Harman Singh, a security expert and managing consultant at security company Cyphere, shared details of the trick with BleepingComputer.
“Anyone can post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company,” Singh revealed.
There’s no dearth of fake LinkedIn job scams, but while these were orchestrated from fake recruiter accounts, Singh’s technique posts the fake job on behalf of a genuine company, adding a whole new level of legitimacy to the scam.
Feature or faux pas?
To test Singh’s claims, BleepingComputer used a LinkedIn account unconnected with its website to advertise a fake job listing.
The listing didn’t identify who posted the job, making it appear as if it was posted by BleepingComputer itself. Furthermore, all applications sent in response to the fake listing were sent to the non-BleepingComputer-owned email address.
Even more worryingly, BleepingComputer was unable to take down the fake listing posted on behalf of the website, as the platform prevented it from exercising admin control over the content.
The only option for businesses to prevent others from fraudulently posting jobs on their behalf is to rope in LinkedIn.
“You can manually email the LinkedIn trust and safety team to get those options enabled that allow you to block unauthorised posts, and only allow authorised team members to post jobs,” shared Singh.
LinkedIn did not immediately respond to TechRadar Pro’s email on the claims made by Singh.