Earlier this month, two major pharmaceutical giants issued warnings about phishing emails targeting job hunters.
GlaxoSmithKline and AstraZeneca say they are victims of recruitment scams, in which crooks create fake job adverts to obtain people’s personal and financial details. The bogus ads can be hard to spot, because they use legitimate logos and material, and hide the scammers’ email addresses effectively.
How the scam works
Based on AstraZeneca and GlaxoSmithKline’s statements, this is a fairly standard case of recruitment fraud. Job seekers find the fake advert on a recruitment site and provide their CV, which will typically include the applicant’s name, email address, current employer and other personal details.
The scammers will then email the applicant to say they are being considered, before offering them a job. At this point, one of two things will happen.
The scammers might refer the victim to an employment agent (also fake), who will ask for money to complete registration fees. Alternatively, the victim might report directly to the HR department of the bogus employer.
Either way, the final step of the crooks’ plan is to ask for financial details to pay the employee’s salary into. They will instead use the details to steal money, before cutting all ties with the victim.
Why it’s so successful
Recruitment fraud seems like one of the more obvious scams to spot. How could anyone’s alarm not be raised if they are offered a job without an interview?
Unfortunately, red flags like that are ignored in all kinds of phishing scams, and this scheme is a perfect example of why that happens. Most of us know how disheartening it is to send off application after application knowing that you probably won’t ever hear anything back. It’s therefore completely understandable that curiosity and/or hope might get the better of you when you hear that you’re not only in consideration but have also been offered a job.
Sure, you’re likely to be a little suspicious, but it’s a highly respected organisation like GlaxoSmithKline or AstraZeneca, so it must be legitimate, right?
It’s only in retrospect that you see all the clues that should’ve confirmed your suspicions.
What should you be looking for?
GlaxoSmithKline says job hunters can determine the legitimacy of an advert by asking:
- Are there major spelling or grammatical errors in the communication?
- What is the sender’s email address? Does this seem consistent with previous communications?
- Who is sending the email? Search the name online to determine whether it’s a real employee and whether they are the appropriate person to be managing the application process.
It adds that an advert posted by a third party isn’t necessarily fraudulent, but recommends that job hunters research the company to see if they represent the organisation.
It’s not the end of the world if you don’t spot a scam during the application process. The crooks will have your contact details and any other information on your CV, but at least they won’t have your financial details. Preventing that from happening is simple, provided you remain cautious.
AstraZeneca and GlaxoSmithKline remind job hunters that they never ask for money during the recruitment process (no legitimate organisation would). The latter adds that:
If you receive a genuine job offer of a job with us, whether the offer is made directly by us or through an agency, you will not be required to pay any money towards administration fees.
We also recommend that you do not disclose personal or financial details to anyone you do not know.
As is standard, GlaxoSmithKline says that interviewees or those who have been offered jobs might be asked to provide passport information or other personal identification, such as a National Insurance number.
If you receive and accept a job offer, you will obviously have to provide financial information; this will typically be at the same time as you sign your employee contract. However, you should only be asked for account information, which is used to deposit funds, rather than the card number, which is used to withdraw funds.
Can you spot a phishing scam?
The warnings issued by AstraZeneca and GlaxoSmithKline show just how big of a threat phishing poses. The methods for spotting and preventing it are the same no matter what form the scam takes, yet millions of people fall victim in both personal and work environments.
When it comes to recruitment scams, it’s up to individuals to protect their own data, but organisations have a lot more at stake. An employee who can’t spot a malicious email is liable to hand over vast amounts of sensitive information or expose the organisation to further threats. For example, most ransomware attacks are spread via phishing emails.
Organisations can tackle that threat with our Phishing and Ransomware – Human patch e-learning course.
This ten-minute course explains the basics of email-based threats, showing staff how to spot and avoid phishing scams and ransomware.