Photo courtesy of

Fraudulent job postings targeting students: “Craziest fu**ing job I’ve ever had”

Posted October 12, 2018 by

A handshake. It seems so simple. So cordial. So harmless. Unless it is a job posted to Handshake. Maybe. Sometimes. Allow me to explain.

Today’s Community Digest e-newsletter from the National Association of Colleges and Employers (NACE) included a question from Shannon Schwaebler, Director of Career Services at Northeastern State University. She asked if her fellow subscribers, “would be open to sharing their policies for approving employer accounts through Handshake. We were forwarded this Inside Higher Ed article and want to make sure we have adequate policies in place to avoid this happening. We currently have processes we go through for 3rd party recruiters, utilize the trust score, etc. but are curious if anyone has written out processes they are proud of that we could take a look at. Our office wants to make sure there aren’t things we aren’t considering through the process that could be dangerous to our students.”

Hmmmm. What’s this article that Shannon references? Well, I bet that most of the subscribers didn’t open the e-newsletter at all and most of those who did only skimmed it and so missed a nugget that could potentially upend a key way that students and recent graduates of one-, two-, and four-year colleges find part-time, seasonal, internship, and entry-level jobs. Perhaps a little context would be of benefit here.

There are approximately 7,400 colleges and universities in the U.S., including about 3,000 four-year schools. As is the case with most things in life, the 80-20 rule applies. In this case, about 80 percent of students attend about 20 percent of the schools as you have a relatively small number of schools which are far larger than most. For every school with tens of thousands of students, there are dozens of schools with hundreds.

Most of the schools and all of the larger schools allow employers to advertise their job openings on the websites of the college career service offices. Some of the schools have home-grown job search software but most have outsourced that to companies like Symplicity (which operates NACElink on behalf of NACE), Gradleaders, Purple Briefcase, College Central Network, 12Twenty, CareerConext, and Handshake. These companies provide a variety of services to their career service office customers, but core to their offerings is essentially a job board that is typically accessible only by students and sometimes graduates of the school. Some of these networks and the schools they power charge a fee to employers to post a job and some do not.

Of all of the networks, the one that has grabbed the most attention over the past few years has been Handshake. They’ve raised $34 million in venture money and, as a result of the source of those funds, are under pressure to grow quickly. Grow, grow, grow. That’s the mantra in Silicon Valley and, from my discussions with a number of employees at Handshake, that’s their culture. I think that it is safe to opine that there is a strong libertarian streak amongst VC-funded, Silicon Valley, tech companies. Now, I’m sure the good folks at Handshake would dispute that they suffer from this mentality, but I’ve heard a number of insiders at tech companies admit that their executives are sociopaths. Their lack of empathy may be distressing to most, but it is also a key reason why they’re able to succeed where others fail because a sociopath will aggressively charge ahead regardless of the consequences to those around her, which is a pretty good character trait to have when you’re burning cash and that cash belongs to a VC that continually reminds you that they don’t care if 19 of their 20 investments fail as long as the one is a home run.

So, what’s that got to do with fraudulent job postings? I digress, you think? Not in the slightest. Patience, my friend. We’re getting there.

A dirty, dark, secret within the job board industry is that the vast majority of job boards are, at best, only reactive to fraudulent job postings. Tell us about a posting that you think is fraudulent and we’ll investigate, maybe, and inactivate it, maybe. As we saw with Facebook during the 2016 election, that’s all fine and dandy, but the damage has already been done. You cannot unring the bell. If you’re the candidate who came upon a fraudulent posting, agreed to work for an overseas company, and agreed to be paid via direct deposit like most workers are only to discover that the overseas company emptied your bank account and there’s not a damned thing you can do about it, well, the fact that the job board later took down that fraudulent posting isn’t going to be of much comfort, is it?

