Beware This Hot New Scam: LinkedIn Job Hunt Takes a Sharp Detour Into Attempted Bank Emptying

phishing graphic, email symbol on a laptop

Saw this post on r/accounting and while I know some of you feel a certain type of way about using Reddit for “content” it felt important to pass along to any of you looking for a job in this not-so-great market.

TLDR is this: OP applied for a remote accounting job on LinkedIn, the business name checked out and the account that posted it looked legit. During the initial interview process they were sent what they thought was a meeting link that ended up being malware (yes, she realizes this is where she f’d up). From there, the scammers attempted to use their access to OP’s computer to do all kinds of naughty stuff with her and her husband’s bank accounts, Zelle, and Gmail. Those attempts were thankfully thwarted.

The craziest part is that this wasn’t some wholly made-up company, the scammers co-opted an established brand that had closed just enough to make it look like they were one in the same. Business impersonation scams have been going on for a while now but this one is pretty elaborate compared to your usual “Hello this is the government kindly send $5000 in Google Play cards immediately” scam.

The post:

This is a long story that I’m still processing but wanted to post a warning to others. I’m sure some people will think I’m stupid but I’m generally very cautious. Sorry for it being disorganized.

I got hacked by a job, to the point where they got into my husband’s and my bank accounts. It was an accounting job on LinkedIn. It was a promoted job, posted by a paid account with followers etc. It’s a legitimate business in my state and I googled them and looked them up on the secretary of state website. This is a small business so there’s no careers page. I know that’s advice a lot of people give to avoid scams but small businesses don’t usually have them.

This person/company have posted accounting jobs 4 weeks in a row, all open remotely, with different titles and salaries. For what it’s worth I’m a CPA and I saw them post bookkeeper, staff accountant, controller and CPA roles.

Anyway, later after applying I received an email from the operations manager telling me thanks for applying, they’re reviewing resumes, and here’s the website link. The link was the one I found before when searching.

Then the poster emailed me saying they wanted to set up an interview and laid out the process. 1) Schedule via their calendly link, then 2) I’d be invited to a private slack channel for final details etc. This actually matched a legitimate process I’d seen before so I didn’t see any red flags.

They sent me the link in the Slack interview to join the call. I shouldn’t have clicked on it but it didn’t feel like a suspicious link because it was from someone I had communicated with, and was expecting a link.

It downloaded something that said Zoo Google Meet [Ed. note: OP later clarified it was called Zoho Google Meet, not Zoo]. After it downloaded, my paid Malware Bytes said it was malware but it was too late. I uninstalled it but didn’t realize it had installed other crazy things that allowed it to access my computer.

I use 1password for password manager but I had a handful of passwords in Google password manager that must have been added accidentally but I think this is where they got access to two of our accounts.

They spammed me and my husband on separate days with texts (to hopefully hide the text from the bank saying that something had been changed). The MFA phone number on those two banks had been changed. I assume they were able to override it due to having access to my computer. For my husband’s account, they added a Zelle recipient. For me, they set up a bank rule in my Gmail sending all notifications from the bank to my trash.

They didn’t transfer money and my current understanding is that it often gets flagged as fraud if they do it the same day, so they try to prevent you from noticing things were changed and then go in later.

After the fact, I realized the real business had recently closed and their website no longer existed. These people had registered a new domain one month ago that showed up first in search engines when you googled them. It had an extra s in the name, let’s say XYZ constructionS.com instead of construction. But since it matched that first Google result, I wasn’t suspicious. It also was the URL in the company page on LinkedIn.

I reported the job and poster to linked in many times and they did nothing and said there was nothing suspicious but I finally got a human to review who said there was suspicious activity and removed it.

I had to spend six hours on with an IT person getting rid of the malware.

Anyway, there are obviously mistakes I made, the biggest one was clicking on the link. But again it wasn’t a “suspicious link” in the way people say – it was an expected link.

Things I learned:

Def no Google/browser password manager

Google the actual domain – copy and paste it to see when it was registered.

Check your trash email regularly.

Don’t be complacent about using unique passwords and MFA though it can be overridden.

Look up the fraud line specifically for your financial institutions and put them in your phone because it’s stressful to think of when you were already hacked.

Just because someone has a legit LinkedIn account and paid posting doesn’t mean it’s legitimate.

Even if you’re expecting a link, right click on it and run it through a URL tester (I actually did this after and it said it was safe so maybe only works on better known schemes)

Make everything as difficult to login to as possible. Don’t save login lessons even on trusted devices. It’s annoying but could protect you.

I’m sure there’s more – I’m still dealing with it two weeks later. Just wanted to share so it helps even one person learn from my mistakes. I think they’re targeting accountants hoping we have access to more logins.

Feel free to ask me anything because I know this was chaotic

ETA: They had also changed the LinkedIn company’s URL on the LinkedIn page, had a branded Calendly, and hosted email signatures.

Be careful out there, everyone. And maybe use a clean or virtual PC when job hunting just to be extra safe.

Leave a Reply

Your email address will not be published. Required fields are marked *