Last week, one of our clients experienced an interesting phishing scam. Our client was not the “target” – in fact, the scam targeted job applicants seeking a position at our client’s company. And the scam was perpetrated using publicly available information – no security compromise occurred.
Here’s what happened:
- Bad actors accessed our client’s public LinkedIn profile.
- Using the information they found on his LinkedIn profile, they created a fake Facebook Page.
- The bad actors began advertising “Data Entry” positions through the fake Facebook Page they created.
- When a would-be applicant expressed interest in the position, the bad actors contacted them, using the fake Facebook Page, through Facebook Messenger. They asked for personal information such as social security numbers, driver’s license information, address, etc.
- Our client discovered the scam when applicants reached out via email, concerned that they were being phished.
- Upon discovering the scam, we helped our client to “report” the fake Facebook Page to the Facebook security team as fraudulent.
As you can see, this all happened without our client’s network being compromised in any way. It was 100% based on publicly available information. And it played on prospective job applicants who were looking for employment and thus more susceptible to sharing their private information than they otherwise would have been.
Unfortunately, that means there is nothing that any business can do to prevent such a scam from taking place. There’s no way to prevent a bad actor from pulling publicly available information from a website or social media profile.
Preventing a scam like this from working successfully requires vigilance from the individuals being targeted – in this case, prospective job applicants. Fortunately, several of them found the activity suspicious and reached out to our client, which enabled us to identify the fraud and report it to Facebook.
The lesson, as always: guard your personal information carefully. Don’t share sensitive information through communication channels that aren’t 100% secure. And if you encounter a situation that feels suspicious, trust your instincts and don’t share sensitive information. Reach out to the individual you’re intending to communicate with through a different channel and verify that it’s legitimate before you do anything further.
Stay alert, and please don’t hesitate to reach out to our team if you’d like our help.
Dedicated to IT security and productivity,
– Steve
About Steve Kennen
Steve Kennen is the President of Proactive IT and an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for businesses. A seasoned entrepreneur and technology veteran with over 25 years of experience, Steve leads the team that keeps our clients secure and their business operations running smoothly.