Cybersecurity and the recruitment process

Cybersecurity is an important subject, especially nowadays, when some say that information is worth more than gold. Despite growing awareness, many of us have, at least once in our lives, come across a phishing attempt on social media or received a suspicious e-mail. Furthermore, recruitment scams are still a thing. Scammers publish fake job advertisements offering attractive conditions, with the sole intention of obtaining personal data from candidates. However, is recruitment fraud a concern just for the candidates? How can we all take care of cybersecurity and protect ourselves from threats?

Conscious employees make a secure company

Each business has its own specifics and should prepare an internal security policy in advance. The document will not only help in case of a GDPR inspection but also help build awareness among employees working with sensitive data. It is worth making the team aware of more than just regulations and procedures. Moreover, cybersecurity training for office workers can be an excellent supplement and an attractive benefit too. At Transition Technologies PSC, we have recently participated in such training (conducted by Altkom Akademia), and it really got me thinking. I am pretty sure I was not the only one.

Usually, we rely on the IT department to take care of security. They implement a firewall or heuristic filtering and network traffic analysis to protect us from attacks and ensure cybersecurity. However, note that this does not guarantee 100% protection against data theft. It is still imperative that every employee is alert at all times. One of the organizational units exposed to attacks is the HR department, and especially recruiters. They publish their contact information on countless advertising portals or Facebook groups and send it in individual messages on LinkedIn. The truth is that the creativity of scammers is unlimited, and our recruiting deadlines can easily affect our vigilance.

We can encounter fraud at every stage of the recruitment process.

In this section, I present a few examples of hypothetical situations, as well as some that happened to me personally.

Dangerous content sent to the recruiter's e-mail is one of the most common situations. First, someone writes to the recruiter directly or via a recruitment alias and submits an application. Yet they do not provide any information on the job that they are interested in, or even the location. Finally, the message encourages you to open the attachments with the CV or other documents.

Another example: you receive a message with a link that is supposed to redirect you to the application and documents. It can also be a ZIP file (with the password provided in the same e-mail). All of this can turn out to be a dangerous trap.

Of course, such a situation may occur not only during the first stage of recruitment but anytime. Let’s say that the candidate has gone through the whole process, but we did not interview him with the ID card in hand. Under the pretext of sending scans of documents necessary for an employment contract, he may once again send us an infected file.

Moreover, a message with dangerous content may also be an advertisement for training courses or recruitment websites, offering an attractive price.

Keep in mind:

A message with a perfectly crafted attachment is one of the most popular forms of distributing viruses and other dangerous software. Such attachments can look like PDF files, graphic files, or many others. Be mindful and never open any files of unknown origin. You cannot assess the credibility of a link by opening it; by then it may already be too late. Always follow internal corporate security procedures to minimize risk. Check who the message sender is, and if you have any doubts, consult your local IT department.
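The warning signs described above (an attachment that only looks like a PDF, a password-protected ZIP whose password sits in the same e-mail, a link in the body) can be checked automatically before a recruiter ever opens the message. The following is an added example, not part of the original article; the flag names, the helper functions and the sample messages are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the file types a recruiter normally receives.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff", ".zip": b"PK\x03\x04"}

def triage(raw: bytes) -> list:
    """Return warning flags for one raw e-mail message (flag names are made up here)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    flags = ["link-in-body"] if re.search(r"https?://", text) else []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = name[name.rfind("."):] if "." in name else ""
        # The extension promises one format, but the content starts like another.
        if ext in MAGIC and not data.startswith(MAGIC[ext]):
            flags.append("type-mismatch:" + name)
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                encrypted = any(i.flag_bits & 0x1 for i in zf.infolist())
            if encrypted:
                flags.append("encrypted-zip:" + name)
                if re.search(r"\bpass(word|code)?\b", text, re.I):
                    flags.append("password-in-same-message")
    return flags

def sample(filename: str, payload: bytes, body: str) -> bytes:
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "applicant@example.com", "jobs@example.com", "Application"
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()

def fake_encrypted_zip() -> bytes:
    """Constructed archive: a harmless ZIP with the 'encrypted' flag bit set by hand."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("cv.txt", "x")
    data = bytearray(buf.getvalue())
    data[data.index(b"PK\x01\x02") + 8] |= 0x1  # central-directory flags, bit 0
    return bytes(data)
```

An empty list does not mean the message is safe; the flags only tell the recruiter when to stop and hand the e-mail to the IT department.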

Cybersecurity in real life

The fake candidate can easily prepare a CV (or LinkedIn profile) so that it perfectly meets the job requirements. Personal data from the CV does not have to be real either. The scammer usually does not even care about going through the recruitment process. Getting into the building can be enough. The market offers different kinds of spying devices that someone can easily install in a conference room. It takes just a few seconds. These devices can capture not only sounds but also images when connected to a projector or monitor.

A dangerous situation can happen if we leave the fraudster alone in a room, even for a while, to make our ‘candidate’ a coffee. By pretending to go to the toilet, he may also get access to other rooms and install spying devices there. Sometimes a glass of water just ‘accidentally’ tips over during the conversation and an additional stress factor appears. Then we recruiters leave the room to get a napkin and save the situation.

Stay vigilant, stay safe

Specialized spying devices are not the only danger. It can be any portable device, such as a flash drive, memory card, or even a USB hub, that we get at job fairs as an innocent gadget.

Once, a candidate whom I had asked to bring the documents necessary for the employment process brought me only a pendrive with their scans. Of course, I decided not to connect it, and the final stage of recruitment had to be postponed. I could have lost a candidate then, but I could have lost a lot more too.

Keep in mind:

Never connect devices of unknown origin to the computer. Be alert to situations when someone outside your organization might do it. The virus can activate automatically when the device is connected. Even if the content does not look suspicious, your system may already be infected.

Awareness is the key to Cybersecurity

In conclusion, just like any private mailbox, your company mailbox may end up with a message with questionable content. We receive dozens of e-mails every day. Some of them may not really come from a “system administrator” or a supposed candidate interested in our job offer. Due to fatigue, it is easier for us to underestimate the threat, and scammers are counting on it. The lack of attention only makes it easier for them, and one click can lead the company to huge losses.

If you want to know how we handle cybersecurity daily, in all processes, read this article.
