Not only is there phishing opportunity, it's being actively exploited to much greater financial effect (check fraud and identity theft), and you don't even need to go to the lengths of creating a company profile or a website as anyone can create a job posting for any company (with rare exception) [1].
Here's a very real series of events I'm privy to:
- Bad guy gets a domain name confusingly similar to the target company (maybe tack on "inc" or "llc").
- Bad guy gets access to a LinkedIn account (doesn't matter who or if they're connected to the company; stands to reason that a hacked account with existing connections adds credibility) and updates the title to CEO of target company.
- Bad guy posts an "Easy Apply" ad for a remote job with target company.
- That job listing automatically appears on target company's LinkedIn page.
- Bad guy begins receiving contact info for the job and gets to work.
- Following a weak interview process conducted entirely over IM or email, the candidate is hired.
- New hire provides identity documentation at bad actor’s request.
- Bad actor sends new hire a check with instructions to buy equipment for their home work area from a specific vendor who is also the bad actor.
- New hire deposits check and bank makes funds available before the check clearance process actually completes.
- New hire buys a few thousand dollars of equipment from a vendor that doesn’t exist with money they don’t actually have.
- Check bounces and the jig is up.
By the time target company found out, LinkedIn had removed both the job ad and the profile that created it, but did not and would not reach out to the applicants to warn them of the scam nor provide those applicants to the target company (y'know, the company the applicants thought they were applying to; citing "privacy reasons").
While [1] says LinkedIn can do something to restrict who can post jobs on behalf of your company, it's wholly undocumented (and I suspect may not work well for companies relying on both internal and external sourcing). The only defensive measure I've identified is setting up a job alert for your company, specifically for Easy Apply and/or Remote positions as that seems to track with the scam.
The more nefarious ploy is how Axie Infinity got shut down for millions of dollars in fraud because the targets opened a PDF that was actually sent by NK bad actors posting a fake high-paying job and interview process.
[1] https://www.bleepingcomputer.com/news/security/you-can-post-...