
How CoinDesk’s IT and HR departments teamed up to take down an employment scam

“I created a Google doc outlining what happened and the communications I received, along with domains used by the threat actors. I alerted our team about this and they immediately sprung into action,” said CoinDesk’s VP of HR.

Earlier this summer, CoinDesk had a problem on its hands. The crypto-focused media outlet was targeted by a criminal outfit deploying a phishing scam that has become more common in the age of remote work—luring job applicants to fake careers websites, convincing them to share their financial information, and stealing their money.

CoinDesk’s VP of HR, Talie Schwager, previously told HR Brew she was made aware of the scheme by applicants who messaged her on LinkedIn about fake job offers for positions that weren’t actually open. The fraudsters masqueraded as Schwager to create a veneer of authenticity, an email seen by HR Brew showed, and eventually lured victims to two fake CoinDesk careers pages. Later, during what seemed like onboarding, the scammers asked the would-be applicants for their banking details for the purposes of depositing their first paychecks.

Luckily, CoinDesk promptly pounced on the issue. Its security engineer, Christian Galvan, was able to target both phony job sites and, through a range of measures, have them taken offline in less than a week, he explained to HR Brew. Efficiently scrubbing the fake careers pages required a direct line of communication between HR and IT, so that information could be relayed as quickly and clearly as possible, Galvan and Schwager agreed.

CoinDesk faced an issue that can pose daunting challenges for companies that lack robust technical resources, KC O’Carroll, head of security engineering at cloud email security platform Tessian, told HR Brew. “If you are an HR person with no security team, which is not unheard of, and you find out a scam, what do you do? Do you have the technical acuity to even identify the scam to begin with?”

How CoinDesk took down two fake job sites. When the scam became apparent to Schwager, she immediately contacted her IT department. “I created a Google doc outlining what happened and the communications I received, along with domains used by the threat actors. I alerted our team about this and they immediately sprung into action,” she said via text.

Equipped with this baseline information, Galvan was able to begin the process of ferreting out the operation’s geographic location, including that of its servers. “With the report HR provided, it had emails, it had website links, it had screenshots of what they were using to lure victims. And those details were enough for us to do research and understand how they’re operating and where their infrastructure lives,” he told HR Brew.

Like many phishing operations, the attack targeting CoinDesk originated from abroad, on servers hosted in the UK, Germany, and Kenya, Galvan said. While criminal websites hosted in the US can be removed under the Digital Millennium Copyright Act (DMCA) for violating intellectual property rights, schemes operating beyond US legal jurisdiction can sometimes play by their own nefarious rules.

Bad actors working abroad can “cite policies of being hands-off with regards to content [regulations], they can say that your proof of scam doesn’t amount to proof of malicious activity,” O’Carroll said. Sometimes, scams will persist because “there are sufficient numbers of companies who simply choose not to comply” with DMCA requests from the US.

The scenario held true for Galvan, who said, “After reporting to different authorities and different cloud providers, the website was not taken down immediately.” This compelled him to adopt a “hacker mindset” and take a more clandestine route: doctoring a fake job application and using a new email account, unaffiliated with CoinDesk, to apply to one of the fake jobs. Galvan’s application included “encoded messages”—namely, the address of an FBI field office—to let the scammers know that CoinDesk was wise to the ruse. Within a day, the websites were taken offline.

Integral to HR. In order to thwart the scam ring, HR and IT had to work hand in hand, Schwager said. But establishing a tight working relationship between these departments should always be a top priority. “HR relies on robust IT practices through the entire employee life cycle and it is critical for that relationship to be strong in order to solve these kinds of issues. So much of what we do occurs in the digital world and we depend on IT teams to help us operationalize our work,” she explained.

There are other resources HR can harness, too. O’Carroll noted that at a former employer, marketing assisted with damage control in the wake of a recruiting scam. “I worked with our social media marketing manager to identify people speaking out on these sorts of scams…basically, finding victims complaining about our company…defraud[ing] them of some application fees” when, in fact, they’d been targeted by a criminal outfit, O’Carroll said.

It may take an all-hands approach and the implementation of unorthodox techniques, but CoinDesk’s experience shows that certain employment scams can be overcome when HR and IT collaborate.—SB

Do you work in HR or have information about your HR department we should know? Email [email protected] or DM @SammBlum on Twitter. For completely confidential conversations, ask Sam for his number on Signal.
