Anatomy of Job Scams - Red Flags and Trusting Your Instincts

Estimated read time: 7 min

I woke up to an email from a recruiter at a legitimate agency. The offer: an IT Manager role. I was immediately suspicious and shared the tea with my wife. I expected a laugh, but her response perplexed me. She thought the job offer was real. She's highly intelligent and a licensed professional, but she would have likely entertained this scam without a second thought.

Case Study: The IT Manager Job Offer

Job scams are a classic form of social engineering attack that occur in four stages:

Stage 1 - Target Identification:

This phase is sometimes known as reconnaissance. The amount of reconnaissance an attacker performs varies with the type of attack. Job scams are relatively simple and require very little of it, because the information-rich resumes we're required to share online hand the attacker a name, a skill set, a location and a contact address in one document. This attacker found my resume on a government job board where scams are so common that users are actually warned about the dangers.

Stage 2 - Hook/Deception:

The email came from the compromised account of a former employee at a legitimate recruiting agency. This adds a powerful layer of legitimacy to the scam and helps set the hook: the sending domain is real, the mailbox is real, and SPF, DKIM and DMARC all pass because the mail genuinely left the agency's mail system. Sender checks that catch look-alike domains and free mail providers will not catch this case, which is why the content of the message and the behaviour that follows matter as much as the headers.

Stage 3 - Exploitation:

Attackers are unlikely to get much traction via email, where every message is filtered, logged and easy to forward to someone who can verify it, so their goal is to shift platforms to something more immediate and more private. This attacker requested that I connect via Microsoft Teams. From Teams they started to engage in tactics to build trust, rapport, and buy-in.

Stage 4 - Disengagement/Exit:

At this stage the attack is complete. In a job scam that usually means the victim has already handed over what the attacker wanted, such as money for "equipment" or "training", bank details for "payroll", or identity documents for "onboarding". The attacker then goes silent, the chat account and mailbox are abandoned, and any trail leading back to them is cut.

The Email

From: t******@*****recruiting.com

Dear,

I hope this email finds you well. We were impressed by your resume and would like to extend a job offer to you for the IT Manager at ***** Recruiting. We believe your skills and experience make you an ideal fit for our team.

Below are the details of the job offer:

Job Title:IT Manager Job Offer

Remote, 38.75/hr

Reply if interested

Red Flags

Greeting: My name is missing from the greeting. Legitimate recruiters take their jobs very seriously. They're likely terrified of offending a candidate so they'll double or triple check.

Email Structure: The first half of this email starts off strong. This is something I would expect from a legitimate recruiter. However, the second half is vague and lacks detail. Legitimate recruiters provide clear job descriptions.

Language: A recruiter's job blends HR with sales and requires detail oriented language selection. I can't imagine any legitimate recruiter using the term, "Job Offer" in an initial contact. This sort of language in this context opens the door to potential legal problems if a candidate is rejected.

Compensation: The pay rate is suspiciously low for an IT Manager role.

Sign-off: The attacker chose to sign off with "Reply if interested." I can see lazy or overworked recruiters using this language, but it’s a red flag nonetheless.

Setting the Hook

My initial instinct informed me that this email was a scam. I decided to play along and gather evidence for a case study. Here's my response:

Good morning T*****,

Thanks for reaching out. I’m interested in hearing more. Can we set up a call to discuss further?

Many thanks,

Chris

The attacker followed up requesting that I connect via Microsoft Teams. Here's that email:

Our hiring manager will brief you on the job description and company policies on Microsoft Teams. please reach out to Maria our hiring manager on Microsoft teams. Her username is mariah@*****recruiting.com

The follow-up carries clear indicators that this is a scam:

First, the attacker immediately switched from a somewhat formal style to an informal style that totally disregards professional conventions.

Second, the attacker requested that we move to Teams without mentioning the phone call I requested. Legitimate recruiters will immediately pick up the phone or at least schedule a time to review.

Finally, the username is glaringly suspicious. I redacted a portion of the email to protect the identity of the agency, but there are still clear indicators that this is a scam. A Teams handle that looks like a company email address proves nothing on its own, since it is exactly what a compromised tenant or a look-alike tenant presents, yet the attacker is counting on it to pass as a real employee and an official communication channel. The pretext only works if you never verify the person behind the handle through a channel the attacker doesn't control.

The attacker attempts to build trust, rapport, and buy-in:

I connected with the attacker on Teams. They sent me a list of interview questions to answer. I responded with a few thoughtful answers, but I was careful to avoid sharing any personal information. I was told they needed time to review my answers and would get back to me.

Here's a screenshot of their response about an hour later:

[Screenshot: chat between Chris White and an attacker attempting to scam him.]

Red Flags Have Entered the Chat:

This is where the red flags really started to pile up. The attacker makes an informal offer after having only reviewed my resume and a few written responses to their questions. There was no in-person interview, no technical assessment, and certainly nothing rigorous to benchmark my capabilities.

Mariah goes into sales mode and starts to pitch the company. This is a classic sign of a scam. Any legitimate recruiter would have sold you on the opportunity up front, not after the offer. The sales pitch is followed by a bid for loyalty and demonstration of commitment. These requests are designed to instill a sense of buy-in. This attack exploits the sunk cost fallacy, where the victim feels they've invested time and effort and are less likely to walk away.

Trusting Your Instinct and Taking Action:

At this point I had seen enough. I disengaged from the scam and found the recruiting agency's phone number via Google search. I called to confirm that this was a scam. The agency explained that the email in use belonged to a former employee and that they were not hiring for any IT Manager roles.

There are some lessons to be learned here:

  1. Owners and managers of small businesses often fail to clean up their former employees' digital footprint. I'm sure they're super busy and it's easy to overlook, but failing to properly process employee assets on exit, which means disabling the account, revoking active sessions and tokens, resetting any shared passwords, and putting the old mailbox under someone's control, leaves a trusted identity sitting idle for an attacker to pick up and use against the very people the business deals with.

  2. Even if your initial instinct fails to signal danger you should always be on the lookout for red flags. Identifying the red flags saved me from a dangerous situation where I would have likely taken financial losses or worse.

  3. People who are searching for a job are often desperate because they need money. This pain point makes them more susceptible to this type of scam. It's important to be extra vigilant if you're in a vulnerable position. It might feel counterintuitive to raise an eyebrow at opportunities coming your way, but it’s a necessary precaution to prevent your situation from worsening.

Conclusion:

I didn't let this attack escalate to the point of requesting sensitive information or money, but rest assured, that was on the way. Here are a few tips to stay safe:

  1. Always verify the legitimacy of job offers by researching the company and reaching out to someone directly. If they're upset that you called to verify then you probably don't want to work there.

  2. Check the email sender to see if the message is spoofed or legitimate: look at the actual address behind the display name, the Reply-To, and the SPF, DKIM and DMARC results in the headers. Attackers often use free email services, misspelled look-alike domains, or a Reply-To that points somewhere other than the visible sender. Keep in mind that a compromised legitimate account, like the one in this case, passes all of those checks, so a clean header is a necessary condition, not proof.

  3. Professional jobs require a thorough review of your skills and background. It's likely a scam if you’re offered a job without a rigorous interview process.
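
The sender checks from tip 2, and the caveat from the Hook/Deception stage that a compromised real mailbox passes every one of them, are worked through below as an added example. This code is not part of the original post; the recruiter domain `examplerecruiting.com` stands in for the redacted agency domain, and the three header samples are constructed for illustration rather than taken from real mail.

```python
"""Triage the sender of a suspected job-scam email from its headers.

Added example, not from the original post. EXPECTED_DOMAIN is an assumed
placeholder for the redacted agency domain; the samples below are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

EXPECTED_DOMAIN = "examplerecruiting.com"  # assumption: the agency's real domain

# Free mail providers; a "company recruiter" writing from one of these is a flag.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
                    "icloud.com", "proton.me", "protonmail.com"}


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 between two domains suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_result(results_header, mechanism):
    """Extract the spf/dkim/dmarc verdict from an Authentication-Results header."""
    m = re.search(rf"\b{mechanism}=(\w+)", str(results_header or ""), re.IGNORECASE)
    return m.group(1).lower() if m else "none"


def triage_sender(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Return a list of sender red flags. An empty list is NOT a clean bill of
    health: a compromised legitimate mailbox produces exactly this result."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    flags = []

    if from_dom in FREEMAIL_DOMAINS:
        flags.append(f"free mail provider: {from_dom}")
    elif from_dom != expected_domain:
        label = expected_domain.split(".")[0]
        if edit_distance(from_dom, expected_domain) <= 2 or label in from_dom:
            flags.append(f"look-alike domain: {from_dom} vs {expected_domain}")
        else:
            flags.append(f"unexpected domain: {from_dom}")

    # Replies silently routed to a different mailbox than the visible sender.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    # Bounce address on another domain usually means a relay the sender does not own.
    rp_dom = domain_of(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        flags.append(f"Return-Path domain {rp_dom} differs from From")

    for mech in ("spf", "dkim", "dmarc"):
        result = auth_result(msg["Authentication-Results"], mech)
        if result != "pass":
            flags.append(f"{mech} result: {result}")
    return flags


# Constructed samples (headers only; not real mail).
LOOKALIKE = """From: Recruiter <t.recruiter@examplerecruitng.com>
Return-Path: <t.recruiter@examplerecruitng.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplerecruitng.com; dkim=pass header.d=examplerecruitng.com; dmarc=pass
Subject: IT Manager Job Offer

Reply if interested
"""

SPOOFED = """From: Recruiter <t.recruiter@examplerecruiting.com>
Reply-To: <hiring.desk@gmail.com>
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.net; spf=softfail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail
Subject: IT Manager Job Offer

Reply if interested
"""

COMPROMISED = """From: Recruiter <t.recruiter@examplerecruiting.com>
Return-Path: <t.recruiter@examplerecruiting.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=examplerecruiting.com; dkim=pass header.d=examplerecruiting.com; dmarc=pass
Subject: IT Manager Job Offer

Reply if interested
"""

if __name__ == "__main__":
    for name, sample in (("look-alike", LOOKALIKE), ("spoofed", SPOOFED),
                         ("compromised account", COMPROMISED)):
        print(f"{name}: {triage_sender(sample) or ['no header flags']}")
```

The look-alike sample passes SPF, DKIM and DMARC because the attacker registered that domain and controls its DNS, so authentication results alone do not separate it from the real agency; the one-character edit distance does. The compromised-account sample comes back with no flags at all, which is the point of the caveat in tip 2: when the headers are clean, the remaining signals are the ones this post walks through, such as the missing greeting, the "job offer" language, the push to move to Teams, and the offer made without an interview, plus a phone call to the agency on a number you looked up yourself.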


Check out my blog series called Digital Security Awareness for Non-Technical Professionals if you're interested in learning more about cyber threats and online security.