CYBERSECURITY JOB HUNTING GUIDE
A SUSPICIOUS job offer
Author: Stefan Waldvogel
Editor: August Samples
How can you detect a job scam?
Looking for a job can be a daunting task, and sometimes you get messages like this:
This looks fantastic, but is this message legit, or not? Let us go through it.
- This message was sent by a “President”. Sounds powerful, but if you check LinkedIn, this company has about 10 employees. The second thing is, I have over 8000 connections, but only three shared connections? This is suspicious.
- I put a lock symbol in my name on purpose, because LinkedIn’s spam tools just take the first-name field and insert it into the message. No human would address me like this. This is spam.
- Everyone wants to work remotely, but here it is more like a fishing net. You can work remotely from any city.
- The salary is very high and specific. This company does not even use my name and wants to pay $90 an hour ($180,000 yearly)? That is a big red flag.
Netcraft is a useful browser extension and can tell us more:
We have a risk rating, the web page is relatively new, the title is very weird, and with VirusTotal we see this:
We dig a bit deeper with the Wappalyzer browser extension:
If you google these versions, they are outdated, and it is a bad idea to expose all the version numbers.
Small companies might not have the money to fix everything. Here I would say it is a scam, but I am not 100% sure. If you do work for such a company, you can use your findings if you get an interview: you stand out because you are helping the company.
Do not dig much deeper, and never target the web page with active tools. You can use SHODAN to find more (it is passive), but never actively attack a company or a person without written permission!
LinkedIn can give us more details. We can open the company page, go to people and we see this:
All the people marked in red have the same last name. It is a family company, but the name Austin and the same picture appear twice in this list. That is weird because both accounts have Premium, and that is expensive. Why would they do that? Maybe this company is a victim too, and some of these employees are fake and do not work there.
What else can you do to protect your personal data?
A lot of fraud is identity theft: they want your data and use it later. If you exchange emails, pay attention to the actual sender address. If it is a Gmail, Hotmail, etc. address and not a real company address, it might be fraud. Unsure? Use tools like https://mxtoolbox.com/EmailHeaders.aspx to find out more.
Call the person and the company. Many companies have a phone number; try to ask someone else there. If you have an extensive network, you have people to ask. Did you get an email with an attachment? Use VirusTotal, any.run, Cuckoo Sandbox, or something similar to check the file.
Be aware of scams. Let us say you get hired and you may buy a very expensive PC for work, and you get a check to pay for it? Big no-no: a check can bounce, and that can take up to 10 business days. Usually you see the money in your bank account instantly, but if it is related to fraud, the bank takes the money back. You have to wait a full two weeks to see whether the check is real or not! In the US, the system is fraud-friendly; it is too easy for the bad guys.
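The two checks above (is the sender really writing from a company domain, and what is actually attached?) can be done on the raw message before you ever open it. The following Python script is an added example for this guide, not a tool from the original text: it builds a constructed sample message (every name, address and domain in it is invented), then reads the From and Return-Path domains, the SPF/DKIM/DMARC verdicts from the Authentication-Results header that your own mail server adds, and the SHA-256 of each attachment, which is the value you would paste into VirusTotal instead of uploading the file. The free-mail list and the risky-extension list are illustrative choices for the example.

```python
"""Offline triage of a suspicious recruiting e-mail (added example, not from the original guide)."""
import email
import hashlib
import json
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# A company recruiter normally writes from a company domain; illustrative list, not exhaustive.
FREE_MAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com", "aol.com"}
# Attachment types that should never arrive unannounced from a recruiter (illustrative list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk")


def build_sample(suspicious: bool = True) -> bytes:
    """Construct a sample message. Every name, address, domain and file here is invented."""
    msg = EmailMessage()
    if suspicious:
        msg["From"] = "Jane Doe <hr.examplecorp@gmail.com>"
        msg["Return-Path"] = "<bounce@mailer.example.net>"
        msg["Authentication-Results"] = "mx.example.org; spf=fail smtp.mailfrom=mailer.example.net; dkim=none"
        filename = "onboarding_form.exe"
    else:
        msg["From"] = "Jane Doe <recruiting@examplecorp.example>"
        msg["Return-Path"] = "<recruiting@examplecorp.example>"
        msg["Authentication-Results"] = "mx.example.org; spf=pass; dkim=pass; dmarc=pass"
        filename = "job_description.pdf"
    msg["To"] = "candidate@example.org"
    msg["Subject"] = "Remote position, $90/hour"
    msg.set_content("Please fill in the attached form and send us a copy of your ID.")
    # Placeholder attachment bytes; a real file is hashed exactly the same way.
    msg.add_attachment(b"abc", maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def _auth_result(header: str, mechanism: str):
    """Pull e.g. 'fail' out of 'spf=fail ...' in an Authentication-Results header."""
    m = re.search(rf"\b{mechanism}=(\w+)", header)
    return m.group(1).lower() if m else None


def _domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Return the sender domain, a list of red flags, and a SHA-256 per attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_domain = _domain_of(str(msg.get("From", "")))
    if from_domain in FREE_MAIL_DOMAINS:
        findings.append(f"sender uses free-mail provider {from_domain}")

    # A Return-Path on a different domain than From is common in bulk/spam tooling.
    rp_domain = _domain_of(str(msg.get("Return-Path", "")))
    if rp_domain and rp_domain != from_domain:
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    # Authentication-Results is written by the receiving server, so it is worth trusting.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        result = _auth_result(auth, mech)
        if result and result != "pass":
            findings.append(f"{mech}={result}")

    attachments = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").lower()
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        attachments.append({"filename": name, "sha256": digest})
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {name}")

    return {"from_domain": from_domain, "findings": findings, "attachments": attachments}


if __name__ == "__main__":
    print(json.dumps(triage(build_sample()), indent=2))
```

To run it on a real message, save the mail as `.eml` from your mail client and pass its bytes to `triage()` instead of `build_sample()`. Look up the printed `sha256` on VirusTotal first; only if nothing is known about the hash is it worth submitting the file to a sandbox such as any.run or Cuckoo.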
Other forms of scams
This is a typical example of a different scam. It could be related to writing fake reviews or fake 5-star reviews, or maybe to money laundering. You get money for free? Think about the related risk.
A quick reverse Google lookup:
Not much to add...
© 2021. This work is licensed under a CC BY-SA 4.0 license