You are currently viewing Global threat actors are using the ‘Great Resignation’ to target job seekers

Global threat actors are using the ‘Great Resignation’ to target job seekers

If a job posting sounds too good or too weird to be true, it probably is. Global threat actors are taking advantage of “the great resignation” and targeting online job seekers with phishing links. At a Black Hat briefing this week, security experts explained where the hackers came from and how they were successful with their schemes.

PwC’s Global Threat Intelligence team has identified nation-state threat actors in Iran and North Korea as the primary culprits of phishing scams. According to Sveva Vittoria Scenarelli, senior cyber threat intelligence analyst at PwC, and Allison Wikoff, director of global threat intelligence at PwC, malicious groups are using email, social media and messaging apps to attract current employees. in leading companies.

The groups are also flooding job sites such as and LinkedIn with posts and messages describing lucrative opportunities for remote workers. But the posts and messages usually contain links to spoofed websites that install malware on your computer or mobile device.

What do hacker groups want?

Many of the threat actors behind post-employment phishing schemes have a long history of online crimes. Some groups are motivated by money, some want trade secrets and others seek to commit identity theft.

North Korean Black Alicanto is known in the cybersecurity community for targeting big players in the cryptocurrency market. Charming Kitten, an Iran-based group, targets journalists with phishing links in emails. Another Iran-based group, Yellow Liderc, targets American veterans looking for new jobs online.

Yellow Dev 13 is another Iranian group, and PwC presenters say the collective appears to be driven by espionage. The group creates websites for non-existent companies with fake recruiters and trainers. Yellow Dev 13 also posts elaborate profiles with AI-generated photos on social media sites claiming to be employee impersonations. These fake profiles can make it difficult for job seekers to verify that the recruiter contacting them is a real human offering them a legitimate job opportunity.

How to avoid job posting phishing scams

The most common tactic among threat actors is to send malicious links and attachments to their targets via emails or messages. To avoid being duped when looking for a job, Black Hat presenters recommended hovering your cursor over a link in an email to see if the web address looks legitimate. The problem with this advice is that it’s not hard to spoof the address of a legitimate website well enough to trick people into clicking on it.

Pop quiz, hotshot: Without entering these addresses into your search bar, what is the correct web address for the popular job search site Indeed?




The answer is B. If you do a Google search with the term “Indeed Jobs”, the results reveal that the first and second addresses listed above are for legitimate websites. is a site for people who want to work at Indeed, the job posting company. is for job seekers looking for jobs from other companies. is a fake address, and I advise you not to visit it, even out of curiosity.

I don’t recommend clicking on links or attachments in your emails or in LinkedIn messages you receive from senders you don’t recognize. This advice is doubly important when you are at work. Explaining to your manager that you infected the company’s network with malware because you opened a link to an amazing job opportunity at another company is not a good idea.

Recommended by our editors

Spotting a fake profile or job posting on LinkedIn

PwC presenters also said threat actors use social engineering methods to pressure victims into clicking on malicious links or opening attachments. Criminals can message their targets on WhatsApp or engage their victims on social media platforms such as Twitter and Facebook.

The presenters presented several screenshots showing AI-generated profile photos accompanying fake LinkedIn profiles. The presenters didn’t outline the specific characteristics to look for when determining if a profile picture contains an image of a real human, but urged Black Hat participants not to respond to posts from profiles that seem “a little off “.

Here are some red flags to watch out for when someone contacts you about a job on LinkedIn.

  • Look for grammar and spelling errors on the LinkedIn profile or job description. A wrong typo is not an indication of a fake post, but a job post riddled with weird colloquialisms and misspellings is one post to avoid.

  • Examine the professional history of the so-called recruiter. If he was an assistant baker at Publix three months ago, but his current title implies that he’s director of human resources at Google, don’t get involved.

  • Consider the interviewer’s conversational style. Currently, threat groups use very informal language when discussing with potential targets. The hiring manager at Meta probably won’t send you a direct message that just says “Hey.”

  • Pressure to respond in a short time. If the person messaging you says you need to click on the link they sent you in a few minutes or hours, or you’ll miss the opportunity, don’t respond.

If you encounter any of these warning signs while exchanging messages on LinkedIn, simply block the profile and move on. Don’t keep talking with scammers. They can extract valuable personal information from you via chat messages, even if you manage to avoid clicking on malicious links.

see something, say something

Finally, presenters called on employers to foster a climate of trust in the workplace. Understandably, most employees don’t feel comfortable telling their superiors that they think they’ve compromised the workplace by answering a question about a job opportunity. However, if the employee reports the phishing scam quickly, the company’s security team has a chance to mitigate the damage caused by the malware.

At PCMag, we’ve covered different ways to protect yourself from phishing scams, so check out our articles instead of clicking on a link from someone you don’t know.

Do you like what you read ?

Register for Security Watch newsletter for our top privacy and security stories delivered straight to your inbox.

This newsletter may contain advertisements, offers or affiliate links. Signing up for a newsletter indicates your consent to our Terms of Use and Privacy Policy. You can unsubscribe from newsletters at any time.

Leave a Reply