5 Ways to Spot a Scam

Posted on August 27th, 2009 by dave

I received another convincing phishing attempt today, this one was from someone claiming to be CareerBuilder. It was the first email I read this morning and in my sleepy haze, was thinking, “Well, finally!” I almost hit the link. Here is the screen shot.

Click to Enlarge

While it looks great, very convincing, the text reads like a google translation, or worse since the translator usually gets the punctuation right.

The url in the download link is to a site the could be easily mistaken for something belonging to CareerBuilder. Most likely whatever it is malware of some sort. It’s certainly not security software — trust certificates are installed by visiting the site with trust, not through a download. Since most malware is written for Windows, it’s unlikely that it could have effected a change on my computer (a Mac) but there is no guarantee on that.

The link also contains a hash (a long string of letters and number) that could be used to uniquely identify my computer on the internet. So, just clicking the link could tell these people (destined for the “Special Place”) that my email address is valid, and then do whatever they want with that information, like spam me, or sell my address to spammers.

Tips for detecting a phishing attempt:

• Double-check the sending address, this one was mailed from a gmail.com account. It should have been from someone at careerbuilder.com. Except no substitutes, as they used to say. The email address can be faked (spoofed) so having the correct address is not a guarantee, having the wrong one is an indication of fraud.
• Read the text. Many of the scams originate from Russia, The Ukraine and Somalia (to name a few) and English is not the first language. So unclear phrases, misspellings, and missing or misused punctuation should all set off an alarm in your head. Not having mistakes is not a guarantee of validity.
• Reputable organizations with an online presence avoid technobable when communicating with you. They take the time to explain themselves clearly and in very few words. Scammers tend to use more technobable or wordy explanations. Phrases like analyze of client side contents and Security Certificates are jibberish. It might sound valid, but if what is happening is not crystal clear to you, then don’t believe it. This scam was almost believable partly because it was so brief. That’s usually not the case.
• Check the download link. By hovering your mouse over the link, the address will appear either in a tooltip or on the status bar at the bottom of the screen. (If your mail client doesn’t do this, consider upgrading or finding a new mail application.) This link went to a file at cb-downloads.com so I wasn’t convinced it was from CareerBuilder. In fact, if you are over 30 (I am) and don’t know what LOL means, you probably shouldn’t ever click anything.
• Notice this one gives me only five days to comply. Organizations typically have a roll-out plan to migrate their users to the new system. A roll-out usually starts with one or more messages announcing the upcoming changes and what steps you will need to take, weeks in advance. Scammers can’t afford to give advance notice or they will be discovered. So, if this is the first you’ve heard of the change, it’s probably not real.  Secondly, a rollout is usually engineered so there is little or nothing to do at your end, it happens automatically. If there is anything you need to do, it would have been mentioned in the announcements.

One last thing. Despite my precautions there is still a chance the scammer has my IP address. You will notice there are pictures in the email. These pictures are downloaded from the scammer’s server and when that happens, my computer connects to their server and they exchange a bit of information, enough information that they can uniquely identify my computer. To avoid this type of attack, online services like GMail hide the graphics unless you give the sender the thumbs up. Only then does your computer talk to the server (and sometimes not even then). Most email clients like Outlook and Mail.app have options that can hide the graphics or turn off HTML mail (which converts it into plain text, and that can look ugly but at least it’s safe).

Monster Has Privacy

Posted on August 24th, 2009 by dave

I’ve decided keep my Monster account because it DOES support privacy features.

As previously mentioned, I requested Monster cancel my account. The response came in about an hour. I learned at that time of the different privacy settings.

The “resume status” (as it’s called on Monster) can be set in Preferences. Each resume has a different “status”, which can be Public, Confidential (no contact information or current employer), or Private.

This gives Monster the same level of privacy as CareerBuilder.com. However, the odd location and naming supports my comments about the site quality.

(Not) Dropping Monster

Posted on August 24th, 2009 by dave

Out of concerns for my identity, I have decided to drop my Monster account and have requested they cancel my profile (there is no way to do this online).

The reason is I received a very convincing phishing email today as a result of my Monster profile. It read like a detailed job description, clearly stating compensation and describing the job duties. In the end, it turned out to be a scam to get credit card information.

