Job boards are a common way of posting a job opportunity. Hopeful applicants respond by uploading a resume, and oftentimes, a cover letter. In 2015, several companies were digitally attacked through malware carried by decoy resume documents. A couple of examples include:
- Computer security company Trend Micro discusses the use of resumes to disseminate CryptoWall ransomware. Activated by unsuspecting hiring personnel, infectious code in a phony resume triggers system seizure. Once in play, the user is directed to pay a ransom in exchange for return of the use of their system, and documents. Unfortunately, there is no guarantee the digital assets will be unlocked upon payment of the ransom. Ransomware with resumes could grow more prevalent as graduation season approaches, and resumes flood online job boards.
- Word documents, like resumes, could carry code known as Dridex. Not ransomware, Dridex is downloaded with the resume and waits until the user visits an exploitable website where personal information like social security numbers, passwords, and other information could be phished. The illegally gathered data is sold or used to commit fraud or theft.
- Using the Microsoft Word Intruder (MWI), bad actors exploited a known gap in Word documents to target traffic to com. When triggered, the infectious code compromises the system of the individual who opens it--and anyone who opens the infected file after it is forwarded. Sites like CareerBuilder are in the business of forwarding prospective resume files to potential employers--offering an almost open door to hackers who would otherwise have a hard time convincing recipients to click on infected attachments.
Whether it is a resume from a job board, or from Craigslist, hiring personnel are vulnerable to any of these hacks.
In an increasingly competitive job market, companies with an urgent need to fill a skilled position could be tempted to cut corners during the hiring process. Explains Cisco security expert Nick Biasini, "These attacks are successful because these types of emails are seen legitimately as well. If they happen to reach someone who is in the process of hiring or evaluating candidates they are likely to open the attachments and follow the process."
Employ good digital hygiene
Social engineering techniques can trip up any company. Personnel who would not click on a questionable website online, may readily open an infected attachment. Even with secure recruiting software, your most vulnerable point is at access--through the people who interface with material from potential applicants, job boards, and others.
In the coming year, an increasing number of companies will suffer cyber invasion. HR is well positioned to contribute to digital security initiatives through ensuring infected material does not pass into the company network through the employment process.
Some tips to avoid infected resume and other materials include:
- Work with your IT unit to ensure security updates are routinely downloaded. Be sure your security package screens email attachments in addition to email. Do not enable macros when prompted online, or from an email attachment.
- Create, review, and train on security best practices for handling employment materials.
- Associate with credible, secure job boards with safety protocols that involve screening materials before transmission to client companies.
- Consider using a segregated cloud site to view potential applicant materials, instead of downloading to your computer.
The Society for Human Resource Management (SHRM) urges the review of security measures and external employment channels as part of the process to avoid infected application materials. Notes security professional Brian Huntley, "HR should review its external candidate communications channels, to reinforce awareness of the role that career websites and resume services play in the enterprise's candidate identification processes."
Another tactic is to join the movement away from resumes as the primary source of information about job candidates. Richer alternatives offer greater speed, security, and service during the recruitment process. Consider modes like:
- LinkedIn: An enriched LinkedIn profile offers potential employers a good idea of candidate background, work product, social engagement, and credentials. Filling all the needs of a resume, a LinkedIn profile is a great resume alternative.
- Online branding: Outside of LinkedIn, many professionals are creating their own brand, starting with a website, representative work, and even a history of social communications. Moving past LinkedIn, personal branding provides as much information as a candidate cares to provide--without the security risk.
- Hybrid options: Consider asking for a visual, or social, resume that responds to the area of expertise required by your company. Serious candidates can include a portfolio and other rich media to communicate their message, brand--and potential value to your company.
Avoid the risk and increase your chances of finding the right hire by evaluating your exposure to damaging cyber attack. When you have questions about secure recruiting or onboarding software, give us a call.
About the Author, Jimmy Hurff
Jimmy is a seasoned technology executive & entrepreneur noted for leading business transformations. Over his 25+ year career, Jimmy has developed multi-platform expertise in the domains of engineering, data analytics, security, compliance & business transformation. Starting in 1995, Jimmy worked with his best friend, David Webb, to develop one of the world's first Internet job board and resume bank applications. From then to now, Jimmy has been consistently helping his customers to build great teams, using best practices and world-class technology.
Try It Now
Make a BrightMove: Sign up for a free applicant tracking system trialStart Now