How to Tell a Job Offer from an ID Theft Trap (krebsonsecurity.com)
200 points by etxm 66 days ago | hide | past | favorite | 80 comments



If you have fallen for one of these scams the worst thing you can do is ignore it out of embarrassment. There are people who can help before it goes too far.

In the USA you can contact: https://www.usa.gov/identity-theft

In the UK: https://www.actionfraud.police.uk/

Most countries will have a government organisation that can help you so don't disrepair.


*despair


Haha, sorry yes you’re quite right, should be “despair”. I’ll blame autocorrect but it’s still quite funny.


I for one feel that "don't disrepair" is a great fit for that sentence and will be adding it to my lexicon


EDIT: I just checked Wiktionary and it seems that it's quite a legit usage:

Disrepair (noun) - The state of being in poor condition, in need of repair.

Disrepair (verb, intransitive, rare) To get into a state of disrepair.


The core part of that definition is “in need of repair”. It’s “in poor condition because it’s broken,” not “in poor condition because it’s depressed.”

The OP just made an honest typo, it shouldn’t detract from their post, let’s move along. :)

P.S. Personally, I also thought fakedang’s comment was fine. Just a helpful little note in case anyone was confused.


Please don't make corrections that are not necessary for readers to understand the comment. This is one of the most annoying things about sites like Reddit.


The correction helped me understand the comment. There may also be non-native speakers or people using translators.


The meaning in this case would have come out to be roughly the same, as explored in another comment thread. Sometimes I'm sure it's helpful but most of the time it just adds noise.


I had a phone interview with a guy in India who was hiring for a company local to me in USA. He couldn't tell me anything whatsoever about the actual job, who'd be on the team, what I'd be doing. All he did was ask me complimentary questions and praise my qualifications.

Then at the end of this supposed screen, he asks for my DOB. "Uhm, why do you need that?" "It's not important, you can even give me a fake birthday". I ended the discussion there. He knew nothing and wanted my personal info and then told me I could even fake it. Wtf?


Not sure why they’d ask for a US applicant, but a lot of countries’ job application/interview processes make the US and Canada look very progressive. Maybe they hardcoded the DOB box.

Things that are common in various other countries: including a selfie with your application, DOB, marital status, citizenships.


That actually sounds pretty legit.


> Job postings appear on job boards, but not on the companies’ websites.

This is very common for legitimate job offers. And probably makes sense since many companies see almost no traffic from potential hires.


Additionally, many companies use third party recruiters or an outsourced recruiting department, where the email domain may not match the company domain. And often refer you to a different third party for identity/credential verification.

It's more like the industry has configured itself in such a way that it's indistinguishable from phishing. Like the insurance industry.


The endgame was to offer a job based on successful completion of a background check, which obviously requires entering personal information.

If that isn’t the absolute final step to becoming an employee there is a huge problem. Contact the potential employer using contact information from their website and verify the legitimacy of the opportunity before submitting any personal information beyond a resume.


What's the point? Whether a background check is performed before or after an actual offer is basically just semantics. What's the difference between not getting an offer if you fail the check first, or having it rescinded if you fail the check immediately after?

It's pretty easy for a scammer to put together a fake offer letter to send over email.

Heck, some companies perform background checks before you can even interview, which saves time and effort on both sides. Nothing inherently wrong with that either.

The overarching point remains: any time you give out your identity info, verify whoever you're talking to is legit -- whether a bank, company, or recruiter.


> What's the difference between not getting an offer if you fail the check first, or having it rescinded if you fail the check immediately after?

The difference is that at some point you have to notify your current employer that you'll be leaving. You probably do that after receiving the offer letter, so if you never get one, at least you still get to keep your old job.


I've interviewed with a reputable company (mentioned on HN frequently) that performs background checks before interviewing you on-site.


Unfortunately some companies have completely outsourced their hiring.


As a bonus, these are also the telltale signs that you're being recruited into a pyramid scheme.

> -Interviews are not conducted in-person or through a secure video call.

> -Potential employers contact victims through non-company email domains and teleconference applications.

> -Potential employers require employees to purchase start-up equipment from the company.

> -Potential employers require employees to pay upfront for background investigations or screenings.

> -Potential employers request credit card information.

> -Potential employers send an employment contract to physically sign asking for PII.

> -Job postings appear on job boards, but not on the companies’ websites.

> -Recruiters or managers do not have profiles on the job board, or the profiles do not seem to fit their roles.


Scroll all the way to the end for the short, bullet-point answer to the question.

(The rest of the article is an anecdote. I kind of feel stupid for reading all of that now.)


As per the FBI:

"Here are some other telltale signs of a job scam, as per the FBI:

-Interviews are not conducted in-person or through a secure video call.

-Potential employers contact victims through non-company email domains and teleconference applications.

-Potential employers require employees to purchase start-up equipment from the company.

-Potential employers require employees to pay upfront for background investigations or screenings.

-Potential employers request credit card information.

-Potential employers send an employment contract to physically sign asking for PII.

-Job postings appear on job boards, but not on the companies’ websites.

-Recruiters or managers do not have profiles on the job board, or the profiles do not seem to fit their roles."


I’m always amazed that just slightly better grammar would increase the scammers' success rate by miles.

There is no way I would read the correspondence as legit, but it’s not bad and given the return on the scam it’s wild that they don’t slightly improve that step.


I understand that it selects for the kind of people who are more likely to be taken in by the whole thing. The scammers don't want to waste their time with people who will drop out of the process before handing over what the scammer wants, and if the number of people who will drop out is high enough, it becomes unprofitable; the scammer needs good leads who are more likely to be taken in.

Here's a piece from MS Research coming to that conclusion ("By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select")

https://www.microsoft.com/en-us/research/wp-content/uploads/...


Why would this not be correlation, not causation?

I struggle to believe that most scammers in the world are so good that they make deliberate mistakes in their letters to reduce the false positive rate. A more realistic solution is that the average scammer is not well educated; he makes mistakes unintentionally, and out of pure luck it works well for him.

About why they say they are from Nigeria, I'd say that the simpler the scam is, the easier it is to pull. If you communicate via voice, it is hard to properly mask accents. If you are sending something via money transfer, the destination address is obvious as well.


> I struggle to believe that most scammers in the world are so good that they make deliberate mistakes in their letters to reduce the false positive rate. A more realistic solution is that the average scammer is not well educated; he makes mistakes unintentionally, and out of pure luck it works well for him.

These people are doing it as their actual job.

The scammers are not kids who are having fun with a prank, or hobbyists who make mistakes because they do not spend enough time on the task. The scammers are smart human beings who do their jobs, as professionally as they can.

If they wanted a foolproof version of their text, they would be able to find an automated correction tool (e.g. on Gmail), or to ask someone to proof-read it. The fact that they do not is a hint that it is either a waste of time from their perspective, or detrimental to the efficiency of their jobs.


Yes. Many scam operations are full-fledged "companies" which operate out of commercial office space and have a payroll of employees who show up to work every day Monday to Friday and scam people as if it was a normal job.

This is a fascinating YouTube series from a guy who managed to hack into the IT system of an Indian scam operation (including gaining live access to their security camera footage!) It goes into a lot of detail about how this particular outfit operates:

https://m.youtube.com/watch?v=le71yVPh4uk


The scammers don't have to be that good, as this is Darwin in action: scammers with bad strategies are easier to catch and less likely to make money. Evolution predicts that, if being a worse speller makes you a better scammer, after a while the average scammer spells worse. Having a good brain is actually a disadvantage here.


It seems it wouldn’t need to be an intentional strategy, but could be selection pressure.

If it is an effective strategy, then scammers who have better grammar may find their scams less profitable, and move on to other jobs. While scammers that have worse grammar end up being more successful, so decide to continue.

(I’m not saying this strategy is effective, or that this is the mechanism that explains the relationship, just offering one possible explanation)


Yeah, that urban legend is often repeated but it doesn't stand up to much scrutiny.


I wonder if there's something similar with apps and JS heavy websites.


This might be intentional. The better the grammar the harder they have to try throughout the entire process.

Getting grammar wrong likely attracts the level of sophistication required to make the scammers job easy.


That seems to be the case [1]

"Therefore, it's in the scammers' best interest to minimize the number of false positives who cost them effort but never send them cash. By sending an initial email that's obvious in its shortcomings, the scammers are isolating the most gullible targets"

[1] https://www.businessinsider.com/why-nigerian-scam-emails-are...


Interesting. You think it’s a deliberate verbal IQ filter implemented by the scammers?


IQ is not a meaningful shorthand for anything, but yes, they want to catch the "idiot in a hurry", not someone who's paying enough attention that they could be set off by some smaller mistake later into the process, wasting the scammer's time.


If IQ wasn’t a meaningful shorthand for anything it wouldn’t show positive returns for higher amounts at every level we’re aware of.

> Can You Ever Be Too Smart for Your Own Good? Comparing Linear and Nonlinear Effects of Cognitive Ability on Life Outcomes

> Despite a long-standing expert consensus about the importance of cognitive ability for life outcomes, contrary views continue to proliferate in scholarly and popular literature. This divergence of beliefs presents an obstacle for evidence-based policymaking and decision-making in a variety of settings. One commonly held idea is that greater cognitive ability does not matter or is actually harmful beyond a certain point (sometimes stated as > 100 or 120 IQ points). We empirically tested these notions using data from four longitudinal, representative cohort studies comprising 48,558 participants in the United States and United Kingdom from 1957 to the present. We found that ability measured in youth has a positive association with most occupational, educational, health, and social outcomes later in life. Most effects were characterized by a moderate to strong linear trend or a practically null effect (mean R2 range = .002–.256). Nearly all nonlinear effects were practically insignificant in magnitude (mean incremental R2 = .001) or were not replicated across cohorts or survey waves. We found no support for any downside to higher ability and no evidence for a threshold beyond which greater scores cease to be beneficial. Thus, greater cognitive ability is generally advantageous—and virtually never detrimental. https://www.gwern.net/docs/iq/2021-brown.pdf


IQ was literally invented by a believer in "race science" and has been used to discriminate against ethnic minorities. That's its original function and its limitations are why it has been discredited by many sociologists for a long time.

IQ measures how good people are at IQ tests. As much as some people like to pretend otherwise, it does not measure "intelligence" by any meaningful definition and certainly nothing inherent or genetic. If you improve socioeconomic factors, IQ rises almost automatically.

People who do well in life don't generally score higher in IQ tests, they score higher in IQ tests because they had the means (access to education, parental wealth, access to mentoring and care as a child, etc) to do well in life in the first place.

The paper you're citing is guilty of HN's favorite academic crime: Correlation does not imply causation.

Inversely, we've seen plenty of historical evidence of higher IQ scores in groups being directly influenced by socioeconomic factors in populations where these factors have changed. It has also been demonstrated that training for IQ tests (or growing up in an education system that routinely uses similar exercises) improves the scoring on those tests.

IQ is a shitty shorthand because there are far more reliable factors you can use instead (e.g. generational poverty) in most scenarios without bringing an arbitrary metric in that only exists because of one scientist's obsession with demonstrating the superiority of the White race (followed by post-hoc rationalizations about Asians actually being "too smart" and thus still inferior, because that's the kind of nonsense you end up with by narrowly hyperfocusing on one made up stat so you don't have to deal with the complexity of socioeconomics).


Seems like I recall reading an article that stated very high IQ corresponded to lower income and career success due to churn in their careers due to boredom factors. This makes intuitive sense as well.


Who suggested that being intelligent was bad? The problem is that there's no "universal intelligence test", and reducing human intelligence to IQ testing is what those "race science" people do.


There's a lack of self-awareness about language ability deficiencies in certain countries where a coarse, pidgin-like "English" has developed without feedback from the rest of the English-speaking world.


I need a guide on how to tell if a job advertisement is legit and not just to stuff the drawer in case they do want to hire some day.


>...at a Gmail address...

That's a fairly big red flag these days, even if the company is actually using free email.


I've interacted with a bunch of legitimate recruiters, journalists, etc. who do business over a personal Gmail account. Even at major media organizations.

I don't know why, but unfortunately it's not actually a red flag at all. It's shockingly common.


> I don't know why

Makes it easier to take connections with you to the next job maybe?


Oh, you must be right. That's almost certainly it, since it applies to both recruiters and journalists, and both of them make a living off their connections.


So their tactic should be to offer jobs at Google.


If you're getting a job reference to work at google from a gmail address that should be an even redder flag.


totallyLegitRecruiter@mail.com


Luckily for me it's very obvious. I've had "job offers" on LinkedIn that were so obviously a scam it was hilarious.

I'm from a small town of about 50,000 people but 45 minutes away is a small fishing village of about 100 people. The scammers say they are from large tech companies based in that town. Yes based in that town of 100 people, maybe they catch fish on the side? That town was and is somehow always picked by scammers. I've seen "hot girls in your area" ads pick the same town.

If it had been my town, with a more believable profile, maybe mixing up the ethnicity of the profiles more, and not being so incredibly obviously a scam, they may have got me.


What can we do to protect our companies' names from being exploited this way? Social media monitoring?


Alternatively to the GPG route, maybe just post the domains which approved recruiters would ever be messaging candidates from. This would go a long way in countering scammers that don't have access to a compromised recruiter account, for example.
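One way a candidate (or a company's own abuse team) could operationalize the published-domain idea from the comment above, as an added example that is not from this thread, Krebs's article, or any company's code: parse a received message, compare its sender domain against the list of approved recruiting domains, and flag the classic mismatches (a display name borrowing the company's brand while the mailbox is at a free-mail provider, a Reply-To that redirects to a different domain, a non-ASCII look-alike domain). The allowlist `APPROVED_RECRUITING_DOMAINS` and the three sample messages are constructed for the example; `.example` and `.test` are reserved names, not real domains.

```python
"""Check a recruiter e-mail's sender against a company's published allowlist of
recruiting domains. Added example; the allowlist and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allowlist a company would publish on its own careers page.
APPROVED_RECRUITING_DOMAINS = {"example.com", "talent-agency.example"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rpartition("@")[2].strip().lower()


def domain_is_approved(domain: str, approved) -> bool:
    """Exact match or a proper subdomain of an approved domain.

    The leading dot matters: 'hr.example.com' passes, while 'notexample.com'
    and 'example.com.evil.test' do not.
    """
    return any(domain == a or domain.endswith("." + a) for a in approved)


def check_recruiter_email(raw_message: str, approved=APPROVED_RECRUITING_DOMAINS) -> dict:
    """Score a raw RFC 5322 message against the allowlist.

    Returns {'from_domain', 'reply_to_domain', 'approved', 'reasons'}; 'approved'
    is True only when nothing about the sender headers looks off.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)
    reasons = []

    if not from_domain:
        reasons.append("no parseable sender address")
    elif not from_domain.isascii():
        reasons.append("non-ASCII characters in sender domain (possible look-alike)")
    elif not domain_is_approved(from_domain, approved):
        reasons.append(f"sender domain {from_domain!r} is not on the published allowlist")

    # Display name that borrows the company's brand while the mailbox is elsewhere.
    if from_domain and not domain_is_approved(from_domain, approved):
        for a in approved:
            brand = a.split(".")[0]
            if brand in display_name.lower():
                reasons.append(f"display name mentions {brand!r} but mailbox is at {from_domain!r}")
                break

    # Replies silently redirected to a domain that is neither the sender's nor approved.
    if reply_domain and reply_domain != from_domain and not domain_is_approved(reply_domain, approved):
        reasons.append(f"Reply-To goes to {reply_domain!r}, not the sender's domain")

    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "approved": not reasons, "reasons": reasons}


# Constructed sample messages (headers, blank line, body).
LEGIT = """From: Jane Recruiter <jane@hr.example.com>
To: candidate@mail.test
Subject: Interview scheduling

Hi, can we set up a video call this week?
"""

FREEMAIL = """From: "Example Corp Recruiting" <example.corp.hiring@gmail.com>
To: candidate@mail.test
Subject: Job offer - urgent

Please send your date of birth and SSN to start the background check.
"""

REDIRECT = """From: Bob Hiring <bob@example.com>
Reply-To: bob-hr@mail.test
To: candidate@mail.test
Subject: Offer letter attached

Reply with your bank details for payroll setup.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("freemail", FREEMAIL), ("redirect", REDIRECT)):
        print(name, check_recruiter_email(raw))
```

The subdomain rule is the part worth thinking about: matching on a suffix with the leading dot is what keeps `hr.example.com` in and `notexample.com` out, and the look-alike `example.com.evil.test` fails because it does not end in `.example.com`. This check only covers header-level mismatches; it does not replace contacting the company through contact details taken from its own website, which several comments in the thread recommend.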


Honestly I don't think there's anything you can do.

In the same way you should call banks back when they call you and need a PIN or something, you need to similarly contact companies directly when they ask for an SSN or something.

As a general rule, companies can't protect individuals from being scammed in the name of the company (except for basic things like HTTPS, etc.). It's up to individuals.


Sign all emails with GPG. Display public keys of each recruiter on website.


... after sending each recruiter to a week-long GPG training class.


Most recruiters who call me have a pretty poor command of the language and very few even speak clearly on the phone because they've left the same message 1000 times already. Expecting them to sign emails is expecting far too much.


I had someone claiming to be a recruiter contact me on iMessage. He wanted a software engineer for NordVPN ASAP WITH REALLY HIGH SALARY.

His sense of urgency, the emphasis on high salary AND contact channel screamed scam.

(Instablocked)


step 1: did you apply for it...? yes / no > yes: it's more than likely real, but remember with anything always go directly to the source and don't click links willy nilly.

> no: then it's 99.9% fake / phishing.

Surprisingly these attacks and other forms of phishing are on the rise ever since that facebook leak... coincidence? that joincidence with a c! ;)


In IT I get "cold" offers all the time. If you have a decent LinkedIn page, you'll get approaches from recruiters all the time.


My biggest annoyance is with the company General Motors who requires your entire social security number to be interviewed contract.

This means giving your SSN to a random person calling. Every GM recruiting house has to do this.

Not even worth it; the other auto companies pay just as well (minus Tesla).


Tons of organizations require your SSN to "put you in the system", including most higher ed institutions. And if you're hired, they'll need it legitimately anyways.

So while not ideal, this doesn't feel particularly egregious to me. Of course, like any time you give out your SSN, you need to verify you're entering it on a legitimate site, or that you're dealing with a legitimate recruiter.

Pretty much every recruiting process at any large company has dumb policies, sadly. If something this small makes it "not worth it", I doubt any of the other companies would be "worth it" for you either.


I never give out my SSN to anybody who isn’t a bank, current employer, or government agency, except in really special circumstances.

Doctors tend to be major offenders here - their forms always ask for SSN. I never fill it in and they often don’t even ask a follow-up. But when they do, I’ve almost always been able to still get out of it by telling them that I don’t give it out to anyone ever. Or I don’t remember it.


Unless I am legally required to give my correct SSN, I just fill it in with one digit off. If they catch it, then they obviously were able to learn my SSN by another method. Otherwise, I'm doing my part to salt my public records with disinformation.


So what do you do when your background check comes back empty and you can't rent an apartment because the landlord won't offer you a lease without it?


That "background check" service would be a joke, and out of business almost immediately. Let's say it was a lease application. I certainly am giving my real name, previous addresses, real phone number, real email address, real age, etc. So I enter my SSN with an off by one digit (human typing error, oh my) and this "service" doesn't know my real SSN, a list of every other SSN I ever entered, and 300 other data points about me, in a few milliseconds? That is a rather naive view of the personal data industry, at least in the US. Just the targetable list of items Facebook knows about you (whether you have an account or not, shadow accounts and all that) is rather impressive. The shadow data aggregation industry knows tons more, because all the websites and Visa and everybody is sharing behind the scenes. I'm trying to imagine any adult in the US today coming back with an "empty" background check. Maybe the Unabomber, living in a cabin. Normal people, not so much.


Apply for an apartment that isn't running a background check on its applicants.

Is that actually a thing in America?


Of course. Landlords select tenants who are more likely to pay their bills and not run a meth lab -- with a better credit score, less debt, no criminal record, that sort of thing.

When it can take many months to evict a tenant who stops paying their bills, all of which is lost income plus then the cost of finding a new tenant, minimizing the probability of that is a landlord's top priority. Frankly, they'd be insane not to.

It's pretty standard to require a year or two of the first couple pages of your tax returns, and 2-3 months of bank statements, to prove your income as well, since standard background/credit checks don't have that.

Why, where do you live? Do landlords not require all this there?


In both Australia and the UK, the most I've needed is proof of having a job (first page of a work contract).

Yes it takes a while to evict people and agents have a shared blacklist of tenants who didn't pay their bills but it is expected that the house owner has insurance to cover damages and loss of income, just a part of being a landlord.

Australia has a specific magistrates court for dealing with those issues and unscrupulous landlords or tenants, for example.


Very interesting, thanks!

I'm actually quite curious then -- if a landlord has, say, 5 different prospective tenants, then how do they choose?

Because in NYC the landlord will take offers from those 5 tenants, run checks, and then pick the one who seems least likely to default.

In Australia and the UK is it the same, but they just go with more of their gut feeling or something, rather than hard data? Or is it primarily income listed on the work contract but they can't find out about debts?


In Australia you may also be asked to provide a copy of your rent payment history.

Edit:

>It's pretty standard to require a year or two of the first couple pages of your tax returns, and 2-3 months of bank statements, to prove your income as well, since standard background/credit checks don't have that.

That sounds insane to me.


In Seattle hand-picking like this is explicitly illegal; selection criteria have to be published beforehand and the first qualifying applicant accepted.


They ask questions about your income in applications to make sure you can afford the rent.

I obviously can't speak for how they pick, but I think it's usually a case of the first application that meets the affordability criteria and has rental history or references.

They take offers on higher rent in a hot market.

Or maybe I've just been very lucky and had kind agents.


In Canada, I’ve never once had to give over an SSN or do a credit check. The American landlords are being abusive and invasive.


It has to be done because of anti-discrimination laws.

Refuse to rent to someone who you met in person and is an obvious meth head who will totally trash the apartment the second they acquire it, who obviously has no job and will never pay rent? Well, you "must" have learned of some protected characteristic too and therefore you just discriminated against them.

Refuse to rent to someone because "computer says no"? You're fine.


That's fair enough with small doctor's offices.

I'm just saying, if you're dealing with recruiting at a large corporation and they need an SSN to start the process, that seems like one of those special circumstances it makes sense to make an exception for.


>My biggest annoyance is with the company General Motors who requires your entire social security number to be interviewed contract.

When did you experience this? Was it recent? I've interviewed for multiple jobs at GM over the years (multiple locations, not just Detroit) and I've never been asked for my SSN. The last one was in 2016, and I even got an offer (that I turned down) - they never asked for my SSN but did say it was needed for the background check if I had accepted the offer.

At a previous job I worked for a GM vendor. So I interacted with a lot of GM folks and did some of their required virtual training associated with the ignition switch scandal and being able to communicate those types of violations up the chain. It really seemed to me that GM is very careful about any type of situation that could result in lawsuit.

If they are asking for SSN's now as part of the recruiting process, that strikes me as really strange.


It was 2019.


Not just for interviewing.

When I bought my first car, a fraternity brother of mine was able to get me a GM Friends and Family Discount. He wound up having to get my SSN to give to his father so that his father could get it put 'in the system'. Which at the time (2006) may or may not have involved others handling that info in the process.

Not gonna lie, if it wasn't for how long I'd known him etc, I would not have believed that GM would use such a thing.


2006 was back when GMAC (now Ally) was the company's biggest profit center. I'm sure they checked credit and made an effort to finance your purchase.

Also, those programs have limits on how many times and how frequently an individual can take advantage of them. They may have used your SSN as the unique identifier to ensure you aren't exceeding the program limits. Not ideal obviously but really not all that unusual.


Doesn't Tesla pay more than GM?


The only way I can see that being possible is if you got a stock option and survived long enough for it to vest.

But that's extremely high risk to take a 30-50k pay cut and move from highly affordable Michigan to Cali. All to bet it on stocks.

Source: in 2017 a recruiter was offering 80k; I was making 120k (40hr/week). Bonus points for the recruiter harassing me multiple times about "not changing the world" until I finally told him that I needed to hang up.



