How Criminals & Lawyers Use Monster.com & Other Job Sites to Invade Your Privacy (and How to Stop Them)


You’re out of work. You want a job. Or you have a job, but you want a better one. So you do what I did — what millions of people do each year. You submit your resumé online. But did you know that just by posting your resumé, you become a target for criminals and lawyers to use your information?

Monster Reveals Its Own Monsters Online

Recently, I received an email notification from Monster. Here are two snippets from the letter:

… As is the case with many companies that maintain large databases of information, Monster is from time to time subject to attempts to illegally extract information from its database.

As you may be aware, the Monster resume database was recently the target of malicious activity that involved the illegal downloading of information such as names, addresses, phone numbers, and email addresses for some of our job seekers with resumes posted on Monster sites.

Scared much yet?

The Company has determined that this incident is not the first time [emphasis added] Monster’s database has been the target of criminal activity.

So it’s happened before! Apparently, at least in this instance, Monster job seekers were contacted by criminals trying various phishing schemes. Monster in its letter included a link on internet safety.

Who was really attacked?

Jon Molesa thoughtfully points out that it wasn’t really Monster that was attacked — it was the users! Monster hasn’t suffered any direct damage. It’s the job seekers who received phishing emails — that some of them must have fallen for.

How did the criminals do it?

According to Syd Tash in his Daily Computer Security Tips,

“…the personal details were used to create individualized phishing emails that tricked the recipient into clicking links in the email and signing into fake sites, thus revealing their passwords. At the same time, malicious software was downloaded onto the user’s computer.”

In other words, because the criminals knew where you used to work or had the name of one of your references or where you went to school or were accredited — they used those pieces of personal information to tailor their emails to make it seem as if they could be trusted. After all, if they knew where you work and where you went to school, then maybe they do need your social security number to identify you to give you access to an account or confirm an alumni subscription.

How schools & public services may contribute to phishing

The student identification number, in particular, is a bone of contention for me. Schools routinely ask for them on college application forms. The schools need unique identification numbers and rather than create one for you themselves, they ask you to give them an identification number you already have that’s unique — your social security number.

When I applied to colleges, I didn’t give them my social security number. My school made one up for me. When I went to other campuses for summer school, I received additional ID numbers in the same xxx-xx-xxxx format.

For graduate school, when I had to take student loans, my financial aid was difficult every semester because I refused to have my social security number be the same number as my student ID. At USC, a student ID card could be used at the campus Carl’s Junior. Would you give your social security number to someone just to buy fries or a burger between classes?

Schools (and the DMV and many other public services) debase our right to privacy with our account number with the US government. It’s no wonder people fall for the phishing scams.

How other nosy people can find your resumé — on any job site

But wait, there’s more! You also get the ginsu knives!


True story. The same week that I received the letter from Monster.com, two other people contacted me from my resumé — on CareerBuilder.com.

I’ll preface this by saying that CareerBuilder actually led me to a well-paying day job exactly when I needed it. I had the first interview within an hour of posting a resumé.

Nevertheless, at the time I was working in that job, and had reposted my resume to test the waters.

Within hours, another head hunter I’d spoken with (but never been placed by) called me, asking why the most recent job wasn’t working out. It actually was working out — I was just testing the waters.

Job sites like CareerBuilder encourage people to post their resumé in response to job openings, but also to make their resumés searchable. As I found out, head hunters just trolling for new people for their files without jobs can find you. But I never suspected that there are…

Attorneys who find clients from job hunting sites

My resumé was posted on CareerBuilder — it was the same week as the headhunter. I received first an email and then a phone call out of the blue. It was an attorney in another state. He had found out that a company I had previously worked for had some problems with the administration of certain employee benefits during a range of years.

So he used the job seeking site to find people who worked for a specific employer in a specific period of time! And then called me! I’ve heard of ambulance chasers, but this struck me as an incredibly creative guy bringing new meaning to the Web 2.0 idea of “people search.” Apparently, because of either the accidental error of my former employer — or their willfully undercutting a valuable benefit — this attorney thought former employees could constitute a class action lawsuit. But I wasn’t looking to become part of a lawsuit! I was just putting my resumé online to see if I could find something that pays more or has a shorter commute!

Apparently, anyone who can register as an employer or head-hunter can have access to a job site’s database of job seekers. I have no experience in sales, but each time I’ve posted a resumé online, I’ve received numerous spam-like emails from employers who want a salesperson. Even the time I posted a resumé as an exotic dancer.

It got me to thinking — what other, non-work uses might people use a database of resumés for? And how…

How to prevent phishing attacks & invasions of privacy on job hunting sites?

Never give out your social security number! Ever! If you’re asking for a loan or have started employment with a bona fide employer, then those are relationships where you must share that information.

Syd Tash also suggests that if you use a site such as Monster that you change your password or cancel your account.

My suggestions:

  1. create job hunt aliases – and don’t include your real name in the email (meaning, don’t choose JoseSchmoe@gringomail.com if your name is José Schmoe). Some email providers such as SBC and Mac.com allow alias accounts — you can enable the email while on the job search, and disable the accounts when you’re employed. Better than creating separate email accounts, because disabling an account means no spam while you’re happily employed.
  2. redact your name — remove your name from the top of the resumé. Put in “name available upon request.” Or, if that idea seems a little weird — make like a web service proof against bots and create something like a captcha — insert a graphic with your name at the top of the resumé rather than text so would-be phishers have to be able to read like humans do visually and not from recognizing the characters you typed in.
  3. redact your phone number & address – At the very least, leave off your phone number. Or use a service like Vonage.com or Grand Central or your local telephone provider to create a virtual phone number or an additional voice mail line with call forwarding to your real number. When the hunt is on, you can receive calls, when the hunt is off, they can’t call you. Or cross-reference your information with the phone books available on CD ROM. Here in Hollywood, actor head shots and resumés have long been a source of information for would-be harassers & criminals. Would-be stars should never put their home phone number on a resumé, let alone an address.
  4. don’t put niche clubs or interests on your resumé — niche groups make you the perfect target for both spam and phishing. Rule of thumb: if you wouldn’t put it on your forehead during a get-to-know-you game, don’t put it on your resumé. For the niche employers — give them a tailored version that includes the information. Don’t put niche interests and activities into the non-niche marketplace.
  5. block head-hunters & employers from finding you — only submit your resumé to jobs you select, not any random person who says they have a job and is willing to pay an employer fee to access the database of resumés.
  6. don’t post in any job site’s public forum – some websites allow you to join and post in various public fora. Don’t do it! When you announce your presence this way, anyone curious (or any automated program) can find out some information about you.
  7. read the privacy policies on job sites — there may be some surprises. Better to make informed decisions about the site in general — and about specific permissions you may need to opt-out of or protections you may need to opt-in for. Read the CareerBuilder privacy policy and the Monster.com privacy policy online.

Have you been a victim of phishing from a job site? Or received targeted spam? Any tips on how to prevent invasions of privacy during the job hunt? Please add a comment!

© Gib Wallis * Brief Episode. All rights reserved.
