Bring hiring scams into your corporate deception training

by Black Hat Middle East and Africa

Expand your perspective and build greater resilience with insights and inspiration from the global Black Hat MEA community. 

This week we’re focused on…

The psychology of hiring scams – and what it teaches us about trust. 

Because if you ever needed proof that humans are the most complex part of the security stack, look no further than a job board. 

A recent report from PasswordManager.com shows that six in ten American job seekers encountered fake job postings or recruiters during their search. Four in ten of them fell for the ruse – 30% replied to fake recruiters, and 26% actually applied for entirely fabricated roles. 

Three quarters of those victims lost money (a quarter lost over $2,000). 

We know this isn’t a very uplifting read. But what’s playing out in public job markets is the same emotional calculus that decides whether someone in your organisation clicks a malicious link. There’s hope, urgency, the fear of missing out. And every CISO can learn something from the success of these social engineering scams against job hunters. 

When trust becomes the exploit 

Instead of blaming people for falling for scams like this, we have to recognise those emotional levers that malicious actors are using. 

The promise of a new start, or of a great job in a tough market, overrides the cautious training we all think we’ve internalised. Red-team operators simulate that tension every day inside companies. The difference here is that the targets are ordinary people, outside any awareness programme, running on trust and adrenaline.

For CISOs, that should trigger a rethink. Awareness training that advises people not to click links from unknown sources misses the point – because real attackers craft pretexts that sound kind, and that play on the emotional context of their targets. And they play the long game; the kind of social engineering that builds piece by piece, and can’t be caught with a link scanner.

So you need to craft training that feels real (not routine) 

Training needs to feel real and relevant. And reading the latest surveys and studies, then building them into your training modules, is a straightforward way to do that. 

Use the research to understand what is happening right now, then use your creativity to connect it back to your audience, so that your training content matters to them.

Build phishing simulations that mirror today’s lures – HR updates, conference invites, job offers. Replace corporate jargon with the language your people actually hear in their inboxes. When they see a real-world tactic, they’ll remember the story behind it (they won’t remember a checklist exercise). 

Next, teach emotional awareness, not just technical hygiene. The job scam victims in the report didn’t lose because they missed a red flag, and as a cybersecurity leader, you have to acknowledge that. They lost because the flag was wrapped in a compliment, a deadline or a dream. Help your teams learn to recognise those emotional cues.

Run red team exercises where stress and hope are part of the design.

Connect personal scams to professional resilience 

And finally, make links between people’s personal experiences and their professional ones. 

When an employee gets scammed in their private life, that erosion of confidence comes with them through the office door. Bring consumer scams into your internal briefings. Show empathy first, then education. If you can bridge the gap between personal vulnerability and your organisation’s vulnerability, you’re much more likely to end up with a team that really understands the role they play in your overall security posture. 

Attackers don’t need zero days when they have human hope. So as a CISO, you have to understand what motivates your people; and work with them to stay safe. 

We want to know what you think

Why are a growing number of threat actors targeting job seekers – and why is this kind of social engineering attack so effective? We want your perspective.
