Cybercrooks target students with fake job opportunities
Legit employers don't normally send a check before you've started – or ask you to send money to a Bitcoin address
Scammers appear to be targeting university students looking to kickstart their careers, according to research from cybersecurity biz Proofpoint.
From the department of "if it's too good to be true, it probably is" comes a study in which Proofpoint staffers responded to enticement emails to see what would happen.
This particular threat comes in the wake of COVID-19, with people open to working from home and so perhaps more susceptible. "Threat actors use the promise of easy money working from home to collect personal data, steal money, or convince victims to unwillingly participate in illegal activities, such as money laundering," the researchers said.
"The threat, called employment fraud, almost exclusively impacts higher education."
Employment fraud has many forms, where victims are presented with what looks like a legitimate offer and end up handing over all manner of confidential information. Researchers found potential roles including mystery shoppers, caregivers, personal assistants, and so on. In some instances, victims ended up unwittingly committing crimes.
There was also evidence of Advanced Fee Fraud (AFF), where an attacker seeks to extract a relatively small amount of cash from the victim in exchange for the promise of a big payout later.
Researchers found that the threats disproportionately affected students at colleges and universities (although staff at the institutions were also targeted). The majority of targets were based in the US, although European and Australian institutions did not evade the attention of miscreants.
Why universities? Proofpoint pointed to students being more open to remote opportunities and international students not being as quick to spot some of the telltale signs of a fraudulent email as a native English speaker. Rising costs are also making the lure of easy money all the more tempting.
- IcedID malware, in the hijacked email thread, with the insecure Exchange servers
- Sophos fixes critical hijack flaw in firewall offering
- Google Chrome, Microsoft Edge patched in race against exploitation
- China APT group using Russia invasion, COVID-19 in phishing attacks
The researchers took one for the team and responded to a pair of emails to see what would happen. One that purported be from UNICEF for an Executive Personal Assistant and another for a modeling assignment.
In both cases, the interactions were impressively sophisticated.
For the UNICEF scam, victims were sent to a Google Form where personal data was collected. A scammer then contacted the victim, asking for more information and giving details on the fake position itself, including "buying and distributing toys for 'orphanage homes.'"
The researcher was sent a fake cashier's check for $950 followed by a bigger fraudulent check for $1,950. They were then asked (after a balance check) to send $1,000 to one of the supported "orphanages" with a Bitcoin address used for follow-up payments. The fake checks meant the victim would be sending their own money, Proofpoint said.
While UNICEF is aware of scams in its name and has put out an advisory on the matter, miscreants have a variety of weapons in their armory, as evidenced by the modeling assignment to which a Proofpoint researcher responded.
This time a threat actor pretended to be from an agency seeking models for a Los Angeles shoot. A fake check for $4,950 was emailed as a fee, and $100 in cryptocurrency was requested in order to cover the "shipping" of items needed for the photoshoot.
While dodging scams seems straightforward (employers don't usually send out checks before the first day of work and legitimate organisations rarely make use of freebie email accounts to send out unsolicited offers), the victims being targeted might be blinded by the fake opportunity. ®