Types of Interview Scams on LinkedIn and Twitter
I think scams are a genuinely interesting phenomenon and I have a personal catalogue in Google Docs where I take notes of the ones that I come across personally. It keeps me amused.
Originally published on my personal website.
I’ve been actively looking for a job for a couple of months now (check out my LinkedIn if you’re looking for a Product guy with a tech background). After spending so many years working in crypto, I have a fine sense for scams (bleh). Unfortunately, that fine sense has also been honed through being dumb enough to be compromised by one of the more sophisticated ones, which I go into detail about towards the end of this piece. If that’s what you’re after, you should skip to that.
LinkedIn, Twitter, and other social job sites are great for finding work, but they are also rife with scammers who are taking advantage of desperate people like me who need work.
Since I’ve already catalogued some of them, I’ll share some of the most common scams that I have personally encountered, detail how they work, how you can identify them for avoidance, and how you can defend against them.
Be careful out there though, because this is not a complete list by any means and scammers are actively updating and adapting their methodologies.
WhatsApp Number Request Scam
The Scam
I was lucky enough to be contacted by a whole slew of fake accounts like the inimitable Emma portrayed below.
The goal of these types of scams is to gain access to your phone number, either for further spam or scams, or to hijack your WhatsApp account entirely.
In the US, WhatsApp is not very dominant, but in many places like the Middle East and Asia it is the primary mode of communication.
Losing access to your WhatsApp account can be very dangerous: whoever controls it can impersonate you, which puts your direct contacts in danger too.
Defense Method
The best way to defend against this type of attack is to never give out personal information which may compromise you or those close to you.
WhatsApp is tied to your phone number and SIM. Neither is a foolproof security mechanism, and they should not be trusted on their own to keep you and your account safe.
WhatsApp has a basic 2FA setup, which I highly recommend that every active user of the app turn on. WhatsApp also publishes some basic recommendations for securing your account, which you should review as well.
Accounts like Emma’s should be reported and blocked.
Fake Job Offer Scam
The Scam
Purely in terms of how emotionally draining it is, this one is right at the top. The accounts that run it tend to look really legit, and they leverage the good reputations of large companies to evoke a sense of trust in a process that is entirely false.
They reach out to you, generally posing as a recruiter for a large company. They ask intelligent questions and usually have checked out your LinkedIn profile so they can sound non-generic and realistic.
They will set up a typical interview and they will actually show up. The one that I showed up for was with a lady from the Far East. I’m not sure if she was Indonesian or Malaysian. She asked some pretty general questions and let me do most of the talking. It didn’t feel too different from the dozen or so other interviews that I’d taken in the month prior.
What did feel different was the quick offer that I received the following day. Typically, for leadership roles in tech you have three or more interviews with different people within a company to assess both your capabilities and your cultural fit. It’s a process, and when it feels rushed, it sets off a red flag in my mind.
The offer itself was at least 100% more than the target salary I’d mentioned during my call with her, and this felt strange.
What made it an obvious scam were the requests for me to hand over money to process the job application, and that I’d need to cover their equipment costs. I declined and she ghosted me.
Defense Method
Being aware that these types of scams are out there is a big help in setting you up for a solid defense against them.
During interviews you should remember that you’re not just being interviewed; you are also interviewing the company itself. Ask pointed questions and get a feel for whether anything strikes you as odd or off.
Categorically refuse to pay any processing fees for your recruitment or onboarding. I know that there are some companies out there that expect you to front costs for training, clothing, work materials, or other things needed for the job. I consider these a type of scam too and actively avoid companies that require them.
Install and Scan
The Scam
As promised, I’m going to share how I lost about 33 ETH. A little back story is necessary for this to make any sense. In truth, I had no intention of making this personal disaster public, but I feel a need to share it in the hope that it saves someone in the future.
My apologies for the length.
In October, war broke out in Israel. My wife and three kids just happened to be on the way back from visiting family in the US on October 7th, and they got stuck in Munich as Lufthansa canceled all flights for fear of having planes shot out of the sky.
I spent a frantic few days trying to get any flight (or boat) out to any destination in Europe so that I could meet them.
It wasn’t clear how long we were going to be gone, or if I was coming back at all, so I did something that, up until then, I’d never done before. I copied my Ledger seed phrase, in clear text, onto the laptop that I was traveling with, as a hedge against not having access to those funds in case of an emergency. Typically, I keep this seed phrase in a zipped file, which is encrypted with a strong password. That is held on a USB drive which is kept in a safe. It was pretty much all of my crypto and I was hoping to hold on to it for a long while. I don’t know why I did what I did. I chalk it up to a momentary lapse in judgment caused by fear and panic.
We met up in Athens and then moved to Cyprus, hoping that things would wind down quickly. They didn’t, but that’s outside the scope of what I’m trying to convey here. While we were in Cyprus, maybe two or three weeks after I met up with my wife and kids, I got approached on Twitter to take on a consulting role for a game that was being produced. I checked out their social accounts, which had substantial followings and good engagement, and their project’s website. I even poked around their Discord and talked to some people who were excited about the game. Everything seemed above board so I said that I’d be ok to take a call with their team to discuss things.
When we showed up to the call, there was a nicely dressed woman with an Eastern European accent. We spoke for 30–40 minutes and I asked about what they were trying to build, why, and how things were going. She asked smart questions about my background and seemed interested in getting my opinions on an early build of the game, called Myst Island.
We agreed on a reasonable hourly rate, with an understanding that a retainer would be appropriate for both sides if they found my feedback and network valuable. I was desperate for any income at this time and agreed.
At the end of the call she casually mentioned that they’d send over a link to a build that I could install and play with.
I said, “no problem”.
Narrator, “It was, in fact, a problem”.
An hour or so later, the build link arrived and I tried to install it. I got the typical unsigned-bundle warning that Windows throws and I didn’t think much of it. I’ve been dealing with preliminary builds long enough to know that code signing is often one of the last things that a team does before a product goes live.
I compulsively take notes and screenshots when I’m working, and I kept the entire process. Inline are screenshots from the day the scam happened, cropped to remove backgrounds with sensitive data.
I ran it anyway.
The install process took a few minutes, and then got stuck.
I ran it a few times and then sent a DM back to the lady. She never responded.
I dropped into the Discord and tried to get some support, and was duly booted from the server.
Something felt wrong and I couldn’t shake the feeling that I had just made a mistake.
I closed the computer and went to play with my kids. A little later, I happened to check Telegram and saw a weird “saved message” saying that I’d been hacked and they had taken all my ETH. That’s when everything clicked for me and I hit maximum panic.
I ran over to my machine and checked. Indeed, I’d been wiped out.
In retrospect, I understand today that the “game” I’d installed was simply an application that searched all of the directories on my computer for strings that looked like private keys or seed phrases, and uploaded them to the attacker’s server for use in draining my addresses and accounts.
The attackers also gained access to a bunch of my secondary accounts, but since I’m a stickler for using 2FA, they thankfully did not end my digital life.
The computer that was compromised went in the trash. I had no way to verify at the time what had been done to it, or whether the hardware itself was compromised. I was also really, really angry, and it felt good. Don’t judge me.
Defense Method
I was dumb. Your best defense is to not be dumb like me.
- Don’t keep keys or seed phrases in plain text on your computers.
- Don’t keep keys or seed phrases any place that people can easily access.
- Don’t install stuff that you haven’t verified or had some third party verify.
- If you absolutely must install stuff that isn’t verified, do it inside of a virtual machine which is 100% clean.
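As an added example (not from the original post), here is the kind of check I should have run on that build before clicking through the Windows warning: it reports the Authenticode signature status, who signed the file, its SHA256 hash, and whether the file still carries the Mark-of-the-Web from being downloaded. The installer path is an assumed placeholder.

```powershell
# Added example, not from the original post. Pre-install trust check for a
# downloaded Windows installer. It never executes the file; it only inspects it.
function Test-InstallerTrust {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Authenticode: Status is Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Mark-of-the-Web lives in the Zone.Identifier alternate data stream.
    # ZoneId=3 means Internet, ZoneId=4 means Restricted sites.
    $zone = $null
    try {
        $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction Stop
    } catch {
        # No stream: file was not tagged as a download (or the tag was removed).
    }

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        File      = $Path
        SHA256    = $hash
        SigStatus = $sig.Status
        Signer    = $signer
        FromWeb   = [bool]($zone -match 'ZoneId=[34]')
    }
}

# Assumed placeholder path; point this at the build you were actually sent.
$InstallerPath = 'C:\Users\me\Downloads\game-build.exe'

$report = Test-InstallerTrust -Path $InstallerPath
$report | Format-List

if ($report.SigStatus -ne 'Valid') {
    Write-Warning 'Unsigned or tampered installer: do not run it outside a clean, disposable VM.'
} else {
    Write-Host "Signed by: $($report.Signer). Confirm this matches the studio you spoke with."
}
```

A valid signature only tells you who signed the file, not that they are honest, so compare the signer and the hash against what the company publishes through a channel you found yourself rather than the link they sent you.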
—
Want to help me? I’m still looking for work as a Product lead with a tech background. Email here.