When headhunters on LinkedIn are scammers

In the August 30, 2016 Ask The Headhunter Newsletter, a reader cautions you to think twice before sending your information to “headhunters” you don’t know. They’re likely scammers.

Question

I recently had an experience with a headhunter(?) I do not know who sent me an unsolicited pitch to look at a job listing in my field in my city. The pitch was sent via LinkedIn with an attachment. I do not open attachments from people I do not know. This brings up the issue of cyber security in dealing with any kind of pitch about a job.

To confirm who I was dealing with, I called the main office of the headhunter’s firm. I got an answering service. Then I called the number the headhunter posted on LinkedIn, but got a vanilla message which did not identify the headhunter or the firm.

A reputable headhunter:

  • will have a voicemail message that clearly identifies the office and the person.
  • will not send an unsolicited attachment via LinkedIn.


Social media has been used successfully by hackers and scammers to mimic real identities to get unsuspecting people to open attachments that contain malware. For high-tech firms, like the one I work at, these kinds of threats are well understood.

However, with the rise of ransomware and other forms of hacking for profit (e.g., stealing bank and credit card account information), the use of social media for social engineering is a real threat.

I suggest you post some advice for your readers about cyber security and how to avoid being taken in by scammers.

By the way: LinkedIn is a good vector for this type of social engineering attack because many people access it from work. If they open a malware-infested attachment, it could compromise a work computer along with its intellectual property secrets. So far, there has been no response to my voice mail replies to the headhunter, and I never touched the file attachment on LinkedIn.

Some headhunters who send unsolicited attachments might just be clueless. On the other hand, my experience is most recruiters send the job description after they’ve qualified the prospect as being interested, available, and a possible match for the job, not before. Do you agree?

Nick’s Reply

I agree, and you just wrote the warning you’ve asked me to give about e-mails soliciting you for anything. It’s all the more important when a scammer is connecting via LinkedIn to imply credibility.

Most likely, that’s not a headhunter at all, but a phishing expedition. It’s how scammers obtain personal information they can use to steal your identity. We can’t blame headhunters for something like this, because such scams routinely mimic anything that might lead a sucker to open an e-mail and an attachment.

(Let’s not leave the HR bogeyman out of this nightmare. See Big Brother & The Employment Industry: “All your employment are belong to us!”)

However, because the cost of entry to the headhunting business is virtually zero, we’re faced with loads of stupid, inept, and sometimes unsavory “headhunters.” I’d say 95% of those purporting to be headhunters are not. The most common among these are idiots dialing for dollars. (See Why do recruiters suck so bad?) They will solicit thousands of people they know nothing about via mailing lists. As you’ve noted, any good headhunter will know quite a bit about you prior to making first contact, or why would they bother spending their precious time?

2 rules of thumb

I think there are two cautionary notes here — call them rules of thumb to keep you out of trouble. First, assume any e-mail or attachment is a phishing tool. I think that’s a reasonable rule because most e-mail is junk of one sort or other. Very few mails constitute “signal.” Most are noise. So, be skeptical all the time and be very careful.

Second, if it’s a real headhunter, apply basic common sense and business standards. If the mail is from a headhunter you don’t know who clearly doesn’t know you, it’s probably a waste of time. Just because you really, really want a headhunter to find you a job doesn’t make it so. It just ups the odds that you’ll get suckered.

Drop this bomb on the headhunter

To test the sender, simply ask one of the many qualifying questions I list in How to Work With Headhunters… and how to make headhunters work for you. For example, drop this bomb:

“Please give me the names and contact information of 3 people you’ve placed and 3 managers who have hired through you.”

A good headhunter knows how to instantly defuse it by gaining your respect. He’ll ping you back to make sure you’re not going to waste his clients’ time — then he’ll give you his references. The rest aren’t worth dealing with — your question is like a bomb going off on their party. They know it’s all over.

