Why hackers target
new hires

The article discusses how cyber-criminals are increasingly targeting new hires and companies soon after public announcements, such as new job postings or notable achievements. Scammers often use information shared on social media platforms like LinkedIn to quickly deceive newcomers through various tactics, including sending malware-laden links and impersonating company executives.

Stephen Osler, co-founder and business development director at Nclose, recounts specific incidents where scammers impersonated him and targeted employees with fraudulent requests. The article emphasizes the importance of security awareness and training within organisations to protect against these attacks. Osler suggests implementing security measures and awareness programs even before new employees join, and advises that HR and social media teams should be vigilant about potential threats.

Beware: Cyber-criminals now target new company hires with swift strikes

Cyber-criminals have become so vigilant that they now launch attacks on companies and their employees within minutes of a new hire or big company news going public.

The first attacks came right after the announcement. No sooner had a new team member shared their excitement on LinkedIn about starting their new job, the floodgates opened with emails from scammers. “These criminals target newcomers, seizing the opportunity to deceive them immediately – whether by sending malware-laden links or posing as company executives,” says Stephen Osler, co-founder and business development director at Nclose.

“When Nclose made headlines for being listed among the Financial Times’ 100 Fastest Growing Companies in Africa, our staff faced a deluge of emails from scammers pretending to be me immediately after the news broke online, and this continued for a full day.”

In other instances, scammers pretending to be Osler asked employees to buy iTunes vouchers on behalf of the company, with the promise of being paid back later. “Then, the scammers ask the employees to send them the voucher codes, which essentially means that the money is sent to an untraceable location.”

Osler believes that targeted attacks like these are on the rise, driven by organised cyber-crime syndicates who prioritise social media reconnaissance in their open-source intelligence (OSINT) efforts. These criminals not only exhibit sophistication and organisation but also leverage lead-generation tools that provide access to individuals’ personal email addresses and phone numbers.

“The scammers even send emails to the recruits’ Gmail addresses. Sometimes, they’re sending emails from the compromised business address of another company. At Nclose, we openly discuss these attempts to increase awareness and lower the chances of our staff falling prey to fraudsters.”

Mitigating the risk does not require avoiding social media or staying out of the news.

“It can be tricky because, as a business or an individual, you naturally want to share your successes on social media,” says Osler. “However, it’s crucial to always prioritise security awareness within the organisation. Remind your staff that cyber-criminals are monitoring the company.”

He recommends companies consider starting training and awareness programs with a security warning even before new employees join. 

“This way, companies can inform new employees from the start about potential targeting and tactics used by cyber-criminals.”

Before deploying new laptops to recruits and remote workers in the field, organisations also need to make sure that they install all their internal security controls.

To reduce the risk of criminals exploiting job postings to target the company, HR and social media teams should undergo training to be extra vigilant. 

“There is a risk of receiving malware hidden in a CV, for instance. Our advice is to create sandboxed environments and scan all attachments diligently to prevent any malicious content from entering the system.

“Sharing our achievements on social media is essential, but safeguarding against cyber threats is paramount. Stay vigilant, remind your team of the lurking dangers, and fortify your defences. A proactive approach to security is key in today’s digital landscape.”