washingtonpost.com
Taking the Bait On a Phish Scam
Job Seekers Are Targets, Victims of Sophisticated Ploy

By Annys Shin
Washington Post Staff Writer
Saturday, February 10, 2007

The online news site USA Voice isn't going to win any kudos from media critics. Not for its top story Monday, "Super Bowl Ads Don't Live Up to the Hype." And not for its Fox News-style slogan, "USA Voice: Honest and Unfiltered."

As a phishing scheme, however, privacy experts say it's a winner.

The Web site for the "world's fastest growing news organization" looked good enough to fool Katherine Brinton, an aspiring journalist in Philadelphia. After posting her résumé on Monster.com nine months ago, the 23-year old received an e-mail from USA Voice in November that said it was looking for reporters with "excellent writing skills" and an "innate ability to find the truth."

Brinton filled out an online application with her name, address and telephone number. But instead of job offers, she began receiving a stream of unsolicited e-mails hawking Viagra, payday loans and penny stocks.

"I felt like I was being scammed," she said.

Brinton fell victim to a sophisticated phishing scam, which, in recent months, targeted thousands of job seekers on such popular Web sites as Monster.com and CareerBuilder.com. Phishers send out seemingly legitimate e-mail in an attempt to get people to reply with personal information then used in a variety of scams.

Since June, the Better Business Bureau serving Metro Washington has logged more than 8,000 inquiries about USA Voice and a related entity, Instant Human Resources. USA Voice lists a downtown Washington address; Instant Human Resources lists an address in Rockville. Both locations turned out to be a service that forwards mail for other businesses. Instant Human Resources' parent company, Internet Solutions, says it is based in Orlando.

The Better Business Bureau has received 20 complaints about the three companies, and all share similarities. USA Voice, Instant Human Resources and Internet Solutions advertised such positions as "gossip reporter," "IT assistant" and "quality control administrator" on employment sites such as Monster, CareerBuilder and Yahoo HotJobs, and contacted people who had posted résumés there. But after being enticed to give up personal information, job seekers never heard from the companies again and instead began getting inundated with spam.

"These firms purport to provide employment opportunities. Consumers allege that the only thing they have received is bulk unsolicited e-mail. Based on this, it would appear that the given companies are . . . a scheme to amass and sell personal contact information," said Edward J. Johnson III, chief executive of the Better Business Bureau of Washington.

None of the companies responded to Better Business Bureau inquiries. They also did not respond to a reporter's e-mails or to notes left in their Washington-area mailboxes.

In 2006, about 109 million U.S. adults received phishing e-mails, up from 57 million in 2004, according to research firm Gartner, of Stamford, Conn. About one in six phishing e-mails are opened -- a better rate than for e-mails from legitimate businesses, said Jeff Wilbur, vice president of marketing for e-mail security firm Iconix.

The majority of phishing e-mails claim to be from financial institutions, but phishers have also switched to mimicking dating, social networking and other kinds of online services. In those cases, victims might let their guard down because they are not giving out financial information, Wilbur said. But such attacks can leave them just as vulnerable to identity theft.

"Sometimes these phishing attacks look innocent because you're not giving up what you consider huge personal information. But it might be the final piece of the puzzle of the information they have on you," Wilbur said.

Job search sites offer identity thieves a rich source of personal information and a pool of potential victims willing to divulge even more in hopes of landing employment. Since 2004, some of the largest online job search firms, such as Monster and CareerBuilder, have taken more precautions against criminals looking to collect personal information from their users.

Privacy experts say the job sites could do more to weed out fraudulent ads. "People, when looking for work, are at their most vulnerable. Job sites owe it to consumers to take that extra step to make sure these scams don't slip through the net," said Pam Dixon, executive director of the World Privacy Forum, a nonprofit research and consumer group.

Spokespeople for Monster, CareerBuilder, and Yahoo said they include warnings about fraud on their sites, screen employment listings and employer Web sites and monitor job postings daily.

CareerBuilder removed job ads by USA Voice eight months ago, said spokeswoman Jennifer Sullivan. Monster removed ads by USA Voice and Instant Human Resources in December and ads by Internet Solutions last week, said spokeswoman Danielle Perry. Yahoo removed ads from Internet Solutions last week.

Privacy experts and security officials at the job sites agreed that the three Web sites in question are "particularly clever" and "very slick." Internet Solutions, for example, requires users to create a password. Dixon said this was probably a ploy to collect access codes for online bank and e-commerce accounts. Most people use the same password for everything, security experts said, and criminals know that.

USA Voice's victims were persuaded to harvest personal information from others. After posting her résumé on CareerBuilder, Emma Ward of Collegeville, Pa., was contacted by e-mail by USA Voice. The 24-year-old was told she qualified to be an editor and was responsible for recruiting her own writers. She just had to collect and send their e-mail addresses to the company. The writers, in turn, would be paid by the number of hits their stories received, giving them incentive to direct more people to the USA Voice site.

Ward never got around to recruiting anyone. She stopped hearing from USA Voice and started receiving spam.

Job seekers got offers, but not for legitimate employment. Instant Human Resources told Michael Coleman of Bronxville, N.Y., after seeing his résumé on Monster or CareerBuilder, that he could be the U.S. representative for an overseas firm. The 34-year-old Web project manager signed onto the Instant Human Resources' Web site, which required him to enter his name, address, phone number, and Social Security number and create a password.

Coleman followed the instructions but entered a fake Social Security number. The job, he said, "didn't sound right." He didn't pursue it any further after online research confirmed his suspicions: The position sounded like a scam involving cashing old money orders.

"For anyone looking for a job, it's a tough economy," Coleman said. "You don't want to go to a site and see some scam."

View all comments that have been posted about this article.

© 2007 The Washington Post Company