If you’re considering doing something silly just because someone told you to — like clicking on an unknown attachment — ask yourself whether you’d do it in any other business context. If not, then don’t do it. (Would you hire a contractor to remodel your kitchen without checking some references first?)

Beware of fools

Of course, there’s another category of scoundrel — the naïve headhunter who doesn’t consider the risks she asks prospective candidates to take when she sends them solicitations. She’s not worth dealing with, either, because she’s the fool who will accidentally contact your current employer and present your resume for an open position — and possibly get you fired.

How to test for scammers

What you did to test for a scam is what I suggest in HTWWH:

  • Google the name of the person who solicited you. Is there evidence the person is affiliated with the firm?
  • Google the firm. Is the headhunter that contacted you listed on its roster?
  • On the firm’s website, look for names of the owners and for a bricks and mortar address.
  • Look up the individuals named, and find the address on Google Maps.

Then ask, does it all add up?

  • If there’s no connection between the headhunter and the firm evidenced online, don’t respond.
  • If the firm’s website does not list any names, or a street address, or any contact information that you can verify through an independent source, run. (If you do find an address on Google, there should be multiple references to it, or it’s probably phony.)
  • While some good headhunters work out of their homes and prefer not to list an address for privacy reasons, they should at least have a verifiable post office box.
  • Any real headhunter will have a verifiable phone number and friendly voicemail. Only a scammer doesn’t want to take your call!

Did I say check references?

As you found, in most cases there’s no “there” there. If the headhunter fails these tests, checking those references is absolutely critical.

These tests are not sufficient, but they are necessary and they’re a good start when performing due diligence. It’s not hard to determine whether someone is legit, but it’s very easy to be gullible and to get suckered. In this case, a fraud has contacted you — but people should expect that most e-mail solicitations are frauds. The trouble is, most people rationalize: “Hey, I don’t want to miss an opportunity! Besides, this was through LinkedIn.”

Wishful thinking and the pain of job hunting turn people into suckers. (LinkedIn does not confer legitimacy.) “Headhunter” is just another mask scammers wear because they know you’d love a new job. And random job solicitations are just another sign of lousy headhunters that aren’t worth your time or consideration.

(For more on this topic, see How to work with headhunters.)

Did you ever get scammed by a headhunter? Was it even a real headhunter? How do you vet job solicitations?

: :

How employers help scammers steal your Social Security number

It was inevitable: Scammers are stealing job seekers’ identities using over-the-top interview protocols established by employers to gather sensitive personal data. Have employers gone too far demanding too much of job applicants before they even need the information?

Great news! A well-known employer in your area sends you an e-mail saying it wants to interview you by phone — they found your resume online or your profile on LinkedIn. You answer the phone at the appointed time and have a job interview. Perhaps the interviewer makes an offer on the spot — your lucky day! He helps you complete the job application right there on the phone. What’s not to like?

Highmark, a BlueCross BlueShield healthcare company, warns on its website that the interview you think the company just conducted with you was a fraud — and someone stole your private information in the process:

Important Notice
Recently, Highmark has received several reports of possible fraudulent online activity in which an individual posing as a Highmark human resources representative contacts job seekers by e-mail or phone/text, conducts interviews and makes employment offers on behalf of the company. In most instances, those contacted have never applied for a position with Highmark. These false job offers are likely made in an attempt to gain access to your private information, such as your social security number.

— Warning posted on Highmark’s Careers page, detailed further in this notice

While fake online job postings are common and used to get you to fill out forms with personal information that can be used to steal your identity, this fraud is bold. Someone posing as a well-known employer actually calls you up and interviews you — and by the time it’s over you’ve got a phony job offer and the scammers have your very real social security number and other private information.

How can this happen?

An alert job seeker might recognize a phony e-mail address behind the official-sounding name of the company and the recruiter. But some won’t. Job seekers are understandably excited to get an e-mail asking for an interview and will quickly follow the “script” we’re all accustomed to — an e-mail expressing interest, a phone interview with a recruiter, and an intimidating demand for highly detailed “job application” information that includes private personal data that no employer really needs — but demands anyway.

