Harman Singh, a security expert and managing consultant at security company Cyphere, shared details of the scams with BleepingComputer, noting that, “Anyone can post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company.”
There’s no dearth of fake LinkedIn job scams, but while these were orchestrated from fake recruiter accounts, Singh’s technique post the fake job on behalf of a genuine company, adding a whole new level of legitimacy to the scam.
Feature or faux pas?
To test Singh’s claims, BleepingComputer used a LinkedIn account unconnected with its website to advertise a fake job listing.
The listing didn’t identify who posted the job, making it appear as if it was posted by BleepingComputer itself. Furthermore, all applications sent in response to the fake listing, were sent to the non-BleepingComputer-owned email address.
Even more worryingly, BleepingComputer was unable to take down the fake listing posted on behalf of the website, as the platform prevented it from exercising admin control on the content.
The only option for businesses to prevent others from fraudulently posting jobs on their behalf is to rope in LinkedIn.
“You can manually email to the LinkedIn trust and safety team to get those options enabled that allow you to block unauthorised posts, and only allow authorised team members to post jobs,” shared Singh.
A LinkedIn representative didn’t directly comment on Singh’s workaround, but shared the following statement with TechRadar Pro:
“Posting a fraudulent job is a clear violation of our terms of service. We use automated and manual defenses to detect any fake job posting and quickly take action to remove them. We’re constantly investing in new ways to improve detection, including providing tools for companies to require work email verification before posting to LinkedIn.”