Your company’s talent is its lifeblood. Job postings for qualified individuals and other recruitment activities are vital to its operations. What happens, then, when scammers disrupt your business by conducting phishing schemes to trick individuals into applying for nonexistent jobs you did not post with the objective of stealing their personally identifiable information? In the age of remote work and virtual hiring, the impersonation of companies in job recruitment scams has become increasingly prevalent.
It can be difficult for job seekers to recognize a recruitment outreach as a scam, particularly when they’re highly interested in the opportunity. Therefore, it is incumbent upon companies to take steps to mitigate or stop the potential for harm. Leveraging company intellectual property is crucial to combating such schemes and to protecting both job seekers and the company’s good name.
Although scammers utilize different approaches to phish job seeker information, these schemes are typically rooted in the goodwill of reputable brands. If scammers can convince job seekers they are reaching out on behalf of a well-known, reputable company, they have their hook. One of the most common ways to impersonate companies is to register one or more domain names incorporating the company’s brands and send corresponding emails to unwitting prospects. For example, scammers frequently register domain names such as and create email addresses that appear related to job recruitment, such as hr@companycareer.com. Since the email address incorporates the company’s trademark, the email appears legitimate to prospects. Additionally, instead of creating their own dummy website at the domain name, scammers will often simply forward the fraudulent domain name to the company’s actual website to further legitimize their communications. In this manner, the scammer’s successful impersonation of a company is little more than a domain name registration away.
After the scammers have created a domain name and email address, they often scrape the text of the company’s legitimate job postings and republish them on other job websites. It is also common for someone from “human resources” to reach out to candidates directly, just as a company’s recruiting function typically does. This is often followed by an elaborate scheme of conducting an interview, often with the scammer impersonating human resources personnel found on company websites or LinkedIn and even using the company’s branding in the background of virtual meetings. The scammers then follow up on the interview with confirmation that the job seeker has, in fact, been hired. Once the email confirming employment has been sent, a link or document is forwarded requesting the “new employee’s” personally identifiable information, such as full name, address, email, bank account details, and social security number. Scammers sometimes even send checks or request upfront payments (e.g., for home office equipment) as part of the “hiring process.” Unfortunately, real victims suffer real losses through these schemes and oftentimes there is little law enforcement can do to recover lost funds.
With the above approaches in mind, below are seven steps your company can take to protect its recruitment process and reputation:
1. Report Fraudulent Job Postings.
Job websites typically have mechanisms for reporting job postings as fraudulent. Submitting a takedown notice may be your fastest, easiest, and cheapest way to take down an unauthorized job posting. That said, multiple follow ups and even outreach to in-house counsel at these websites may be required to complete removal.
2. Post Notices on the Career Pages of Company Websites.
Place a disclaimer on the career portion of your company’s job webpage to notify job applicants that scammers may try to contact them, and if they are not contacted through specified channels, such recruitment may not be legitimate. This is your company’s opportunity to speak directly to job applicants and warn them to be vigilant. We also recommend including an email address or form for job applicants to contact your company directly to confirm that a job posting, or communication is legitimate.
3. Send Notifications to Domain Name Registrants, Registrars, Privacy Shields, and website Hosts.
Scammers can cheaply register domain names using your company’s trademarks, and it is unrealistic for consumers to know all legitimate domains for your company. In addition to creating fake email addresses from fraudulent domains, scammers also sometimes create fraudulent websites to imitate the genuine brand owner’s website.
Either fraudulent email addresses or fake websites using your company’s trademarks can provide a basis for notifications to Registrants, Registrars, Privacy Shields, and website Hosts that the domain is unauthorized and incorporates the company’s protected intellectual property.
While scamming Registrants are unlikely to respond, the hope is that Registrars, Privacy Shields, and/or website Hosts will unmask the Registrants so you can locate the individuals behind the scam and communicate directly. Unfortunately, Registrars, Privacy Shields, and/or website Hosts are not under any legal obligation to voluntarily disclose the Registrants’ contact details and typically implement a balancing test to determine whether to release this information. Often, the response will be a denial coupled with a suggestion that the company instead file a complaint under the Uniform Domain Name Dispute-Resolution Policy (“UDRP”).
4. File a UDRP or Uniform Rapid Suspension (“URS”) Complaint with a domain name arbitrator, or initiate a lawsuit.
A UDRP complaint is a trademark-based domain-name dispute initiated before an arbitrator alleging the registrant has registered and uses in bad faith a domain incorporating the company’s trademark. If a company wins, the Registrar can cancel, suspend, or transfer the domain to the company. Alternatively, a company can use the URS system, a rights protection mechanism that complements the existing UDRP by offering a cheaper, faster path to relief for clear-cut infringement cases. The key difference between a UDRP and URS proceeding is that the former typically awards transfer of the domain registration outright, whereas the latter only suspends the domain for the remainder of its current registration.
Whereas even if a scammer loses a UDRP or URS proceeding it can easily register another domain name and recommence its scheme, by being aggressive a company puts scammers on notice that it will not tolerate such misuse of its trademarks and other intellectual property. In short, the company has made clear it’s a “hard target” and scammers should take their schemes elsewhere.
Alternatively, a company can initiate a lawsuit and tender the Registrar with a court order or subpoena requiring disclosure of the Registrant’s information. This can be an expensive approach, however, and most companies first attempt to deter scammers by arbitrating a UDRP or URS dispute.
5. Create and maintain internal policies and protocols.
Companies should keep track of where jobs are posted and periodically monitor the internet for the text of such job postings to ensure duplicates do not appear on other websites. Your communications team should have verbiage prepared should job seekers reach out to clarify whether a job posting is fraudulent, which communications should include requests for the scammer’s communications and methods (e.g., email, job website, other website, social media, mobile app, etc.) along with links for reporting the scam to the Federal Bureau of Investigation (“FBI”) and Federal Trade Commission (“FTC”).
Finally, the company should have procedures in place to report any potential scams to in-house or outside counsel so steps can be taken to combat the scams.
6. Order Domain Name watches and defensively register Domain Names.
Your company can avoid being blindsided by these scams. Numerous watch platforms allow companies to monitor new domain name registrations for the infringement of company trademarks. This can be a good way to identify an issue before scammers have the chance to contact unwitting job seekers.
In addition, companies can defensively register certain domain names to proactively block potential scams. Companies should consider securing various domain names across multiple top-level domains in different grammatical formats that could be leveraged for job scams – e.g., companycareer.com, companyjobs.com, company.jobs, company.careers, etc.
7. Submit details of the scam to the FBI and FTC.
If the scammers have successfully engaged a job seeker and obtained their personally identifiable information or payment, encourage victims to file reports with the FBI’s Internet Crime Complaint Center (IC3) and with the Federal Trade Commission on its fraud reporting page.