Of course, not all victims will believe they just got a job offer on the phone without an in-person interview — but some will. And even if the “recruiter” doesn’t make an offer on the phone, he makes it awfully easy to “complete the application” on the phone while he does all the writing for you. He’ll even write down your social security number and your home address and phone number. What’s not to like?

How employers help scammers steal your SS#

Employers have programmed job seekers to quickly disclose private, confidential information — when there’s no real benefit to doing so, but lots of risk. Long before the employer decides you’re even a serious contender for a job, it demands your home address, your social security number, names and contact information of your references and permission to contact them, your salary history (which you should never disclose) and loads of other information that’s none of their business at this juncture and which they don’t even need. (When you fork over your references, you’re putting them at risk, too — probably not a good idea if you want good references!)

Why do HR departments routinely demand all this information? Simply because they can. You’ve been trained to deliver “the required information” just to apply — while the employer hasn’t even checked your qualifications or indicated the slightest interest in talking with you, much less hiring you. (See Does HR Go Too Far When Screening Candidates? — especially comments by HR manager Earl Rice. As you’ll note from the 2003 date on this article, this is not a new employer protocol.)

That’s why you become an easy target for scammers. Scammers exploit the intimidating “script” employers have taught you to follow. That’s how unreasonable, over-the-top job application requirements put you at risk. But it’s even worse.

Where’s your data?

Even a real, live employer that collects your private information puts you at risk. Many employers use third-party applicant tracking systems (ATSes) to log your application information and personal data. It all goes into “the cloud” — and good luck protecting it. When you complete that application, you’re usually asked to sign a waiver that gives the employer and its “agents” (translation: any third parties it deals with but that you don’t know about) permission to do with your data as they please.

You have no idea where your data goes, who has access to it, or how well (if at all) it is secured. Personal job application data is stored in unregulated, central repositories that even employers have no control over. Who controls these enormous databases? Companies like Oracle Taleo, Bullhorn, HRIS, IBM’s Kenexa, iCIMS, JobVite, HireBridge, JobScore, and ADP VirtualEdge among others. (For more about the applicant tracking system racket, see Employment In America: WTF is going on?)

Of course, to apply for a job you must provide basic information. But it’s up to you to be judicious about what you share and at what point in the recruiting process. Do they really need your social security number — when they haven’t even met you or given you any clear indication that they’re going to make a job offer? Most people today have already been brainwashed by the employment system to hand over anything and everything an employer says it “needs” to “process you.”

BAM! It’s that misconception that turns you into a sucker when a phony recruiter calls you and asks for all your data.

It’s time for employers to behave

It’s time for employers to stop demanding information they don’t need to recruit you. Today, HR departments ask for the kitchen sink simply because they have a database for kitchen sinks. “We’ll just get all the person’s data up front, so we don’t have to do it later.” More cynically, “We’ll get all their data before we even decide they’re viable candidates because then we can use a keyword scan to quickly reject people we haven’t even talked to yet.” (Less politely: Presumptuous Employers: Is this HR, or Proctology?)

When employers put some of their own skin in the game, then they can ask applicants to do the same. For example, what’s the salary range on the job? How much did you pay the last guy in that job and the one before that? What’s your Employer Identification Number? May I see some references from your customers, vendors and former employees? How about your credit rating? You’re privately held? I still need that information — I’m privately held, too. Are some of those questions over the top? Hmmm…

It’s also time for job seekers to stop being suckers. You are always free to politely but firmly decline to disclose any information you think is too private to share — until you think it’s warranted to process your job offer. Don’t be a sucker for either a legitimate employer who asks for too much — or for a scammer. See Fearless Job Hunting, Book 8: Play Hardball With Employers for tips about how to stay in control when you’re talking with an employer.

