June 21, 2017

Hackers Posing as Job Candidates: What Employers Need to Know


The internet is no longer as safe as it once was, and it’s not just consumers and average Joes who need to worry. Employers, too, are now at risk.

Recently, hackers have been posing as job candidates in order to plant ransomware inside business networks. Do you know how to spot and avoid these scams?

How Hackers Are Using Fake Applications to Attack Employers

“Cybercriminals are posing as job applicants as part of a new campaign to infect victims in corporate human resources departments with GoldenEye ransomware – and they’re even providing covering letters in an effort to lull targets into a false sense of security,” writes senior ZDNet reporter Danny Palmer. “A variant of the Petya ransomware, GoldenEye targets human resources departments in an effort to exploit the fact that HR employees must often open emails and attachments from unknown sources.”

And GoldenEye may be only the start. Security experts expect other hackers to copy this tactic and create their own unique ransomware in the coming months.

Corporate email inboxes aren’t the only way hackers are trying to sneak their way into business networks. As many U.S. businesses catch on to ransomware schemes and set up defense mechanisms that prevent employees from downloading potentially threatening attachments, savvy hackers are taking another route through LinkedIn and other social media sites.

LinkedIn is a valuable recruiting tool for many companies. Few if any organizations block the site with network filters. Understanding this, hackers will set up fake profiles and use the popular social networking platform as an “in.”

“These attacks are becoming more common because it’s easy and inexpensive,” Chris Stephen, a channel engineer at security firm Cylance, told CSO. “Companies have placed a lot of money in their perimeter security and purchased products to find sites with poor reputations scores. LinkedIn circumvents both of these layers.”

How to Avoid Ransomware Scams

Businesses and HR departments cannot expect this issue to go away soon. The only way to ensure your company doesn’t fall victim to ransomware ploys is to be proactive about security. Here are a few tips:

hand1. Invest in Education

Employee education on the topic of cybersecurity is one of the most important investments you can make. According to a blog post from data-protection software firm Virtru, “No matter how good your security measures are, your employees still need to know how to be safe on the internet. Users should know how to avoid phishing scams by not clicking hyperlinks in emails (especially from unknown users) or typing any sensitive or personal information into pop-up windows.”

This may seem like obvious information, but never take for granted what your employees do and don’t know when it comes to cybersecurity best practices.

2. Trust Your Intuition

Let your employees know that they should trust their instincts when something tells them an applicant or link isn’t kosher. There are always alternative ways of collecting information from an applicant. You should never click something you aren’t comfortable clicking.

3. Always Back Up Your Data

The power of ransomware lies in the fact that it cuts off access to data you need. By always backing up your data in the cloud, you have a way out, should you ever be attacked.

It’s a shame that we have to be so skeptical when interacting with people online, but that’s the state of the world we live in. If you aren’t extra vigilant, you’ll most likely end up in a compromising situation at some point.

While defending your organization from Ransomware may mean investing a little more time and effort into vetting online job applicants, it’s best to look at this as an opportunity to strengthen your company’s hiring process. You’re going to get out of your vetting process exactly what you put into it.

Anna Johansson is the founder and CEO of Johansson Consulting. Follow her on Twitter and LinkedIn.

Read more in Job Applications

Anna is the founder and CEO of Johansson Consulting, where she works with businesses to create marketing and PR campaigns. Follow her on Twitter (@Number1AnnaJo) and LinkedIn.