Scammers use fake job vacancies to steal data

People who are looking to get back into the job market have become the target of scammers who use fake job vacancies to steal personal data and hijack social network accounts.

That’s what happened to finance executive Rodrigo Barbosa, who was in a career transition.

“A guy with a strong English accent called me with a job opportunity. Excellent salary, possibility of growth and even moving abroad. He set up a Skype meeting, repeated the positive aspects of the vacancy and, at the end, sent me a link to register and share the generated security code. I ended the call instantly,” he says.

Barbosa says that the alleged recruiter still tried to get back in touch, but that he made it clear that he was no longer interested.

“He even said that I would need to pay R$500 to cover preliminary expenses, without explaining what they were exactly. When I asked how he had found me, he only said that it was through LinkedIn and quickly changed the subject.”

The security code scam is used to hijack the user’s social networks.

By passing on this code, believing it to be an identifier related to the selection process, the person allows the scammer to take control of their profile and use it to try to deceive the account holder’s contacts, for example with false requests for money.

Another very common action is “phishing”, in which the scammer sends the recipient a fake email pretending to be a real company. The malicious link redirects the victim to a replica of the real website in order to trick them into logging in and thus having their credentials and data stolen.

“Phishing scams give cybercriminals the opportunity to use the reputation of trusted brands to give users a false sense of security and thus steal personal or business information for financial gain,” says Omer Dembinsky, data manager at Check Point Software, a provider of cybersecurity solutions.

He advises consumers to tread carefully and be on the lookout for telltale signs of a fake email, such as bad grammar, misspellings, or strange domain names. “When in doubt, go to the brand’s own website rather than clicking on any links.”

One way for candidates to protect themselves from leaks is to rely on the LGPD (General Data Protection Law). In force since 2020, one of its principles is transparency, guaranteeing citizens access to “clear, accurate and easily accessible information” regarding the treatment that platforms and companies give to their personal data.

In the case of job seekers, the points that deserve attention are recruitment sites and online talent banks, which ask for information such as CPF and cell phone number.

It is also up to the company or platform to explain the purpose of this information, inform where it is stored, for how long, under whose responsibility and what measures are taken to prevent leaks and access by unauthorized persons.

However, this clarity does not always occur. It is common to find complicated legal language that is difficult to understand in the privacy and data protection sections of websites. Users also face another difficulty: the lack of direct communication by companies in the event of a leak.

Isabelly Leão, a lawyer specializing in privacy and data protection, says that, in these cases, the platform must notify its users directly. “In a notification email, the company must narrate the security incident and demonstrate that it is taking (or has taken) all necessary measures to cause as little harm as possible.”

“[In the event of a leak] The data subject can file a complaint directly with the ANPD [Autoridade Nacional de Proteção de Dados] and the company can also be reported by one of its employees,” says Isabelly. The ANPD has a dedicated channel for receiving complaints through the website anpd.gov.br.

The request for the deletion of personal data from the platforms can be time consuming.

This is because, in many cases, the information may have been downloaded by external recruiters, which forces the person to contact each of them to have their request fulfilled.

Faced with this scenario, Isabelly recommends contacting the person in charge of data at the main company and thus obtaining all the information you need. According to her, it is up to this professional to send a document, signed and dated by him, stating that the information is no longer in the database.

“The problem is that this access is not always clearly indicated on the organizations’ websites”, says the lawyer.

What HR companies can and cannot do with user data

Can the company keep the candidate’s resume/data indefinitely even after the selection process is closed? No. When starting the selection process, the company must inform the candidates how long it will keep these CVs. It is a preventive measure not only for the data subject, but also for the company itself.

Can HR collect sensitive user data? Yes, the LGPD does not prohibit it. The collection of sensitive data will depend on the purpose for which it will be used. An example is a model casting call that needs information about racial or ethnic origin to select professionals according to the event to be held.

Can the candidate demand information from HR about the treatment and protection of data when there is no information about this on the platform? Yes. The candidate, that is, the data subject, can request information about the privacy policy and the processing of personal data. It is a right provided for in the LGPD.

In relation to data leaks, what legal measures can the candidate take? This is a situation still under debate in Brazil, because there are differences in the Judiciary on the subject. The data subject whose data has been leaked can, by law, go to court, but the Judiciary will require him to prove the damage (moral or financial) and that it is damage that can be repaired.

Can the candidate revoke their permission and ask the recruiting company to delete their data? How can he be sure this was done? Yes. It is one of the rights provided for by the LGPD. The person in charge of company data will send a document, signed and dated by him, stating that the user’s personal data is no longer in the controller’s database.

Does this document protect the user from leaks? If the company suffers a hacker attack, the document will not protect the holder’s data (if it has not been deleted), which can still be accessed. This document, on the other hand, will serve as evidence to hold the controller and the person responsible accountable for possible damages.
