Criminals have long known the value of personal information and they know recruitment agencies have lots of it. Agencies depend heavily upon their databases and email communications, making them particularly vulnerable to different forms of cybercrime, not least phishing.
WHAT IS PHISHING?
Phishing is the fraudulent attempt to gain personal, confidential or financial information, often passwords or bank account details, through seemingly genuine emails, phone calls or texts.
According to SAFERjobs, a non-profit organisation combatting crime in the recruitment sector, there has been a 300% increase in phishing expeditions in the last two years.
We like to think we could spot a scam, but the truth is that criminals are getting away with it because they are becoming more sophisticated; they can make phishing messages look increasingly trustworthy.
HOW ARE RECRUITMENT AGENCIES ATTACKED BY CYBER CRIMINALS?
Criminals target an agency and its clients. Fake invoicing is a common trap. For example, recruiters buy monthly slots on a job advertising website, then receive an email that appears to come from its accounts department, warning that they are about to exceed their monthly limit. The email will note ‘to secure an extra 10 slots for this month, enter your card details here.’ This is a classic case of a phishing scam.
In another phishing scam, criminals pretend to be clients offering a fee for candidates. They then ask the recruiter for their bank details in order to transfer the money, and the recruiter ends up in trouble, having handed over personal information the criminals can now steal.
Your employees also have access to a lot of personal data, which attracts many criminals. Criminals will try to persuade employees to pass on confidential information about an applicant, either by pretending to be that applicant or by posing as a potential employer.
In many cases, phishing emails contain links to malware. Recruiters are particularly vulnerable to this because of the number of unsolicited emails with links to CVs they receive. Instead of a CV, that link or attachment could download software that records keystrokes or shares your screen so passwords and sensitive data can be gathered.
There have also been some high-profile ransomware attacks on large institutions recently. The malware is inadvertently downloaded and spreads, infecting any networked machine. Computers crash, recruiters are locked out of their databases and they can’t contact anyone or track progress. They literally lose the ability to operate.
In around 20% of cases, even when victims pay the ransom, they don’t get their systems back, either because the criminals don’t have the technical capability or because they just don’t care once they have the money.
THE IMPACT OF PHISHING ON YOUR AGENCY
If you don’t have the right protection and staff training, you may not be meeting your legal obligations under GDPR. In that case, not only can a phishing attack cost individuals money, but your company can also receive a fine of up to four million Euros or up to 4% of your global turnover.
Other consequences of a phishing attack include:
- Damage to your organisation’s reputation
- Commercial loss while your business is offline
- Theft from individuals’ bank accounts
- Identity theft
HOW TO PROTECT YOUR AGENCY FROM PHISHING ATTACKS
Businesses have three main lines of defence against phishing attacks: technology, people and governance.
- Technology. Ensure you have the right software, configured properly, to protect your business, and test it against simulated phishing attacks to see how it stands up. Keep your software up to date and maintain a secure back-up solution so you can recover your information and systems in the event of an attack.
- People. According to a report from global risk brokers Willis Towers Watson, around 90% of cyberattacks result from human weakness. Your staff are on the frontline of cyber-attacks, so ensure they’re aware of the risks and remain vigilant about all emails they receive.
- Governance. Ensure you have the correct policies and procedures in place to help prevent attacks and to mitigate the effects of a breach on your business. Inform candidates about the nature of your interaction with them so they can better spot a phishing attempt if an email doesn’t seem right. Consider putting cyber insurance in place.
If you don’t have your own in-house IT security expertise, make sure your IT support provider is in a position to help protect your systems and has a recovery programme in place that will get you back online as soon as possible after an attack.
HOW WESTTEK CAN HELP PROTECT YOUR RECRUITMENT BUSINESS FROM CYBER ATTACKS
TBOS works with a number of reputable service providers in the recruitment industry and we’re pleased to say Westtek Solutions is one of them. Due to their specialist cyber-security service and their decades of experience in the recruitment sector, they have been added to our TBOS preferred supplier list. This means TBOS clients receive exclusive cyber-security discounts with Westtek.