. I say different, but not by much. t\hTe letter M in the firm's name on the letter sent to me was replaced with a K in the examples posted online. So now there were two websites pitching the same job offer.

Going back to the website referenced in my email, I conducted a reverse image search on "Brad". Reverse image searches where you can search with an image and see all the websites it appears on. I conducted my image search on Google and Bing.

Once the search was complete, I discovered "Brad's" image on another recruitment website - the one using a K that was mentioned in the additional example letters. 

It's possible that someone holds two jobs, but I checked it out anyway. Turns out, that website had the same 404 errors as the previous one, and the overall design was the same too, however this time "Brad" was known as "Patrick".

I was already sold on the notion the recruiting attempt was a scam, but these mirrored 404 errors, along with the cookie-cutter web designs, scripted emails, and domain names, convinced that something shady was happening.

Digging deeper, I conducted a reverse DNS search on Robtex. I won't get into all the technical aspects of DNS, but Robtex is a service that allows IT and security professionals to do a little extra digging on a domain or IP address. It's commonly used to discover spammers and other criminals.

After entering "Brad's" domain into Robtex I was quickly directed to the results page. An examination of domains sharing the same server IP revealed the domains representing "Brad" and "Patrick", as well as two other recruiting pages. In addition to the recruiting websites, there were two domains blocked by my security software: one due to phishing, and another due to malware activity. 

The Robtex search also revealed the domain of the person responsible for these websites. So, as it turns out, the recruiting firm that reached out to me wasn't in New York City as advertised, the people behind the emails and websites are 6,800 miles further east.

 

What's the point?

There is no telling where this particular recruiting scam would have gone. I never responded to the email, so the scammers didn't get to make any attempts to pull me in, so to speak. Based on the remarks left on the comment section where I discovered the alternate recruiting domain, as well as comments left by those reporting the phone number, this appears to be an information scam.

The information on resumes isn't something most people consider sensitive. People  searching for work, or hoping to land a promised high-figure executive position, wouldn't think twice about sharing a copy of their basic personal information and work history.

Yet, as noted by the aforementioned FBI alert, this information can be compiled, and then sold to marketing or sales firms. From there, the information is combined with other related data points and sold for lead generation or spam lists that target email, direct mail, or phone-based offers. The darker side to information scams will see the compiled personal information used for phishing or identity fraud, including financial identity theft, human trafficking, and forged travel and identification documents.

Protect Yourself

The vetting I performed, such as searching for elements from the offer letter, visiting the recruiting firm's website, attempting to call directly, and researching the company name, revealed several red flags. The more technical vetting unraveled the whole scam, but not everyone is comfortable with deep technical analysis.

Once I discovered the domain was only a few months old, and the professional website was missing critical information, I knew the offer was a sham. These elements alone are enough proof for almost anybody. I dug deeper to see if there was more to it, and in this case, there was. At the same time, remember this was the exception and not the rule, as lots of recruiting and employment scams are fly-by-night, existing only for brief periods.

Bottom line? Keeping yourself safe and avoiding scams like this starts by trusting your gut. If it feels like a scam, or looks too good to be true, then it is.

Leave a comment