Scams and Scammers

1. GoFundMe reminds users to beware of scams

2. US banks investigated over Zelle scams

3. Scammers targeting home sellers, buyers alike

4. FTC warns of airline customer service scam

5. Postal workers conned by cyber scam are irate

6. Real estate scams on rise

7. Scammers target tax agencies for your infor

8. Amazon warns of new Online shopping scams

9. QR code scams can prove very costly to victims

10. Postal workers conned by cyber scam are irate

11. Fraud, scam cases increasing on Zelle, Senate report finds

12. 'Geek Squad' email scam targets seniors

13. Amazon warns of new Online shopping scams

14. Spot latest 'deepfake' investment scams

15. Watch out for romance scams Online

16. Advanced Fee Loan Scam
Threat actors can use phone numbers obtained from past data breaches and public records to randomly call or send messages claiming to be a member of a loan processing team and providing a loan offer that appears too good to be true. They may provide vague details, impose urgent demands, or require advanced fees of a purported loan offer with the intent of stealing personally identifiable information (PII) and financial information, including Social Security numbers and bank account numbers.
The NJCCIC received reports of an advanced fee loan scam in which threat actors posed as lenders, guaranteed the loan approval without official credit checks, offered low rates or fees, and asked for money upfront. The victims submitted a supposed loan application and paid a deposit via peer-to-peer money transfer platforms typically used with these scams. The deposits were nominal due to a false claim of a low credit score or based on a percentage of the fake loan amount. In one scam, the victim applied for a loan and paid a $1,350 deposit via Zelle. In another scam, the victim was offered a several million-dollar loan with a reasonable rate and a four percent deposit. Once the victims paid the deposits, the so-called lenders stole their information and funds and never responded to the victims’ subsequent inquiries. Threat actors can use this stolen information to impersonate victims, apply for loans or lines of credit, access bank accounts, and steal additional funds.
Recommendations
  • Refrain from responding to communications, opening attachments, and clicking links from unknown senders, and exercise caution when communicating with known senders.
  • Research lenders thoroughly and check reviews to ensure the lender is legitimate before providing sensitive information.
  • If funds are unintentionally wired to a fraudulent account, immediately notify the financial institution, the FBI, and the US Secret Service so that attempts can be made to stop the wire transfer. Unless the fraudulent transaction is discovered quickly (typically within 48 hours), it can be difficult, if not impossible, to return the stolen funds.
  • Report these types of scams to the FTC, FBI’s IC3, and the NJCCIC.
  • If personally identifiable information (PII) has been compromised, review the Identity Theft and Compromised PII NJCCIC product for additional recommendations and resources, including credit freezes and enabling MFA on accounts.

17. Direct Deposit Scams Continue
In direct deposit or payroll diversion scams, threat actors research the targeted organization and identify an employee to impersonate. They typically register a free email address using the employee’s name and use display name spoofing in the messages. In some cases, they compromise the employee’s email account to avoid suspicion. Then the threat actors email payroll, finance, or human resources departments to request direct deposit changes and applicable forms. Sometimes, the threat actors locate direct deposit change forms online and include the filled-out forms in the email. They intend to divert the employee’s direct deposit account information to an account under the threat actor’s control.
The NJCCIC continues to receive multiple reports of direct deposit scams, primarily targeting educational institutions. However, all organizations, regardless of sector, are at risk. In one incident, threat actors created a Google Gmail account, impersonated an employee, and attempted to change the direct deposit account information. They sent an email with a blank subject line and content containing “Good Morning, Hope you’re having a great day. Before the next payroll will be issued, I need to replace the account where my most recent deposit was made due to a bank change. What information is required?”
In another incident, threat actors impersonated an employee and emailed the finance department with a subject line of “New Account Info.” The email contained, “I am currently experiencing issues logging into the [redacted] portal, as I am being redirected to the homepage with a blank page. Therefore, I can provide my new banking information for the update. Here is the voided check with my new bank details for the change. Please cancel the previous account and use the new details provided below [redacted bank information].”
In the examples above, the requests to change direct deposit information were easily identified as scams. However, in another direct deposit scam, threat actors intended to compromise an employee’s account to impersonate them and avoid suspicion. They contacted the organization’s help desk to request a password and multi-factor authentication (MFA) reset in a successful social engineering attack. The threat actors gained unauthorized access to the employee’s account and emailed a direct deposit change request to the payroll department. The payroll employee initiated the change based solely on the email request, deviating from the organization’s established policy. Additionally, to evade detection, the threat actors created an inbox rule to delete emails containing “direct deposit” automatically. However, the organization’s security monitoring solution detected the rule promptly, and the account was locked.
Organizations, especially employees in payroll, finance, or human resources departments, are advised to identify several red flags in direct deposit scams. First, the authenticity of the request is concerning when the sender’s name does not match the email address. Threat actors may also create urgency to speed up the process and use phrases such as “This is urgent” or “Please make the change immediately.” Additionally, if the request includes a form attachment, there may be errors, the Social Security number may not be correct, or the signature may be suspicious. Furthermore, the request may not include a recommended voided check.
Recommendations
  • Refrain from responding to messages, opening attachments, and clicking links from unknown senders, and exercise caution with emails from known senders.
  • If correspondence contains changes to bank information or is otherwise urgent or suspicious, contact the sender via a separate means of communication—by phone using contact info obtained from official sources or in person—before taking action. 
  • Implement security controls that help prevent account compromise, including establishing strong passwords and enabling multi-factor authentication (MFA) where available, choosing authentication apps or hardware tokens over SMS text-based codes. 
  • Organizations are advised to implement strict verification processes and procedures to prevent unauthorized direct deposit changes, such as requiring direct deposit forms accompanied by a voided check or bank encoding form, verbal or in-person agreement from the requesting employee, and multiple approvals for the change request.
  • Organizations are advised to educate their helpdesk and IT personnel on the tactics used by cyber threat actors to gain unauthorized access to accounts. Review and secure email and payroll systems for vulnerabilities and keep them up to date.
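
The inbox-rule detection described in the compromised-account incident above can be approximated with a periodic audit of mailbox rules. The following is an added example, not part of the NJCCIC advisory: the rule schema, action names, extra keywords, and 24-hour reset window are assumptions, and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# "direct deposit" is the term from the reported incident; the other terms are assumed.
SENSITIVE_TERMS = ("direct deposit", "payroll", "voided check", "bank")
# Constructed action names: anything that keeps mail from the owner's attention.
HIDING_ACTIONS = {"delete", "permanent_delete", "move_to_folder", "mark_as_read"}
RESET_WINDOW = timedelta(hours=24)  # assumed correlation window after a reset

def matched_terms(keywords):
    """Return the sensitive terms covered by a rule's keyword conditions."""
    hits = set()
    for kw in keywords:
        kw = re.sub(r"\s+", " ", kw.lower()).strip()
        for term in SENSITIVE_TERMS:
            # Catch both "direct deposit change" and the shorter "deposit".
            if term in kw or (len(kw) >= 4 and kw in term):
                hits.add(term)
    return sorted(hits)

def audit_rules(rules, credential_resets):
    """Return one finding per rule that hides payroll-related mail."""
    findings = []
    for rule in rules:
        terms = matched_terms(rule.get("contains", []))
        hiding = sorted(HIDING_ACTIONS & set(rule.get("actions", [])))
        if not terms or not hiding:
            continue
        created = datetime.fromisoformat(rule["created"])
        reset = credential_resets.get(rule["mailbox"])
        # A rule created right after a help desk reset is the pattern described above.
        after_reset = (reset is not None and
                       timedelta(0) <= created - datetime.fromisoformat(reset) <= RESET_WINDOW)
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "terms": terms, "actions": hiding, "after_reset": after_reset})
    return findings

# Constructed sample data, not taken from the NJCCIC report.
SAMPLE_RULES = [
    {"mailbox": "jdoe@example.edu", "name": ".", "created": "2025-01-14T09:42:00",
     "contains": ["Direct  Deposit"], "actions": ["delete"]},
    {"mailbox": "asmith@example.edu", "name": "Newsletters", "created": "2024-11-02T08:00:00",
     "contains": ["unsubscribe"], "actions": ["move_to_folder"]},
    {"mailbox": "blee@example.edu", "name": "Payroll", "created": "2024-06-01T10:00:00",
     "contains": ["payroll"], "actions": ["move_to_folder"]},
]
SAMPLE_RESETS = {"jdoe@example.edu": "2025-01-14T09:10:00"}  # help desk MFA reset time
```

Findings with after_reset set to True deserve the fastest response; the others are usually user-created filing rules that only need a quick review.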

 

18. Social Security Administration Phishing Emails
The NJCCIC received reports of Social Security Administration (SSA) phishing emails, consistent with the SSA’s scam alert earlier this month. The emails contain SSA branding to appear legitimate and claim to be from the SSA. However, upon further inspection, they were sent from non-.gov top-level domains (TLDs) with the sender’s display name as “Social Security administration.” The subject line displays, “Your benefits statement is now available for download.” The emails create urgency to convince potential victims to download and review their Social Security statements immediately to ensure uninterrupted access to their benefits and prevent processing delays. The emails also instruct potential victims to click the “Download Statement” button and install the required file specifically on PC/Windows systems. If clicked and installed, sensitive information and devices may be at risk.
These communications are not legitimate, as the SSA will not ask for personally identifiable information (PII), including Social Security numbers or dates of birth, or financial information via email, phone, or text message. Also, the SSA will not threaten to suspend your Social Security number, demand immediate payment, warn of legal action, ask you to download “secure” software, or request permission to access your device.
Recommendations
  • Refrain from responding to unsolicited communications, clicking links, or opening attachments from unknown senders.
  • Exercise caution with communications from known senders.
  • Confirm requests from senders via contact information obtained from verified and official sources.
  • Navigate to official websites, such as the SSA, by typing official website URLs into browsers manually and only submit account credentials and sensitive information on official websites.
  • Use strong, unique passwords for all accounts and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes.
  • Confirm the legitimacy of the requests by contacting the SSA directly through their official website.
  • Report these fraudulent scams to the SSA, the FBI’s IC3, and the NJCCIC.
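
The sender red flags from the direct deposit section (display name not matching the address, urgency phrases, bank-change requests) and the SSA emails sent from non-.gov domains can be checked with the same header logic. This is an added example, not part of the NJCCIC advisory: the employee directory, domains, keyword lists beyond the quoted phrases, and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# All values below are constructed for this example.
EMPLOYEES = {"jordan doe": "jdoe@example.edu"}   # display name -> address on file
GOV_NAMES = ("social security administration",)  # names that imply a .gov sender
URGENCY = ("this is urgent", "please make the change immediately")
BANK_CHANGE = ("direct deposit", "new account", "bank change", "banking information")


def sender_flags(raw_message):
    """Return the red flags found in one RFC 5322 message given as text."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name = " ".join(name.lower().split())
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    flags = []
    # Known employee name, but not the address the organisation has on file.
    if name in EMPLOYEES and addr != EMPLOYEES[name]:
        flags.append("display-name-mismatch")
    # Agency name on a domain whose last label is not "gov"
    # (this also catches ssa.gov.<something-else>).
    if any(g in name for g in GOV_NAMES) and domain.split(".")[-1] != "gov":
        flags.append("gov-name-non-gov-domain")
    if any(p in text for p in BANK_CHANGE):
        flags.append("bank-change-request")
    if any(p in text for p in URGENCY):
        flags.append("urgency")
    return flags


PAYROLL_SAMPLE = (
    'From: "Jordan Doe" <jordan.doe.hr@freemail.example>\n'
    "Subject: \n\n"
    "I need to replace my direct deposit account due to a bank change. "
    "Please make the change immediately.\n"
)
SSA_SAMPLE = (
    'From: "Social Security administration" <statements@ssa.gov.benefits.example>\n'
    "Subject: Your benefits statement is now available for download\n\n"
    "Click Download Statement to review your statement.\n"
)
INTERNAL_SAMPLE = (
    'From: "Jordan Doe" <jdoe@example.edu>\n'
    "Subject: Lunch\n\nSee you at noon.\n"
)
```

A message sent from a compromised employee account passes the sender checks, so a bank-change-request flag on its own still calls for verification through a separate channel.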

 

19. Uptick in Employment Scams
The NJCCIC observed an uptick in employment scams that target and exploit individuals seeking employment. Threat actors first perform reconnaissance on their targets, gathering information from various sources, such as past data breaches, publicly disclosed data, social media profiles, and data purchased on the dark web. They communicate with their targets via emails, text messages, WhatsApp, or Telegram to initiate conversations about purported job opportunities created from legitimate job postings. They may also create and post fraudulent job postings or profiles through trusted professional online employment boards and websites, such as LinkedIn, CareerBuilder, Indeed, and Monster, or via social media platforms like Facebook. They typically impersonate legitimate employers and recruiters and spoof legitimate domains. The threat actors express interest in the target’s compatibility for a vacant position and attempt to ascertain the target’s willingness to explore the opportunity further.
The NJCCIC’s email security solution detected an employment scam in which threat actors use the legitimate Xero platform to create a trial organization to quickly send large amounts of spam emails before they are detected and shut down. In this campaign, the threat actors impersonate Coca-Cola and incorporate their branding. The email contains a link with the Coca-Cola name in the URL, but it does not direct to Coca-Cola’s official website. Instead, it directs the target to a malicious website that prompts them to update their browser. If clicked and installed, sensitive information and devices may be at risk.
Threat actors also impersonate legitimate employers and recruiters through multiple random text messages in the hope that their target is an interested job seeker. In this campaign, the text message outlines the position's benefits, including remote work, flexible hours, and a potential average daily pay ranging from $300 to $900 or more. To avoid detection, they often request to continue the conversation on a chat platform like WhatsApp or Telegram. Legitimate employers do not typically request that applicants communicate or send information through instant messaging platforms.
The NJCCIC also received multiple reports of threat actors creating fake profiles on LinkedIn, impersonating employers and recruiters, and sending direct messages to potential victims regarding fraudulent job postings. The emails request interested targets to provide their email addresses and resumes. If there is no response, the threat actors sometimes attempt to contact their targets via email and phone.
Once contact with a target in these employment scams is established, the threat actors often request information as part of the application process or job offer. They intend to steal personally identifiable information (PII) or monetary funds, potentially committing identity theft and launching other cyberattacks. They may conduct fake online interviews to inquire about work experience, salary expectations, and other typical employment concerns. Threat actors may ask for personal information or request their target to pay processing or application fees, training, or background checks. They may also send fraudulent invoices for equipment, with instructions to pay using cash, Zelle, or PayPal and a promise of reimbursement. In some instances, they also partake in fraudulent check scams via mail to cover all or a portion of the job-related fees or expenses. Until the fraudulent check supposedly clears, threat actors pressure their targets to start the job immediately and insist they front the money, resulting in monetary losses.
Key suspicious indicators of employment scams include vagueness from the purported employer or recruiter about the position, the job sounding “too good to be true,” and upfront requests for personal and financial information, such as a Social Security number, a driver’s license number, or banking information for direct deposits. Threat actors may also create urgency to respond or accept a job offer. The use of unofficial communication methods, including personal email accounts, non-company email domains, teleconferencing applications, and apps like WhatsApp, Telegram, Signal, or Wire, is also a red flag.
Besides targeting job seekers, threat actors also target corporate human resources departments and recruiters to steal account credentials and funds. They abuse legitimate message services and job platforms to apply for real jobs. Researchers discovered the financially motivated Venom Spider threat group sending spearphishing emails to the hiring manager or recruiter. These emails contain links directing them to download the purported resume from an external website. The threat actors insert a CAPTCHA box to create legitimacy and bypass security controls. They then drop a backdoor called More_eggs and use server polymorphism to deliver the payloads and evade detection and analysis.
Recommendations
  • Refrain from clicking links and opening attachments from unknown senders, and exercise caution with communications from known senders.
  • Examine potential offers by contacting the company’s human resources department directly via official contact information and researching potential employers online to determine if others have reported a scam.
  • Navigate to websites directly for authentic job postings by manually typing the URL into a browser instead of clicking on links delivered in communications to ensure the visited websites are legitimate.
  • Refrain from contacting or clicking on unknown telephone numbers found in unsolicited messages or pop-up notifications.
  • Avoid downloading software at the request of unknown individuals, and refrain from divulging sensitive information or providing funds.
  • Review additional information on job scams on the FTC’s website.
  • Report malicious cyber activity to the FTC, the FBI's IC3, and the NJCCIC.
  • If victimized, report the scam directly to the respective employer or employment listing service.
  • If PII compromise is suspected or detected, contact your local law enforcement department and review the Identity Theft and Compromised PII NJCCIC Informational Report for additional recommendations and resources.