'Tis the season for shopping, time spent with friends and family, and preparations to celebrate the holidays. As most of us plan for the coming season, cyber criminals are looking for opportunities to catch victims off guard and steal valuable personal information. People looking to supplement their gift-giving budget with a seasonal holiday job should take a close look at job listings before pursuing offers found online or in their email inboxes. Job scams target those looking for part-time holiday work, specifically aiming to steal personally identifiable information that is often requested on applications for employment. We have observed mass spam email-based job scams using branding from well-known retailers such as Target and Walmart that commonly offer seasonal employment.
These scam campaigns often hook eager job seekers with subject lines like Job Opportunity to fool the reader into thinking a great opportunity has landed right in his or her inbox. Current samples that we have observed this year, like the one shown below, use Target branding to dupe victims into divulging sensitive information that can be used for future crimes. Once the applicant supplies the cyber criminal with their full name, date of birth, address, social security number, and possibly even financial information, the scammer will likely go on to sell the valuable data for the purpose of identity fraud and other criminal activities.
Figure 1. Job scam lure utilizing Target branding
To lend legitimacy to this Target job scam, the scammer has spoofed the sender address, “email@example.com,” to make it look like it came from Target. The hyperlink at the bottom points to hxxp://18.104.22.168/site/signup.html which is flagged by Google as a phishing site. At the time of writing this blog post, the site appears to be offline.
While many email-based scams require the victim to click on a link or open an attachment, some of them simply require a reply to be successful. Take a look at the example below for a mystery shopper holiday job offering. Sounds like a fun opportunity. But when you look closely, like so many phishing emails, there are several glaring mistakes that hint of malicious intent. These red flags include the super-sketchy sender address, the to and cc addresses being a GMX account, terrible grammar, and the over-reaching promise of payment (up to $600) that far exceeds what would be considered reasonable.
Figure 2. Mystery shopper job scam email lure
Another holiday-themed job scam making the rounds is the car wrap scam. These don’t typically come to mind when thinking about job scams, but it is yet another example of how cyber criminals can appear in unsuspecting places to catch victims off guard. Essentially the victim receives an email asking them to put a branded car wrap or large decal on their car promoting a certain business or product. The example below is for the Cadbury company (you know, the ones with the cute Easter commercial for Cadbury eggs). The scam offers a weekly payment in exchange for placing the branded car wrap on the employee’s car. In reality this is a check cashing/money laundering scam. It can be a rather enticing offer for those looking for some extra cash with little to no work involved. As with previous examples, the glaring grammatical errors and sketchy email addresses are dead giveaways that not all is what it seems, and that the reader should slow down and certainly not respond to the email.
Figure 3. Car wrap job scam email lure
Job scams represent only one of the many techniques deployed by criminals, who are growing increasingly creative and sophisticated in luring their victims. During the holiday season, be aware of the following red flags that could signal a scam:
- Suspicious emails warning that an account has been locked
- Offers or deals that seem too good to be true
- Untrusted sites offering hard-to-find items
- Gift cards sold on auction sites or discount sites, or offered in bulk
- Malicious mobile apps targeting holiday deals or games
As always, do your research. Scammers are counting on you to take the bait. If the deal is too good to be true, it probably is. You only have to make a mistake once and your valuable personally identifiable information is now in the hands of cyber criminals. Phishing season is in full swing, don’t get caught.
If you're concerned that your employees may be susceptible to phishing attacks, feel free to request a demo of PhishLabs can help protect against phishing attacks.