If you get an email from a big company saying you’re a match for a job, and then asks you to log in using Facebook, you’re staring down the barrel of a scam.
There’s a new scam every day, it seems, and while many look different, they all share something in common: urgency.
Whether it’s an urgent plea for money or an urgent cry out for your attention, scammers get their foot in the door by grabbing you in the feels and shouting about supposedly important matters. Your password has been used, your details have been breached, someone has stolen your credit card and you need to check with the company, and so on and so on.
Jobs and employment are yet another approach scammers can try, and based on what we’re seeing, it’s one that could lead you to lose your Facebook access, and possibly a lot more.
Scammers purporting to be big hotel chains are sending out emails en masse, with Salesforce the platform of choice for a scam that popped up this week. The email is a bit of a lure, advising people their background has been reviewed and some jobs are available, with a shiny “Get Started” button waiting to be pressed.
Click that, however, and you’ll be drawn into a scam, as your details are captured for an interview. What’s going on?
What is a fake job scam?
A great job out of the blue seems too good to be true, and in this economy, it definitely is.
While you could always be head-hunted for your next role, it’s unlikely that a large company is going to come along and swoop you up without you being aware that it’s happening. This isn’t The Simpsons; Hank Scorpio isn’t eyeing you for a position at Cypress Creek.
However, that doesn’t stop people from believing, particularly if there’s a possibility of a more lucrative higher paying job at the end of the rainbow.
Scams built around employment are going to make you give up your hopes, but that’s not all. Criminals can’t get rich off your hopes and dreams being dashed, and there’s typically a totally different reason for pulling you in: your details.
Your email address. Your password. Your login details for big services, particularly when there’s a possibility they’ll be shared with a variety of services.
Scammers want your details to break into your accounts. Once they have those details, it’s open slather on your information, and potentially your bank account and other forms of ID. And even if your bank details aren’t attached, your social account can be used to spread this attack to your friends, opening the attack up to more people you know.
“While not new, these [employment] schemes have evolved rapidly, fuelled by the digital shift to online job hunting, remote work, and advances in AI,” said Tyler McGee, Head of the Asia Pacific region for McAfee.
“It’s never been easier for scammers to generate convincing, large-scale phishing emails, making it harder for job seekers to tell legitimate opportunities from fraud,” he said.
How to tell a scam employment job ad
Every scam has its tell because it is just that: a scam.
And fake job emails typically have a combination of tells because of the type of scam that they are: email and web.
You see, scammers can’t just use the domain of a large company, the www-dot-whatever that represents an official company. Those belong to the real companies, and scammers don’t have access to them. So, just as phishing websites often use something similar or incredibly outlandish in place of the real domain, the same happens with emails.
When you get a random job advertisement email purporting to be from a major company, looking at the sender email address is your first sign of a scam.
In this example, the “Marriott International” email didn’t come from Marriott, but rather an automated bunch of variables from the Salesforce system. Even if Marriott used the Salesforce platform, we’d be surprised if the company didn’t have a proper domain set up.
Next is the link in the button on the form.
Again, scammers can’t host their scams on the real website, and have to use something similar or outlandish. Both of those are in play here.
The link you’re being asked to click on is outlandish because it’s a redirection system and a tracker, while the site you’re being directed to is a small site a scammer has made on the app and microsite building platform Vercel. That’s not Vercel’s problem; it’s just being used by scammers for a scam.
It’s here that the scam gets murky, but still offers some clear tells scammers almost never flesh out.
The scam is a deliberate attempt to get you to log in to Facebook by loading a fake version of Facebook. Apparently for this job advertisement to work, Marriott needs access to your Facebook, even though nothing about that makes sense.
It’s a phishing site, or more specifically, a phishing version of Facebook.
What you should do is look for details, such as clicking any of the Privacy Policy or Terms of Service links, which go nowhere on this scam.
And then, if you click deep enough to be told to log in to Facebook, you’ll find your email and password logins don’t automatically load.
That’s because you’re not actually at Facebook. You only need to glance at the URL at the top of the browser to see it’s not Facebook up there. This is a lookalike site designed to scam you, waiting for you to enter your details and give them to a scammer.
“By replicating the look and feel of well-known companies and directing users to fraudulent Facebook screens, these attackers aim to steal passwords and account details,” said McGee.
“Once credentials are entered, scammers gain access to the victim’s account, often using it to send malicious links to their contacts and further spread the scam,” he said.
“Their ultimate goal: harvesting sensitive information for financial gain, identity theft, or exploiting the victim’s social network.”
The clearest tip to winning against scammers
To avoid falling into the scammer’s trap, don’t just enter your information blindly. Check where you are, and ask yourself, “does this look legit?”
Scammers prey on a sense of urgency, and a hope that you won’t look at the details. Specific details, such as the website, the wording, and the way the whole experience looks and feels.
While AI has helped criminals improve the last two, they’ll never get the first right, because they can’t.
Criminals can’t just occupy a major company’s website, but many also know that regular people don’t know that. Fortunately, you can prove them wrong.
Always check the website’s URL and the email address of something you’re sent, especially when you’re not sure about it.
Ensure you check the website you visit and the domain you’re at, and you’ll quickly find out where you are. Scammers can’t fake the real site, and your browser’s saved passwords (or your password manager) know the difference precisely because the domain is different.
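The two checks above (sender domain and link destination) can be written down as a small script. This is an added example, not code from the article or from any company it mentions; it assumes the brand’s real domain is marriott.com and uses constructed placeholder domains for the scam email.

```python
from urllib.parse import urlparse, parse_qs
from email.utils import parseaddr

# Assumption for this example: the brand's real registrable domain is marriott.com.
EXPECTED_DOMAIN = "marriott.com"


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a production check should use
    the Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(from_header: str) -> str:
    """Domain of the real address, ignoring the display name a scammer controls."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def embedded_redirect(url: str) -> str:
    """Return a URL hidden in a query parameter (the tracker/redirector tell), else ''."""
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            if v.startswith(("http://", "https://")):
                return v
    return ""


def link_verdict(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """'ok' on the brand's own domain; 'lookalike' when the brand name sits on someone
    else's domain; 'redirect' for tracker links; otherwise 'foreign'."""
    if embedded_redirect(url):
        return "redirect"
    host = urlparse(url).hostname or ""
    if registrable_domain(host) == expected:
        return "ok"
    return "lookalike" if expected.split(".")[0] in host else "foreign"


def assess(from_header: str, urls: list, expected: str = EXPECTED_DOMAIN) -> list:
    """Collect the tells: a sender domain and link hosts that are not the brand's."""
    findings = []
    sd = sender_domain(from_header)
    if registrable_domain(sd) != expected:
        findings.append(f"sender domain {sd} is not {expected}")
    for url in urls:
        verdict = link_verdict(url, expected)
        if verdict != "ok":
            findings.append(f"{verdict} link: {urlparse(url).hostname}")
    return findings


# Constructed sample of the lure described above (placeholder domains, not real ones).
SAMPLE_FROM = "Marriott International <noreply@bulkmail.example.net>"
SAMPLE_URLS = ["https://track.example.net/r?u=https://marriott-jobs.example.org/start",
               "https://marriott-jobs.example.org/login"]
```

Running `assess(SAMPLE_FROM, SAMPLE_URLS)` reports three findings for the constructed lure, and an empty list for mail and links that really come from the expected domain.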