Phishing Scams and Finding a Job – The Importance of Constant Vigilance, Pt. 2
Are you considering a job with Unbounce? Please check out our careers site here for a list of our current openings, and apply through our careers site directly.
A few days ago, I was packing up my laptop into my backpack and getting ready to head out into a typical Vancouver summer day (it was raining and grey). As I approached the door to leave, someone arrived looking for some help. I happily greeted them, eager to answer any questions and be of service, since it was almost 6pm and most Unbouncers had gone home for the day.
Luckily, he was inquiring about a job he had applied for. Perfect, I thought, as our Director of People & Culture, I can help him. He began explaining that he had received a job offer from someone on my team, and wanted to check in on it since it had been a few days, and he hadn’t heard back from us. He was REALLY excited about the prospect of working at Unbounce, and I was REALLY confused.
His name hadn’t come up in my conversations with the recruitment team, and he mentioned an “Online Services Manager” job, a position we don’t (and have never) recruited for.
I asked him to show me the email, so he did on his phone. It was indeed from someone I’ve never heard of, relating to a job we don’t have at Unbounce, with benefits different to those we offer.
“Michel Pierre” was impersonating an Unbounce employee, and trying to recruit unsuspecting and hopeful candidates for a (fake) remote position with Unbounce. It became immediately clear to me that this candidate who had stopped by our office, and likely others, were the victims of a very creative phishing scam.
Back in October 2015, our Director of Finance, Mike Tan, wrote about Spear Phishing And The Importance of Constant Vigilance. At the time, Mike had been hit with a direct attack in an attempt to redirect Unbounce funds by impersonating our CEO. This is the most common type of phishing we see around here. This new scam had a level of detail and commitment beyond anything we’ve seen.
Fast forward a few days from learning about this, and we’ve had more reports of this happening through our Customer Support team, on Twitter, and with other candidates walking into our office asking about their application and asking to sign the job offer they were sent.
Given the immensely sensitive personal information that’s exchanged over the course of the recruitment process and throughout an employment relationship between employees and employers, we take this attack on our potential candidates and on our candidate experience incredibly seriously. We suspect this attack is targeting payroll information from candidates that would be necessary to compensate individuals for the job they believe they’ve accepted.
Here’s what you can do to avoid these types of attacks:
- Be Curious – do your research on any company that contacts you about a job:
- Check out their careers site, and ensure they’re in fact recruiting for the job in question
- Research the hiring team – Recruiters like to be visible, and you should be able to find them easily online. Use LinkedIn as a resource to reach out to recruiters at the company you’re applying for directly if you have concerns.
- Recruiter connections – is your recruitment contact at the company connected with others at the company online? If not, that’s a big flag. Recruiters live by their networks, and not being connected to others at the same organization would be extremely rare.
- Does the company have a “Meet the Team” page on their website? If so, is your contact on there?
- Request a face-to-face interview/meeting in the office, and ask to speak with at least one or two more individuals at the company over video conference or in-person. If remote, ask for a video conference during office hours.
- Visit the office (if you can), or even check out Google Maps Street View. Try contacting the building staff, or finding out if the address is legitimate (in this case it was).
- Call the number listed on the company website, and proactively speak with someone there.
People are ingenious creatures, and these tips are by no means an exhaustive list guaranteed to prevent phishing attacks now, or in the future as new and sneaky ways to bamboozle unsuspecting candidates out of their information emerge. Our only true method of fighting the darkness of phishing scams is by staying educated, aware, and practicing CONSTANT VIGILANCE.
If for any reason you feel you have been a victim of this particular phishing scam, please email: firstname.lastname@example.org.