Truth 24 Bogus background checks and job applications

You go online to one of the many job posting sites and find what could be the most perfect career opportunity ever. You meet all the job requirements and, more importantly, the pay looks great. You visit the company Web site and read up a little about what it does. Still excited, you submit your resume. After a few days, you receive a call expressing interest. However, before the company flies you in for an interview, it would like you to fill out an online questionnaire. You follow the provided link and answer a number of questions related to your skills. You feel that you have knocked this one out of the park.

Apparently the company agrees, since it calls you a couple days later and informs you that it is very interested in moving forward. It asks if you would be willing to take a drug test and allow the company to perform a background check. No problems there—you’re drug free and fairly certain that the fender bender last year won’t be held against you in the background check. The company asks you to go back to its Web site and fill out the online consent form. Once it’s complete, you will be contacted within a few days to schedule for someone to come by to perform a drug test. You fill out the consent form for the background check, which requires your name, address, social security number (SSN), and driver’s license number. A week later, you receive an email explaining that the position is no longer available and that your resume will be kept on record for open positions in the future.

Yes, of course, this entire process has been part of a high-tech identity theft attack. You have just given everything the identity thief would need to start his new life as you.

A number of these types of attacks have taken place all over the globe. Some are far less sophisticated attacks, in which the thief lists a simple online job posting. When the applicant replies, the thief asks for a SSN immediately. Some only use email to communicate. However, in every single case, the goal is the same—to take advantage of people while they are vulnerable and unsuspecting.

Most of the time, these attacks are aimed at nontechnical, yet high-paying jobs. Sales, marketing, and other nontechnical vocations make for prime targets. In addition, the thief pays for his bogus job posts and hosting fees using prepaid credit cards, making tracking nearly impossible. The setup of the Web site itself takes little or no time, since most are just copied from real organizations. The thief changes the company name to something bogus but leaves the majority of the site unchanged. If the site lists a toll-free number, chances are that it was purchased online by the identity thief, again with a prepaid credit card. The thief then generally has calls coming into that number forwarded to a cell phone.

As for the information that the applicant submits, it is generally forwarded via email to one of the hundreds of free email services available on the Internet. Since the thief can access these free and anonymous Web mail accounts from anywhere in the world, it, too, is largely untraceable.

Monster.com, Careerbuilder.com, and Hotjobs.com post warnings on their Web sites about these types of attacks. Yet, when I created my fake business and performed this type of attack, I found that of the 19 individuals who submitted resumes to me, 7 of them were willing to complete the online form, which included their driver’s license and SSNs.

When I asked my victims why they were so willing to give the information, they said that at previous jobs, they had agreed to background checks and were required to provide the same type of information. So it only seemed normal that my scam required them to submit the same confidential information. I pointed out that at those jobs they were already hired and probably had physically been to the organization’s location prior to being asked to part with such confidential personal information. But the victims of my attack said that the request to provide this kind of information just didn’t seem out of the ordinary. This is exactly what identity thieves are counting on.

When it comes to protecting your identity, each new situation requires you to reevaluate what is happening with your information. Background checks have become routine with many organizations. That doesn’t mean that you are required to just hand over your confidential information before you ever step foot into the facility. You have just as much right to find out who is going to have access to that information and how it’s going to be secured.

When applying for any job

Never submit your SSN, driver’s license number, or other personal information over the Internet.

Understand that a professional-looking Web site and toll-free number do not guarantee it’s a real company.

Never give credit card information to employers. Period.

If you feel you might have fallen victim to this type of attack, immediately file a fraud alert with one of the three credit reporting agencies. You can find more information about what to do if you are victimized in Part IX of this book, “The Truth About Putting a Stop to Identity Theft.”

While it is not realistic to expect the major job-posting sites to be able to guarantee that the company placing the ad is legitimate, if you come across a suspicious situation, you should notify the posting site immediately. Most sites have set up an area specifically related to security concerns.

Searching for a new job is hard enough without having to deal with someone stealing your identity during the process. As with most every identity theft attack, it all comes down to protecting your personal information.