Your company’s talent is its lifeblood. Job postings for qualified individuals and other recruitment activities are vital to its operations. What happens, then, when scammers conduct phishing schemes to trick individuals into applying for nonexistent jobs you didn’t post with the objective of stealing their personally identifiable information (PII)?
Gone Phishing
In the age of remote work and virtual hiring, the impersonation of companies in job recruitment scams has become increasingly prevalent. It can be difficult for jobseekers to recognize a recruitment outreach as a scam, particularly when they’re highly interested in the opportunity. So, it’s important for companies to take steps to mitigate or stop the potential for harm. Leveraging company intellectual property is crucial to combating such schemes and protecting both jobseekers and the company’s reputation.
Although scammers use different approaches to phish jobseeker information, these schemes are typically rooted in the goodwill of reputable brands. If scammers can convince jobseekers they’re reaching out on behalf of a well-known, reputable company, they have their hook.
One of the most common ways to impersonate companies is to register one or more domain names incorporating the company’s brands and send corresponding emails to unwitting prospects. For example, scammers frequently register domain names such as <companycareer.com> and create email addresses that appear related to job recruitment, such as hr@companycareer.com.
Because the email address incorporates the company’s trademark, it appears legitimate. Also, instead of creating their own dummy website at the domain name, scammers will often forward the fraudulent domain name to the company’s actual website to further legitimize their communications. In this manner, the scammer’s successful impersonation of a company is little more than a domain name registration away.
After the scammers have created a domain name and an email address, they often scrape the text of the company’s legitimate job postings and republish them on other job websites. It’s also common for someone from “HR” to reach out to candidates directly. This outreach is often followed by an interview, often with the scammer impersonating HR personnel listed on company websites or LinkedIn and even using the company’s branding in the background of virtual meetings.
The scammers then follow up on the interview to confirm that the jobseeker has been hired. Once the email confirming employment has been sent, a link or document is forwarded requesting the “new employee’s” PII, such as full name, address, email, bank account details, and Social Security number. Scammers sometimes even send checks or request upfront payments (e.g., for home office equipment) as part of the “hiring process.” Unfortunately, real victims suffer real losses through these schemes, and there’s often little law enforcement can do to recover lost funds.
Ensure Your Company Isn’t the ‘Catch of the Day’
Below are seven steps your company can take to protect its recruitment process and reputation:
Report fraudulent job postings. Job websites typically have mechanisms for reporting fraudulent job postings. Submitting a takedown notice may be your fastest, easiest, and cheapest way to take down an unauthorized job posting. That said, multiple follow-ups and even outreach to in-house counsel at these websites may be required to complete the removal.
Post notices on the career pages of company websites. Place a disclaimer on the career portion of your company’s job webpage to notify applicants that scammers may try to contact them, and if they aren’t contacted through specified channels, the recruitment may not be legitimate. This is your company’s opportunity to speak directly to job applicants and warn them to be vigilant.
You should also include an email address or a form so job applicants can contact your company directly to confirm that a job posting or communication is legitimate.
Send notifications to domain name registrants, registrars, privacy shields, and website hosts. Scammers can cheaply register domain names using your company’s trademarks, but consumers can’t know all your company’s legitimate domains. In addition to creating fake email addresses from fraudulent domains, scammers also sometimes create fraudulent websites to imitate the genuine brand owner’s site.
Either fraudulent email addresses or fake websites using your company’s trademarks can provide a basis for notifications to registrants, registrars, privacy shields, and website hosts that the domain is unauthorized and incorporates the company’s protected intellectual property.
While scamming registrants are unlikely to respond, the hope is that registrars, privacy shields, and/or website hosts will unmask the registrants so you can locate the individuals behind the scam. Unfortunately, registrars, privacy shields, and/or website hosts aren’t obligated to disclose the registrants’ contact details and typically implement a balancing test to determine whether to release this information. Often, the response will be a denial coupled with a suggestion that the company instead file a complaint under the Uniform Domain Name Dispute-Resolution Policy (UDRP).
File a UDRP or Uniform Rapid Suspension (URS) complaint with a domain name arbitrator, or file a lawsuit. A UDRP complaint is a trademark-based domain name dispute initiated before an arbitrator alleging the registrant has registered and uses in bad faith a domain incorporating the company’s trademark. If a company wins, the registrar can cancel, suspend, or transfer the domain to the company.
Alternatively, a company can use the URS system, a rights protection mechanism that complements the existing UDRP by offering a cheaper, faster path to relief for clear-cut infringement cases. The key difference between a UDRP and a URS proceeding is that the former typically awards transfer of the domain registration outright, whereas the latter only suspends the domain for the remainder of its current registration.
Even if a scammer loses a UDRP or URS proceeding, it can easily register another domain name and continue its scheme, but by being aggressive, companies put scammers on notice that they won’t tolerate such misuse of their trademarks and other intellectual property.
Or, a company can file a lawsuit and tender the registrar with a court order or subpoena requiring disclosure of the registrant’s information, but this can be expensive.
Create and maintain internal policies and protocols. Companies should keep track of where jobs are posted and periodically monitor the Internet to ensure duplicates don’t appear on other websites. Your communications team should have verbiage prepared should jobseekers reach out to clarify whether a job posting is fraudulent. Those communications should include requests for the scammer’s communications and methods (e.g., email, job website, other website, social media, mobile app, etc.) and the links to use to report the scam to the Federal Bureau of Investigation (FBI) and Federal Trade Commission (FTC).
Finally, the company should have procedures to report any potential scams to in-house or outside counsel so further steps can be taken.
Order domain name watches, and defensively register domain names. Numerous watch platforms allow companies to monitor new domain name registrations for company trademark infringement. This can be a good way to identify an issue before scammers have the chance to contact unwitting jobseekers.
In addition, companies can register certain domain names to proactively block potential scams. Companies should consider securing various domain names across multiple top-level domains in different grammatical formats that could be leveraged for job scams.
Submit details of the scam to the FBI and FTC. If the scammers have successfully engaged jobseekers and obtained their PII or payment, encourage them to file reports with the FBI’s Internet Crime Complaint Center (IC3) and on the FTC’s fraud reporting page.
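The domain name watch step above can be backed by a simple triage filter over a feed of newly registered domains. The following is an added example, not part of the original article: the brand "examplecorp", the term list, and the sample feed are all constructed assumptions, modeled on the <companycareer.com> pattern described earlier.

```python
import re

# Assumed recruitment vocabulary; extend it with the terms your own postings use.
RECRUIT_TERMS = ("career", "job", "hiring", "recruit", "talent", "hr")
# Crude digit-for-letter folding so "examplec0rp" still matches the brand.
DIGIT_FOLD = str.maketrans("0135", "oles")

# Constructed sample feed of newly registered domains (not real data).
SAMPLE_FEED = [
    "examplecorpcareer.com",
    "examplecorp-jobs.net",
    "hr-examplec0rp.org",
    "examplecorp.com",
    "examplecorpfans.io",
    "unrelated-careers.com",
]


def classify(domain, brand, owned):
    """Return 'owned', 'recruitment-lookalike', 'brand-lookalike' or None."""
    domain = domain.strip().lower().rstrip(".")
    # The company's own domains and their subdomains are never flagged.
    if any(domain == o or domain.endswith("." + o) for o in owned):
        return "owned"
    # Drop the final label (the TLD); matching below is substring based,
    # so any leftover suffix label such as "co" does not affect the result.
    name = domain.rsplit(".", 1)[0]
    folded = re.sub(r"[^a-z0-9]", "", name).translate(DIGIT_FOLD)
    if brand not in folded:
        return None
    # What surrounds the brand decides the priority of the hit.
    remainder = folded.replace(brand, "", 1)
    if any(term in remainder for term in RECRUIT_TERMS):
        return "recruitment-lookalike"
    return "brand-lookalike"


def triage(feed, brand, owned):
    """Map each flagged domain in the feed to its verdict."""
    hits = {}
    for domain in feed:
        verdict = classify(domain, brand, owned)
        if verdict in ("recruitment-lookalike", "brand-lookalike"):
            hits[domain] = verdict
    return hits
```

Domains flagged as recruitment lookalikes are the ones to route first to counsel for the registrar notifications and UDRP or URS steps described above.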
Olivia M. Clavio is of counsel and James J. Saul is a partner at Faegre Drinker and can be reached at olivia.clavio@faegredrinker.com and james.saul@faegredrinker.com, respectively.