The word “ransomware” sends shivers down the spine of virtually every Chief Information Security Officer. Over the past few decades, as an executive consultant for many of the world’s largest security firms—including Fortinet, Cisco, Symantec, and Qualys—I’ve talked to hundreds of CISOs about security risks. One of the most concerning and overlooked risks comes from the human resources side of the fence.
Most firms are struggling to fill open positions. Over 70 percent of the best candidates are passive: they aren’t looking and won’t send you a resume. Nearly all recruiters and talent acquisition professionals therefore proactively reach out to individuals on LinkedIn to find potential candidates. They are likely using LinkedIn Recruiter or Sales Navigator to run searches and then sending InMails or asking to connect. Conversely, individuals looking for new positions may reach out to recruiters or hiring managers to inquire about opportunities. Either of these scenarios can expose an organization to millions of dollars in ransomware losses, lawsuits, and brand damage.
LinkedIn now has over 750 million members. Unfortunately, many of these members are fake. Anyone can create a profile on LinkedIn in a matter of minutes and claim to work, or to have worked, for any company they choose. LinkedIn does not verify this. It does not, for example, require a verified work email address to confirm that someone actually works for the company they list, and it does not scan profiles to flag suspicious ones for members. It is up to members to discern whether someone is real or fake.
As an example, I was approached by someone at one company in relation to joining the LinkedIn Tech Execs group that I manage. At first the conversation seemed ordinary, but later became suspicious. Most would not have noticed, but I raised an eyebrow as I’ve spent years working with security firms. I did some digging and discovered that there are six people at this company with similar titles and nearly identical backgrounds, including the same job history. They were all fakes created by phishers—threat actors who are trying to gain access into companies for nefarious reasons.
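One way to automate the check that turned up those six profiles, as an added example that is not the article's or PDQAPP's code: normalise each profile's job history, compare only profiles that claim the same employer, and flag any cluster of three or more whose histories are essentially identical. The record layout and the sample profiles below are constructed for illustration, and the function names are assumptions.

```python
"""Flag clusters of near-identical profiles at one claimed employer.

Added example for the pattern described above (several profiles at one company
with the same title and job history). It is not LinkedIn or PDQAPP code; the
record layout and the PROFILES data are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample. p1-p4 share one job history (p4 differs only in case and
# spacing, which normalisation removes); p5 and p6 are ordinary, distinct profiles.
_CLONED = [("Acme Corp", "Senior Talent Partner", 2021),
           ("Globex", "Recruiter", 2018),
           ("Initech", "Sourcer", 2015)]
PROFILES = [
    {"id": "p1", "employer": "Acme Corp", "history": _CLONED},
    {"id": "p2", "employer": "Acme Corp", "history": _CLONED},
    {"id": "p3", "employer": "Acme Corp", "history": _CLONED},
    {"id": "p4", "employer": "Acme Corp", "history": [
        ("ACME CORP ", "senior talent partner", 2021),
        (" Globex", "RECRUITER", 2018),
        ("Initech", "sourcer ", 2015)]},
    {"id": "p5", "employer": "Acme Corp", "history": [
        ("Acme Corp", "Account Executive", 2020), ("Umbrella", "SDR", 2017)]},
    {"id": "p6", "employer": "Acme Corp", "history": [
        ("Acme Corp", "Security Engineer", 2019), ("Hooli", "Analyst", 2016)]},
]


def normalize_history(history):
    """Case- and whitespace-insensitive, order-independent set of history entries."""
    return frozenset((c.strip().lower(), t.strip().lower(), int(y)) for c, t, y in history)


def jaccard(a, b):
    """Similarity of two entry sets: 1.0 = identical, 0.0 = nothing in common."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_profiles(profiles, threshold=0.8):
    """Group profiles at the same employer whose histories overlap by >= threshold."""
    parent = {p["id"]: p["id"] for p in profiles}

    def find(x):  # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    hist = {p["id"]: normalize_history(p["history"]) for p in profiles}
    for a, b in combinations(profiles, 2):
        if a["employer"].strip().lower() != b["employer"].strip().lower():
            continue  # only compare people claiming the same current company
        if jaccard(hist[a["id"]], hist[b["id"]]) >= threshold:
            parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for p in profiles:
        groups[find(p["id"])].append(p["id"])
    return sorted(sorted(g) for g in groups.values())


def suspicious_clusters(profiles, min_size=3, threshold=0.8):
    """Clusters large enough to look like a persona farm rather than coincidence."""
    return [g for g in cluster_profiles(profiles, threshold) if len(g) >= min_size]


if __name__ == "__main__":
    for group in suspicious_clusters(PROFILES):
        print("review before engaging:", ", ".join(group))
```

The threshold and minimum cluster size are the knobs: a Jaccard score near 1.0 catches copy-pasted histories, and requiring three or more members keeps two colleagues with genuinely similar careers from being flagged. Run it over the profiles a recruiter has already sourced for one target company and review any cluster it reports before sending InMails.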
Again, for CISOs, this is the worst nightmare. Recruiters aren’t trained to spot these fakes. They are under great pressure to find candidates and will likely miss most red flags. Unaware, after engaging with one of these phishers, they may ask for a resume. The phisher will send one via LinkedIn or email and the recruiter will innocently open the file. Smack. The file carries malware that runs on the recruiter’s workstation, inside the company’s firewall, and drops its artifacts there. From that foothold the attackers move laterally through the network, harvest credentials, and use those stolen identities to reach sensitive information. This is really bad news.
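A first line of defence for the attachment step, as an added example that is not from the article or from PDQAPP: screen a resume file before anyone opens it. The checks below are an allowlist of extensions, agreement between the extension and the file's magic bytes, a look inside Office Open XML containers for macro projects, embedded OLE objects and remote-template references, and a scan of PDFs for active-content keys. All sample files are constructed in memory, and the function and file names are assumptions.

```python
"""Screen an inbound resume attachment before anyone opens it.

Added example, not code from the article or from PDQAPP. The sample files
in SAMPLES are built in memory (constructed data); function names are assumed.
"""
import io
import re
import zipfile

ALLOWED_EXT = {"pdf", "docx"}                       # what a recruiter inbox should accept
DOC_LIKE = ALLOWED_EXT | {"doc", "docm", "rtf", "txt"}
# PDF name objects that trigger code or launch behaviour when the file is opened.
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)\b")


def screen_attachment(name, data):
    """Return the reasons a file should be quarantined; an empty list means it passed."""
    reasons = []
    parts = name.lower().split(".")[1:]
    ext = parts[-1] if parts else ""
    if ext not in ALLOWED_EXT:
        reasons.append(f"extension .{ext or '(none)'} not in allowlist")
    if len(parts) > 1 and any(p in DOC_LIKE for p in parts[:-1]):
        reasons.append("double extension masquerading as a document")  # e.g. resume.pdf.exe
    if data[:2] == b"MZ":
        reasons.append("PE executable header (MZ)")
    if ext == "pdf":
        if not data.startswith(b"%PDF"):
            reasons.append("claims .pdf but lacks %PDF header")
        else:
            found = sorted({m.group(1).decode() for m in PDF_ACTIVE.finditer(data)})
            reasons.extend(f"PDF active content: /{k}" for k in found)
    elif ext == "docx":
        if not data.startswith(b"PK"):
            reasons.append("claims .docx but is not a ZIP container")
        else:
            reasons.extend(_scan_ooxml(data))
    return reasons


def _scan_ooxml(data):
    """Look inside an Office Open XML package for macro, OLE and remote-template parts."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                reasons.append("VBA macro project present (vbaProject.bin)")  # .docm renamed to .docx
            if any("/embeddings/" in n.lower() for n in names):
                reasons.append("embedded OLE object")
            # Remote template injection: settings.xml.rels points attachedTemplate off-host.
            if "word/_rels/settings.xml.rels" in names:
                rels = z.read("word/_rels/settings.xml.rels").decode("utf-8", "replace")
                if 'TargetMode="External"' in rels and re.search(r'Target="(https?:|\\\\)', rels):
                    reasons.append("external template reference in settings.xml.rels")
    except zipfile.BadZipFile:
        reasons.append("corrupt ZIP container")
    return reasons


def _build_docx(with_macro=False, remote_template=None):
    """Constructed minimal OOXML package for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")   # OLE compound-file magic
        if remote_template:
            z.writestr("word/_rels/settings.xml.rels",
                       '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                       f'officeDocument/2006/relationships/attachedTemplate" Target="{remote_template}" '
                       'TargetMode="External"/></Relationships>')
    return buf.getvalue()


SAMPLES = {  # constructed inputs; 203.0.113.0/24 is documentation address space
    "resume.docx": _build_docx(),
    "resume_macro.docx": _build_docx(with_macro=True),
    "resume_template.docx": _build_docx(remote_template="http://203.0.113.10/t.dotm"),
    "resume.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n",
    "resume_js.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
                     b"/JS (app.alert(1)) >> >> endobj\n",
    "resume.pdf.exe": b"MZ\x90\x00\x03\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        verdict = screen_attachment(fname, blob)
        print(f"{fname:22} {'OK' if not verdict else 'QUARANTINE: ' + '; '.join(verdict)}")
```

Treat this as a triage filter, not a verdict: the PDF keyword scan can be evaded by name obfuscation (such as hex-escaped `/J#61vaScript`) or by hiding the dictionary inside a compressed object stream, so a clean result means "not obviously malicious". Anything that passes should still go through detonation sandboxing or content disarm and reconstruction before it reaches a recruiter's desktop, and anything flagged should never be opened on a workstation that has domain credentials cached.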
These phishers are looking for Intellectual Property (IP) or Personally Identifiable Information (PII) about customers or employees—such as credit card numbers. Once accessed, they will steal it and then threaten to expose it unless a ransom is paid. The cost can be millions, but it doesn’t stop there. Compliance fines and lawsuits can add many more millions to the bill. What’s the answer?
A hot startup launched by some fellow veterans has a solution to help prevent this while also helping recruiters spot dishonest candidates. This solution also saves hundreds of hours and reduces costs. It’s a browser extension and platform called PDQAPP. Recruiters (or sales pros) find a candidate on LinkedIn and click once to extract key data. The app uses cognitive AI, ChatGPT, and neuroscience to analyze the contact and create a profile that includes attributes, soft skills, and communication preferences. Personalized playbooks are generated that include ChatGPT-powered emails, phone scripts, and LinkedIn messages that will resonate with candidates (or prospects). This can reduce the number of recruiter scripts required, as well as save time. The platform will also analyze candidates and match them against job requirements to determine a probability of success. This helps screen and prioritize candidates.
Best of all, the PDQAPP cognitive AI has been trained to spot fakes. It will generate a detailed report noting why a LinkedIn profile might be suspicious from a security standpoint, or might contain questionable information that could point to honesty and trust issues. Deloitte studies show that firms with high-trust employees drive 400 percent more performance and 79 percent more productivity. RemotelyMe’s PDQAPP pre-assessment can help flag potential trust issues, and their full 9-minute visual neuroscience assessments can provide an accurate trust factor score to help you avoid bad hires.
If you’re a CISO, you might want to consider mandating that all recruiters use the RemotelyMe PDQAPP. Otherwise, all the tens of millions you spent on cybersecurity software will be useless if one recruiter clicks on a malicious resume.
Recruiters Expose Firms to Ransomware Risks. You don't want to be one or have one.
William Craig Reed is with RemotelyMe.com, which offers the only visual neuroscience assessments. Reed is also the New York Times bestselling author of The 7 Secrets of Neuron Leadership and Start With Who, which Ken Blanchard, co-author of The New One Minute Manager, calls “thought-provoking.”