Read the rest of this entry »

The Big 3 Job Sites (and 3 Little Ones)

Posted on August 21st, 2009 by dave

I’ve spent several weeks working with the “Big 3″ online job resources and have been comparing them on a number of fronts. All three have strengths, most have weaknesses but each is better suited to a niche. Here they are listed in order of my preference.

CareerBuilder.com — The website is the easiest to use, most stable and has the most complete set of search features. I also find that it has close to the best quality of job listings. I have, however, received a few spams from companies that use their site to blast out mails to anyone who applies regardless of their qualifications. For instance, one mail I received (twice so far) is for a “broker” who needs employees for cold calling potential clients. This was not targeted at me, just a shot gun and a waste of time. Despite this, I’d give CareerBuilder the number 1 spot. It’s truly aimed at people seeking improve their career and not just trying to find a job.

Monster.com — Currently, Monster is the buggiest site. In fact, I couldn’t even sign up while using FireFox (I had to switch to Safari, I use a Mac). Many times, I’d get only a partial page or lines and lines of SQL or javascript errors spewing onto the bottom of screen. It lacks some privacy features that CareerBuilder.com has* and the job quality is only slightly higher than CraigsList.com, which is to say fairly low. On the plus side, Monster.com has a lot of resources to assist you in writing resumes, preparing for interviews, and choosing careers in the Resources section. However, I found them to be poorly organized and pedestrian in content. The biggest benefit of Monster.com is it’s name — of the Big 3, it’s the best advertised and best known, so if you’re looking to get your name in front of as many people as possible, Monster’s the place. (I just wish they’d clean up their site.)

CraigsList.com — This site is the easiest and quickest to use, so I use it most often. However, the quality of jobs posted there is quite low. I’ve found there are several great jobs listed every week, in fact I found my top pick there, but you need to kiss a lot of frogs, as they say. For a tech-head like me, frogs mean pre-money start-ups (not pre-IPO like in the good ol’ days) looking for a senior developer or intern who will design, code and test the back-end and customer facing front-end on their new killer stealth social networking site or top secret Facebook app for future pay and benefits. When I read phrases like that, I immediately think “high school kid in his basement”. However, that’s also the beauty of it. Since job posts on CraigsList are, well, posts on CraigsList you’re guaranteed to get an ultra fast response. I imagine that if you are looking for someone who can start in 15 minutes, it’s the place to post. If you are a job seeker, you’re likely the last of 10,000 people to see the post.

A couple of other new (to me) sites have piqued my interest because they are more nichey than the others. This helps drill down to better matches much quicker than searching the other sites. Also, because they aren’t as well known, I’m fairly certain I’m the same size fish in a smaller pond.

USAJobs.gov — This isn’t one of the Big 3 because it’s not available to everyone. However, because I’m a recent Peace Corps returnee, I get a special “non-compete elegibility” status with the Feds that makes it easier to get interviews in government organizations. The site is easy to search and the details on job openings are quite clear and more detailed than any of the other sites. Furthermore, the quality of jobs is outstanding since only the government or organizations that directly serve the government can use the service to post openings. I’d put USAJobs right in there with CareerBuilder for site and job quality.

CGCareers.com (Common Good Careers) I found through CraigsList. It’s not a site as much as it is a service, though the site does have the current openings listed. Common Good matches non-profit organization with high caliber talent for any imaginable positions. They have an interesting mission and one that best suits my desires in a career currently, which is why the hiring organizations of my top two choices are working through Common Good.

VirtualVocations.com is just what it sounds like: you can search for jobs that can be worked full or part-time from home. I found this site through a LinkedIn contact. For that reason, I can give it a thumbs up on reputation. I can also say the site is easy to use and is rather sparse graphically ala CraigsList, so there is more information on the screen and less to go wrong cross-browser-wise.  Since, I’d prefer a job with a little travel, staying at home definitely isn’t for me, but it sounds like a good idea for a lot of people. I was surprised to see the number and breadth of telecommutable jobs available.

The point is, if you have a special need in a job, there is probably a site out there to help you find one. The Big 3 aren’t the only games in town.

*UPDATE: Monster DOES have privacy features. They are just not obvious.