(For more on this story, see the Pittsburgh Post-Gazette, which interviewed me about the scam: Insurer says swindler posing as Highmark job recruiter.)

Where do you draw the line when disclosing private information to apply for a job? Do employers ask for too much, too soon? How do you apply for jobs while protecting your private information?

: :

Big Brother & The Employment Industry: “All your employment are belong to us!”

Suppose that every time you applied for a job, some guy in a little room checked an Excel spreadsheet and notified the employer: “No interview for this guy. He’s a bum.”

It’s already happening.

Several years ago I published a series of articles about identity theft via job boards, including a report about Monster.com’s troubling practices by Pam Dixon from the World Privacy Forum (Click, You’re Hired. Or Tracked). Later, I published a newsletter titled Does HR go too far when screening candidates? in which HR consultant Earl Rice warned that:

“…in their zeal to protect themselves and their companies, HR departments may be covering up illegitimate and possibly illegal practices. When HR outsources background checks and investigations of candidates, is HR doing its job, or is it ensuring plausible deniability while letting loose an investigative demon that systematically violates people’s privacy and feeds the specter of identity theft?”

Trading privacy for Big Brother’s social initiative

It’s a world where Facebook routinely collects and profits from massive amounts of personal information. It’s a world where people enjoy the benefits of “social networking” and just want to keep up with their friends minute-by-minute. It’s a world where Big Brother has taught people to shrug and say, “Privacy? There’s no privacy any more. My information is in lots of databases and it’s not worth worrying about it!”

It’s a world where corporate employers are covering their legal asses while you get rejected for jobs that have long been vacant because “there’s a talent shortage.”

It’s also a world where opening a financial account in your name doesn’t take much more than your name, address, social security number (SSN), and a signature — any signature. But in today’s economy, the permissions you grant to employers when you apply for a job can continue to cost you lots of jobs — and you’ll never know it.

Let’s go back to what HR consultant Rice said back in 2003:

“If you have signed one disclosure for one employer, the investigations company that did the checks will keep the information about you in their database and then just re-sell the results to their next client.”

How does this happen? HR outsources the investigations, and the third party investigations company owns the information it gathers about you. The next employer rejects you for the same reasons the last one did. Were those reasons legit?

“This total invasion of privacy beyond your wildest dreams (actually, nightmares) is outsourced. The worst part is that much of the data and information these outsourced security agents collect is erroneous.”

You sacrifice privacy; employers buy legal protection

But while you’re giving up your privacy for certain “social” benefits (like the ability to apply for a job), employers are capitalizing on the holes you just punched in your life. Then, those same employers are buying legal protection in case you sue them for peeking through the holes. Rice reiterated that the quality of information about you in those databases isn’t the issue; insulation of employers from legal liability is the issue. Rice warned that an employer’s intentions could be far more complex:

“This is an industry that is almost totally unregulated. The multiple levels of outsourcing and subcontracting yield enough plausible deniability to the companies themselves, and their clients, that abuses run rampant.”

Are employers using third parties to distance themselves from legal liability when checking you out? Who’s responsible for auditing and tracking the use and security of personal information an employer gathers about you?

Like many people, I put all this aside and chalked it up to Big Brother’s ubiquitous presence in our lives… the Internet, after all, is the Big Brother we’ve invited into our lives, choosing to accept the quirks of his behavior in exchange for all the social gifts he bears.

The little man who controls your career

That’s how I compartmentalized it all, until a reader sent me the story of his recent experience with a major American corporation with operations around the world. The reader is a 20-year veteran of the information technology field, and has more than a passing knowledge about security. Read it and decide how worthy a trade we’re making — some of our privacy, in exchange for the wonderful social gifts Big Brother delivers into our lives.

During Q4/2010, I was being considered for a position with [Company X]. Before I could be submitted for consideration to the hiring manager, the recruiting agency required my name and full SSN so that it could be checked against a database of Company X’s former employees. I decided to dig into their process.

