Hiring bonus: your identity is pwned

This is the story of a particularly devious phishing campaign that is currently ongoing. Names of organizations and individuals have been changed to protect the identities of those involved. I’m writing this to bring awareness to this method of phishing, and hopefully prevent others from falling victim to the same attack. At this point, we’ve only seen IT professionals targeted; the overall impacts may be much larger. The incidents we’ve seen have been reported to the relevant platforms, along with account details of both the actors and the victims.


Attackers are taking advantage of the massive increase in unemployment to target job seekers and harvest personal information (including signatures) that can be used for identity theft. They do this by impersonating individuals within large organizations, running interviews, and issuing fake offers.

Initial details

James was doing his due diligence; the promises, speed, and details of the offer seemed off.

Aaron [phisherman #1] had posted a job ad on a professional social network, and James had applied. Upon receiving a response, James scheduled an interview on Telegram (red flag #1 – why would an interview be performed via an OTR messaging platform?). Aaron’s Telegram avatar was similar to the one on his social network profile, and the name lined up in James’ research. James proceeded with the interview, and it went well.

Rachel [phisherman #2] reached out to James, and issued an offer. The name lined up, but there was no avatar to compare against the social network profile to confirm the identity visually. James still checked, and was a bit surprised to see that Rachel was part of the C-Suite (red flag #2 – why would a C-Suite member be sending employment offers?). The offer letter requested a signature, along with the general information you’d expect an employer to collect.

As part of the offer, Rachel mentioned James would start at part time and move up to full time after the probationary period, and the company would ship him an iMac. Things were starting to look off to James, and that’s when he reached out to Chris.

Moment of clarity

James messaged Chris a fairly straightforward question, just wanting clarity about what Chris’ hiring experience had been, as he felt something was amiss. The speed at which he had gone from interview to offer did not align with his previous experiences, and in his research, Aaron and Rachel were in unrelated job roles. He was looking for reassurance that this offer was legitimate.

Chris asked James for the names of who he was in contact with, and for the Telegram contact details. Chris checked the internal org chart and confirmed what he already knew; Aaron and Rachel are not related in any way. Aaron is in a completely different department headed by a different C-Suite member than Rachel. In addition, interviews aren’t run via Telegram. To increase visibility, Chris forwarded the full social platform conversation and relevant screenshots to the head of infosec; this is a risk scenario that could impact the company’s reputation.

Greg in infosec confirmed they were aware of these attacks, and that the methods weren’t confined to just Telegram. The attackers had used Google Hangouts, Microsoft Teams, and other platforms for the interviews. They were gathering information on their victims (full names, addresses, phone numbers, etc.), and also sending offer letters requiring signatures. The attackers are gathering all the necessary components for full identity theft; there is no telling the level of fraud that could be committed with this information.

Chris notified James that he’d been the victim of a phishing attack. He was to report his experience to the relevant platforms, and cease all communications with the attackers. Chris advised James to file a credit freeze with the various credit bureaus, and if possible, take advantage of some identity theft monitoring.

Proceed with caution

These attackers are taking advantage of the crisis we’re currently in by playing on people’s emotions and targeting the massive population of newly unemployed. They’re relying on your lack of diligence and desperation for financial security for their initial foothold. Please ensure you:

These attackers are using the basics of social engineering to successfully compromise their targets. Don’t fall victim. I understand the stress that comes from being unemployed; you will be ok and will find employment again. Don’t allow your emotions to be your fatal flaw; that’s what these attackers are relying on.

Stay safe. Stay vigilant.