Looking for a Job? Phishers Are Looking for You

By Annys Shin, Ylan Q. Mui, and Nancy Trejos

On Saturday, The Washington Post ran a story I wrote on a phishing scheme that targets job seekers who have posted their resumes on popular job sites such as Monster, Career Builder and Yahoo Hot Jobs.

This particular scam came with an Onion-esque flourish. One of the supposed employers, USAVoice.org, called itself “the world’s fastest growing news organization,” and lured aspiring journalists to give up personal information during the application prospect.

The news on the Web site, as one victim realized too late, doesn’t update as often as, say CNN.com does, and consists of stories with timely headlines such as “A History of Valentines Day.”

The scam came to the attention of the D.C. area Better Business Bureau because USA Voice uses a downtown Washington address, which turns out to be little more than a mail drop. A related site, Instant Human Resources, lists an address in Rockville, also a mail drop. Together, they’ve generated more than 8,000 inquiries since June.

While these particular Web sites are pretty slick, the phishing e-mails themselves are by no means the most sophisticated ever created. That honor, if you can call it that, belongs to the stream of official looking missives from financial firms, which are still the most popular ones to spoof among cyber criminals. After all, you’re more likely to give up valuable financial info that way.

In that sense, the personal info that appears on job sites may not be as lucrative. But even a name, e-mail, address and telephone number are worth something to scammers. They can turn around and sell those or use them to perpetrate “synthetic identity theft,” where a phony identity is created using bits of real people’s information.

In this particular case, the success of the scam relied on a two-pronged strategy. Not only did they advertise on the job sites, but they also contacted people who used them.

Job seekers who posted their resumes on Monster, Career Builder and Yahoo received e-mails from either USA Voice or Instant Human Resources, telling them that based on the their resumes they qualified for a promising sounding position. Those who didn’t smell a scam right away filled out online applications, in the process disclosing personal information.

Some get as far as entering a Social Security number. Many only get to name and address before backing out. At that point, job offers don’t come pouring in, but spam does.

The job sites have gotten wise to these schemes and, for the past several years, have been posting warnings on their Web sites in an effort to educate users before it’s too late. They also pre-screen job postings and monitor them daily. But it seems inevitable that scams will get through. Privacy expert Pam Dixon looked into how long USAVoice has been online; the site is about a year old. Most phishing sites don’t stay up for a week. So this one seems to have staying power, despite having their job postings removed from Monster and Career Builder.

The job seekers I interviewed for this story who said they were scammed by USAVoice and Instant Human Resources were not naive Internet surfers by any means. One has made a living in technology. But their normal scam radar was blocked by their desire for employment, which is what makes this particular scam so effective–and so lame!

For tips on how to spot a phishing scam, check out Gina Hughes’ tips.

Dixon’s World Privacy Forum has advice just for job seekers.

washingtonpost.com’s own Brian Krebs can also keep you up to date on the latest online security issues.

By Annys Shin | February 12, 2007; 7:00 AM ET Privacy