Each agency was collecting names and SSNs within their offices in a spreadsheet, then submitting them periodically to a third-party agency via unencrypted e-mail attachment (Excel file). I went as far as to contact the individual at the third-party agency who was receiving and processing the queries.

He told me that he logged into a Company X mainframe application to enter the names and SSNs, then returned the spreadsheets to the agencies with a Yes or No indication for whether the candidates were acceptable to Company X on the basis of when and how they might have been terminated, or if his check could verify that they had never worked for Company X. He then combined each of the spreadsheets into one of his own so that he could independently track and verify the names and numbers he had already processed.

Me: “Where do you keep that spreadsheet?”

Him: “In my in-box in Outlook.”

Me: “Do you see any security risk in that?”

Him: “No, it’s just on my desktop.”

I was shocked. That was when I decided to pass on the opportunity. I also informed the agency rep who had contacted me about the job that this was how it was being done, and while he agreed that it wasn’t very good, he had no way to change the process put in place by Company X.

All your career are belong to us

You worry that you’re too old, or that you lack the proper college degree or skills. But employers are rejecting you before they check any of your work credentials. Your career is subject to “judgments” far more stupid and unsophisticated than you could imagine — judgments that could well be incorrect, and over which you have no right of appeal.

In 1991, a poorly-translated warning appeared in a popular video game: “All your base are belong to us.” Today, the game ends for many job applicants before it even starts. Your career belongs to the little man with the spreadsheet, who operates at legal arm’s length from the employer that rejected you. He works for an agency that is contracted by lots of employers to handle candidate investigations, and to notify employers whether you should be interviewed.

But, the business is not about hiring; it’s about selling and re-selling data about you whose accuracy you cannot confirm.

“The larger outsourced security/investigative companies have started keeping databases of their own. One advertises they have a database of over 1.5 million people for employers to run their candidates against.”

At the time Earl Rice contributed his comments to Ask The Headhunter, he was working for a major employer that outsourced background investigations to third parties that weren’t even in the United States. They were based in what we used to affectionately refer to as Iron Curtain Countries.

“They start with a name and phone number and e-mail address from a resume or application. Then, they cross-reference information until they get a date of birth or social security number and go from there. When an applicant walks into HR for that first meeting, they already may have been investigated. Never mind that much of the data gathered may be erroneous. The ‘data’ was gathered at arm’s length, but the employer will treat it as absolute fact.”

Advantage Employment Industry

Employers are ultimately responsible for the way job applicants are treated, no matter how carefully they’ve instituted legal protections by outsourcing candidate rejection. But the problem job hunters face is a systemic one. There’s an entire employment industry that now relies on Big Brother and the holes you permit in your personal privacy. Privacy expert Pam Dixon boils it down:

“The business of searching for jobs online has grown from a market niche to a multi-billion-dollar, rapidly consolidating industry that relies on the eager search activities — and employment dreams — of millions of job seekers.”

Every time a job hunter submits an application through the rote channels established by corporate HR departments, the employment industry gets paid — whether a match is made or not. The job hunter loses, and the hiring manager cries about the talent shortage. Employers give the advantage to the employment industry — a mafia of consultants and contractors who bear no responsibility, because they just manage that spreadsheet.

Every time a job hunter agrees to apply for a job via Big Brother methods, rather than through a personal contact with a hiring manager, the job hunter sets in motion the wheels of an entire data industry designed to make money — not to match people with jobs. Most of the time, the job hunter gets taken down in a drive-by data attack. The little man with the spreadsheet wears a hood, and even the employer has no idea who’s driving the data base. Or where the keys are.

The IT manager who shared the story above decided to skip the little middle man — and Big Brother. His next contact with an employer was direct, and he hasn’t submitted to a strip search of his personal information. His job search isn’t easy, but he still owns his career.

: :