The “Great Resignation” is still well underway, further impacting a cybersecurity industry with a historically low retention rate. According to a report published by Enterprise Strategy Group in partnership with Information Systems Security Association International, 76% of organisations say it is difficult to recruit and hire security professionals.
Combined with this is workers looking for new roles offering more money in response to the rise in the cost of living, both of which have created one of the busiest labor markets the cybersecurity industry has seen. In fact, according to Ponemon Institute, for every five analysts hired in 2021, three quit or were fired within one year.
The growing number of jobseekers has also created an unprecedented opportunity for threat actors to capitalise on their searches for employment, often through social engineering scams impersonating LinkedIn, Facebook and other social networking sites which advertise job opportunities.
The Current State of Job-Seeking Scams
Though hackers have always used social engineering to manipulate their targets into giving up credentials or access to data, LinkedIn is currently the vector of choice across North America and the UK. Over the past year, threat actors have taken to designing fraudulent LinkedIn login pages which they then send to targets via email, prompting unsuspecting LinkedIn users — likely job-seekers — to enter their passwords.
These phishing attempts often incorporate elements of a real LinkedIn profile, like the company logo and footer designs, to make them appear legitimate. Unfortunately, it appears to be working, as LinkedIn-related social engineering scams rose 232 percent according to UK-based Egress Software. Also, a study from Check Point found that 52 percent of all global phishing attacks during Q1 2022 were LinkedIn-focused scams.
How To Differentiate Between the Fakes and the Real Thing
As such, I have put together the best ways people can stay vigilant and secure against social engineering hackers when browsing for jobs online.
1. Know what to look for in a social engineering scam
While LinkedIn emails users about the latest job openings, new messages, connections, and profile visits, there’s a few easy ways to differentiate a legitimate LinkedIn email from a socially engineered one. Firstly, scammers will often copy LinkedIn’s stylised logos and email templates in phishing attempts, so cross-checking a potential phish against another, certifiably legitimate LinkedIn email can often reveal small errors, helping you determine fraudulent communication.
2. If it is too good to be true…
It probably is. LinkedIn and other social media platforms are a great way to meet new friends and network with industry peers. But, before you accept an invitation or engage with a new friend or connection, stop to consider whether it makes sense they have asked to connect. Sure, a profile which is entirely in Russian may have a job opportunity for you, but are you able to find any other information about the person behind the profile online? If not, there is a far greater chance the person is not who they appear to be and may be trying to take advantage of your willingness to network.
3. Do not overshare
The fun of LinkedIn and other social networking sites largely lies in sharing your accomplishments and life updates with a large group of people — most of whom are likely to congratulate you on an upcoming vacation or your new role overseeing an important part of the business.
But just as oversharing in person can lead to strained relationships, oversharing online can be a boon to scammers looking for insight into your personal life. For example, your password may be an amalgamation of birthdays, past schools and pet names, many of which people erroneously share online. Savvy scammers will pick up on those clues to potentially brute force their way into personal accounts which were otherwise protected.
Sharing information about your role, including projects you are working on or issues you are dealing with can arm scammers with information they can then engineer into a phishing email tailored for you.
The nature of scams is cyclical, meaning hackers may eventually jump ship from LinkedIn to another website in order to scam their targets. However, as long as there are people looking for jobs, there will be hackers trying to take advantage of them.
But they do not have to succeed. By practicing proper security awareness and heeding the aforementioned advice, you can stay safe while job seeking.
This article originally appeared in HRReview