Although recruiters say that it is a hot job market, there are still some people I know of, myself included, who are still looking for a regular, time job. In my case, I have been pickier than normal, as I am trying to find a tech writing job out here in the Western burbs, and thus the market is narrower and the jobs of course will be more limited.
I am on the job boards every day, getting those resumes out the door. I usually hear back from recruiters via phone call, E-Mail, and even text message. I usually reply with E-Mail (if I know if the sender is legitimate or not), and will even answer a call, provided that it does not come up as “Unknown” or “No Caller ID”.
I am leery of text messages. Why? Well, it's harder to actually confirm the identity of the sender. True, you could do a reverse lookup in Google, and even dial back the number, but that often yields nothing.
Because of that, this is the new venue that the Cyber attacker is now using to target their prey. They know that there are a lot of people out there looking for work, and in their eagerness, they are more apt to respond to a text than an E-Mail or a phone call. This kind of attack is known as “SMS Phishing”, and is gaining steam, especially in the recruitment industry.
I found an article with some screenshots that will walk you through the art of the SMS Phishing Attack. Let’s get started.
First, the job seeker gets a text message with an actual screen as is illustrated below:
Of course, seeing somebody reach out to you with a position from Amazon will obviously perk your eyes wide open, as it would mine. This is the hook that the Cyber attacker tries to use in order to lure their victim into their trap. The other red flags which should raise your eyebrows: The new car, and a $5,000 per month salary with no experience? Too good to be true in my opinion.
After clicking on a button that further expresses your interest in the job, you are then asked to fill out a contact form, as depicted below:
As one can see, all the form asks for is your E-Mail and phone number. This could be an area where the Cyber attacker could trick the job seeker into logging into a phony website, thus, providing even more confidential information and data. But even with a phone and E-Mail, there is a lot of subtle damage that a Cyber attacker can actually do, such as launch a Voice Fraud campaign, or harvest the contact book in your E-Mail address in order to launch a Botnet style attack.
The use of a network sniffer by the Cyber security researcher who did this exercise shows the following results:
The one major item to be gleaned from this data is that after the job seeker has provided their E-Mail address and phone number, they are then taken to a phony Amazon website which looks legitimate enough, as illustrated below:
Note that the website does not ask for any more information and data, rather it is a generic looking “Thank you for submitting your details” page.
My thoughts on this?
To all job seekers, and even me included in this, be especially careful of any SMS text messages that you may get from a job board or a recruiter. As mentioned, they know that the probability of you responding to a text is much greater than opening up your E-Mail app or answering a phone call.
I keep getting these kinds of text messages all the time, and you know what? I just plain old delete them immediately. In fact, to be honest, I almost got hooked into one of these a couple of months ago. I responded to what looked like a legitimate SMS message from a recruiter, but after replying, I knew it was fake because they kept pressuring me to reply.
That is another huge red flag to look out for as well. There may not be a sense of urgency in the initial text message, but there will be as your communications with the phony recruiter deepen. So my best advice is to simply just delete these kinds of messages, especially where there is even an attachment involved. You just don’t know how bad the malware might be if you download it.
It could even render your entire Smartphone useless.
As a means of further protection, you could even download a software package from a Cyber security vendor (probably for just a nominal cost) that will alert you of any malicious links that are prevalent in your text messages.
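The red flags described above (a big-name employer whose link points somewhere else, high pay with no experience, an unusual perk, pressure to reply, an attachment) can be checked mechanically. The following is an added example, not code from the article or from any vendor's product; the brand allowlist, the keyword patterns, the flag names and the sample messages are all assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist for the example: brand name -> domains it really uses.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.jobs"}}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
PAY_RE = re.compile(r"\$\s?\d[\d,]*\s*(?:per|a|/)\s*(?:week|month)", re.I)
NO_EXP_RE = re.compile(r"no\s+(?:prior\s+)?experience", re.I)
PERK_RE = re.compile(r"\b(?:new|free|company)\s+car\b", re.I)
URGENT_RE = re.compile(r"\b(?:reply\s+now|urgent(?:ly)?|immediately|right\s+away|last\s+chance)\b", re.I)


def link_matches_brand(url, brand):
    """True only if the link's host is an allowed domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])


def red_flags(text, has_attachment=False):
    """Return the list of red flags found in one SMS message."""
    flags = []
    urls = URL_RE.findall(text)
    for brand in BRAND_DOMAINS:
        if re.search(rf"\b{brand}\b", text, re.I):
            if any(not link_matches_brand(u, brand) for u in urls):
                flags.append(f"brand-link-mismatch:{brand}")
    if PAY_RE.search(text) and NO_EXP_RE.search(text):
        flags.append("high-pay-no-experience")
    if PERK_RE.search(text):
        flags.append("unusual-perk")
    if URGENT_RE.search(text):
        flags.append("urgency")
    if has_attachment:
        flags.append("attachment")
    return flags


# Constructed sample messages (not taken from the article's screenshots).
LURE = ("Amazon is hiring! $5,000 per month, no experience needed, plus a new car. "
        "Apply: http://amazon-careers.example.net/apply")
FOLLOW_UP = "Reply now or the position goes to someone else."
BENIGN = "Hi, this is Dana from the agency. Are you free for a call Thursday at 2pm?"

if __name__ == "__main__":
    for msg in (LURE, FOLLOW_UP, BENIGN):
        print(red_flags(msg), "<-", msg[:50])
```

The host comparison is done on the parsed hostname rather than by substring search, so a link such as `amazon.com.example.net` is still reported as a mismatch.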
But the best line of defense in these cases: Go with your gut. If it is too good to be true, then it is.