Proofpoint, Inc., a leading cybersecurity and compliance company, has identified a threat, called employment fraud, which is heavily impacting higher education organizations. Proofpoint researchers regularly identify and block employment fraud threats that attempt to entice victims with an easy, work-from-home job.
COVID-19 has exacerbated this threat as many employers have shifted to remote work, and the concept of working from home is increasingly expected and desirable. 76% of CISOs in the UAE have seen the biggest increase in targeted attacks since switching to widespread remote working. In fact, some identified threats will reference COVID-19 as part of the job description or reason for being remote.
Of the job themed threats recently identified by Proofpoint, nearly 95% are targeted to educational institutions, mainly colleges and universities. Worryingly, according to Proofpoint’s 2021 Voice of the CISO report, 50% of UAE CISOs in the education sector believe that human error is their organisation’s biggest cyber vulnerability, and as these threats are targeting people, the attack surface is widened.
“These threats can cause people to lose their life savings or be tricked into participating in a criminal operation unknowingly. They are very concerning for universities especially, and Proofpoint detects and blocks thousands of employment fraud threats weekly that could harm their students and faculty.” said Sherrod DeGrippo, Vice President of Threat Research and Detection at Proofpoint.
An employment fraud threat occurs when a threat actor attempts to recruit someone under the premise of a legitimate job offer. Threat actors will craft fraudulent job offers hoping to steal money, personal information, or to recruit an individual to unknowingly comply with illegal activities such as money laundering. Threat actors will typically pose as recruiters or employers and try to entice victims with a variety of opportunities.
There are many variations of this threat including job offers as caregivers, mystery shoppers, administrative assistants, models, or rebate processors. Employment fraud is differentiated from other threats such as Advanced Fee Fraud (AFF) due to the job theme and ultimate end result or goal of the attacker. A recipient may end up getting “hired” for a job, role, or function aiding the attacker.
With AFF the attacker is hoping to get a small amount money upfront by promising big money later. Employment fraud collects information and recruits unknowing participants into a criminal network. Some may initially start by collecting money allegedly for administrative fees or passport services, but that’s typically done to weed out applicants and is not usually the end goal. Additionally, participation in these schemes could result in a victim facing criminal charges for working as a money mule.
Threat actors may target universities for a variety of reasons. Students are likely more open to flexible, remote work opportunities; international students may not recognize tell-tale signs of fraudulent emails as well as native English speakers; and rising inflation and cost of education is putting the pinch on students’ finances, making the promise of quick cash more attractive.
The apparent legitimacy of emails and job opportunities varies – some threat actors use legitimate branding, proper spelling and grammar, and real roles at spoofed organizations. Additionally, the threat actor may use spoofed or compromised email addresses to send the fake recruitment email, especially posing as university career centres or job placement facilitators.
Users should be aware of these types of threats, especially job hunters and students and faculty at post-secondary educational institutions. Legitimate employers will never send pay checks before an employee’s first day of work, nor will they ask employees to send money to purchase items prior to work beginning.
Key components of fraudulent job offers may include:
- An unexpected job offer received from a free mail account such as Gmail or Hotmail, spoofing a legitimate organization
- Nonexistent or overly simplistic interview questions with little to no information about the job duties
- Receiving a “paycheck” almost immediately after beginning a discussion with a sender
- A sender encouraging a recipient to switch to a personal email or chat account to discuss the job opportunity
- Language such as requesting a “quick task” be completed, especially if it involves sending money via mobile applications or Bitcoin addresses