Protecting Yourself from Fake Headhunters with OSINT

Authors: Paul Wright and Neal Ysart (The Coalition of Cyber Investigators)

Professional networking platforms like LinkedIn offer valuable opportunities for job seekers to connect with potential employers. However, these platforms have also become prime targets for malicious actors looking to exploit users and harvest sensitive information. From nation-states, organised crime groups, and corporate espionage to opportunistic fraudsters, the rise of fake recruitment scams is a growing concern. In 2021, UK security services warned that over 10,000 UK nationals had been approached by fake LinkedIn profiles linked to hostile states, often as part of larger, more coordinated efforts.

These scams typically involve fake recruiter profiles offering lucrative job opportunities to manipulate victims into divulging confidential information. The National Counterintelligence and Security Center (NCSC) highlights the growing risk of such attacks, with foreign intelligence agents posing as headhunters to harvest sensitive data. In fact, in 2021, malicious profiles were being used on “an industrial scale, with over 10,000 citizens approached by fake LinkedIn profiles linked to hostile states.

This article provides five tips for companies and individuals on utilising OSINT (open-source intelligence) techniques for identifying, analysing, and mitigating these scams. By applying OSINT methods, candidates can perform a reverse form of pre-employment screening to verify the legitimacy of recruiters and their offers.

Tip 1: Verify the Recruiter Profile

Bogus recruiters often create fake profiles on professional platforms like LinkedIn, where they appear legitimate, with polished photos, impressive career histories, and glowing recommendations.

Further, organised crime groups create multiple fake profiles to build networks of apparently legitimate recruiters to enhance credibility and make scams more challenging to detect. These accounts often endorse one other as valid through skill endorsements, testimonials, or even fake job postings, making their operations appear more legitimate and trustworthy to their victims. 

To verify the authenticity of these profiles, OSINT techniques can provide valuable insights.

A simple yet powerful method is to use reverse image search tools like Google Images or TinEye. By uploading the profile picture, you can check if the same image appears elsewhere on the web. If it’s found on multiple profiles or unrelated websites, it’s a red flag indicating a fake account. For example, if a recruiter’s profile photo is identified as a stock image or another person’s photo, it’s an immediate cause for suspicion. While LinkedIn restricts direct downloads and removes metadata from profile images investigators can use Inspect Element (F12) to locate the image URL within the HTML source code or Google Chrome’s Developer Tools to retrieve the image request if direct downloads are blocked. 

Additionally, career history verification can be done using platforms such as Pipl, Spokeo, or Glassdoor to cross-check a recruiter’s work history. If the recruiter claims to work for a well-known organisation but their name is absent from the company’s website or personnel roster, this is another clear warning sign.

Finally, LinkedIn profile details such as custom URLs, banner photos, about, experience, and the number of connections can offer further insights into a recruiter’s legitimacy. These should be cross-referenced with other platforms to ensure consistency.

These techniques represent only the beginning of OSINT investigations on LinkedIn. The platform offers a wealth of publicly available data that, when analysed effectively, can provide valuable insights.

‍

Tip 2: Analyse Their Digital Footprint

A digital footprint refers to the trail of data individuals leave behind through their online activities, such as social media posts, website visits, or interactions on professional forums. By analysing this footprint, you can assess the consistency and credibility of a recruiter’s online presence.

Legitimate recruiters tend to have a consistent presence across multiple platforms, such as LinkedIn, Twitter, or industry-specific forums. If a recruiter’s online presence is sparse or inconsistent, this could indicate that they are operating under a false identity.

Tools like Usersearch, Mention, and Social-Searcher can help identify other social media activity linked to the recruiter. Additionally, if you have access to the recruiter’s email address or phone number, tools like Skopenow Workbench or Holehe can help uncover further online accounts associated with them, revealing discrepancies or confirming their legitimacy.

Another key aspect of digital footprint analysis is email verification. Fraudsters often use fake email addresses or newly created domains to appear credible. You can perform a Whois search on the domain associated with the recruiter’s email to verify its registration details. A newly registered domain may indicate a fraudulent account. Additionally, tools such as Avatarapi can be used to connect profile pictures with email addresses, while EmailRep can help verify whether an email address is associated with a legitimate organisation.

For example, if a recruiter uses an email like "badactor@scamheadhunter.com," a Whois search revealing that the domain was only recently registered could expose the scam.

Tip 3: Reviewing Suspicious Activity on Professional Networks

OSINT tools and techniques can be employed to detect suspicious activity on professional networking platforms. For example, using Maltego, you can map out the connections between suspicious profiles. This can help identify if multiple profiles are part of a coordinated effort or a larger scam operation.

For example, if you come across a group of recruiters using the same profile picture but claiming to work at different companies, it’s likely they’re part of a fake network designed to build credibility.

Keyword spotting is another technique. Certain phrases or keywords, like "exclusive job opportunity" or "confidential offer," are often used in scam job postings. You can set up alerts on search engines or platforms like Pastebin using Pastebin Scrappers, Python scripts, or API integrations to find these phrases and evaluate them for potential scams before they spread.

By proactively searching for these signals, OSINT practitioners can stay one step ahead of scammers, identifying fake job offers early on and preventing further harm.

‍

‍

Tip 4: Educate Employees

An essential part of defending against fake recruiter schemes is educating employees. OSINT can play a crucial role in developing realistic training materials that help employees recognise these threats. Real-world case studies of fake recruiter schemes can be used to highlight common tactics and warning signs.

The UK’s National Protective Security Authority (NPSA) has created the “Think Before You Link” app to help users identify the hallmarks of fake headhunter profiles. This app, along with other NPSA resources such as awareness campaign materials and training guides, can help raise awareness of these threats and improve security practices within organisations.

Simulated phishing attacks and mock recruiter profiles can also be used in training exercises to test employees’ ability to identify fake profiles. These simulated attacks offer an opportunity to educate staff on the specific tactics used by scammers and prepare them to respond effectively.

Tip 5: Report Fake Profiles

Once a fake profile has been identified, OSINT can help gather the necessary evidence to report the scam. This evidence can include screenshots, metadata, and other digital artefacts that demonstrate the fraudulent nature of the profile.

Tools like Hunchly can assist in capturing and preserving this evidence. It’s important to ensure the integrity of the evidence, as well as maintaining a clear chain of custody, which is crucial for potential legal proceedings. As pointed out by The Coalition of Cyber Investigators, just because a tool is labelled as “forensic”, this isn’t always necessarily the case as not all will include features that enable:

• Preservation of Evidence - so it maintains integrity and admissibility in legal proceedings.
• Maintaining the Chain of Custody – so there is a detailed record of how evidence has been handled.

Repeatability and Reproducibility – so there is the ability to consistently achieve the same results.

When multiple fake profiles are linked, OSINT can help identify the connections between them, providing a more comprehensive report for law enforcement or platform administrators. This information can contribute to ongoing investigations into corporate espionage or identity theft rings.

For example, if several fake profiles use the same email address or IP address, reporting these details to the authorities could lead to the exposure of a broader scam operation.

Conclusion

The threat of scams by fake headhunters is real and growing, with security and intelligence agencies taking action to warn the public. However, OSINT provides a robust toolkit to help both individuals and organisations defend against these threats.

By using techniques such as profile verification, digital footprint analysis, and evaluating suspicious activity, OSINT professionals can stay ahead of scammers. Additionally, educating employees and reporting fraudulent profiles are key strategies in mitigating the risk of falling victim to these schemes.

As the NPSA advises, "Think before you link." Taking a cautious and informed approach when engaging with unknown individuals on social media and professional networks can help protect personal and organisational security from these increasingly sophisticated scams.

‍