What most job boards do about fraudulent job postings is wait for job seekers to complain about them and then take action. To compound that problem, many and probably most job boards share postings. If an employer posts a job to job board A, that job board will likely send the posting to job board B and pay job board B a share of the revenue. Between the two sites, the employer will hopefully receive enough applications that it is happy. If all of the applications came from only site A, the employer would receive fewer applications, be less happy, and be less likely to renew. Similarly, if job seekers on job board B only had access to jobs posted directly to job board B, they’d have fewer postings to review and be less likely to find one of interest. If they don’t find one of interest, they’re less likely to come back and if they don’t come back, job board B has one fewer candidate to send to its own employer customers.

Some job boards, including College Recruiter, proactively review employers as they register and the jobs as they’re being posted in an effort to prevent any candidate — even one — from being victimized. Are we perfect? Hell, no. But do we bust our asses trying to be? Hell, yes. One of our managers, Dani Bennett-Danek, started off with us as a customer service representative before being promoted to customer service manager and then to vice president of operations. From the beginning, one of her areas of accountability has been to prevent fraudulent postings. She has a theatre major and so can be effectively dramatic at times. On a number of occasions when describing the latest (and almost always unsuccessful) fraud attempt, she’s exclaimed, “This is the craziest fu**ing job I’ve ever had!” Remember, theatre major. Working for a frickin’ job board is crazier than working in a theatre. Damn.

A decade ago, the bogus employers trying to post jobs to our site and others were pretty darned unsophisticated. They’d use Gmail and other free email addresses. They’d use 123 Main Street for their address. Their IP address would show them as being located in Latvia but they’d use credit cards belonging to Americans. We were playing a game of cat and mouse with them, but we were a leopard and they had already suffered a broken leg from being caught in a mouse trap. It wasn’t exciting or fun, but it was satisfying to beat those bastards down.

Fast forward to about four or five years ago. Suddenly, the fraudsters as we like to call them became more sophisticated. Instead of registering with clearly bogus company names, they’d register using the actual company names of real, well-known employers. Then they started to also register using the names of real employees at those employers so if we looked up the person on LinkedIn, we’d find them. They also started to create copies of the websites of these employers under domain names that were almost identical to the domains of the real employers. Instead of registering as an employee of Apple Inc. with an email address of, they’d register as that employee but with an email address of To the uninitiated or hurried, the registration looked valid, the employer would be allowed to register, pay, post, and steal the identity of candidates. In short, these fraudsters were stealing the identities of some of the best-known employers in the world in order to steal the identities and empty the bank accounts of tens and probably hundreds of thousands and perhaps even millions of job seekers worldwide.

College Recruiter has been, almost since day one, an active member of The Association for Talent Acquisition Solutions (TAtech), our industry trade association. Several years ago, the Association began to grapple with the issue of fraudulent job postings. Formally and informally, members have shared tips and tricks. We shared that we had found that no legitimate employer would only have a Gmail or other free email address and so we blocked all of those attempted registrations and reduced fraud that way. Others copied. That’s great. A hot topic of conversation for the past few years has been around the above-described employer identity theft, how to find it, and what to do about it. Considered individually, one might be able to have a pretty good track record at sniffing out these fraudsters, but job boards like College Recruiter have tens to hundreds of thousands of new jobs being posted A DAY, so manually digging into each and every registration and each and every job simply isn’t feasible. Some automation is critical so that folks like Dani can focus their attention just on the jobs and employers which are most likely to be fraudulent.

I trust that you’ll agree that some job boards are doing a great job of preventing fraudulent postings and getting rid of those which fall through the cracks. I hope you’ll agree that College Recruiter is one of those. But the point of this article isn’t about College Recruiter. It is about the job boards being run by most of the 7,400 colleges and universities in the country. Shannon’s seemingly innocuous question sent me to the Inside Higher Ed article, and that sent me to my keyboard to write this article. In short, the colleges and universities and the software companies they work with should be ashamed of their callous disregard for the students they serve.

According to the article by student reporter Jeremy Bauer-Wolf, “It took Jennifer West less than two hours to create a fake company on Handshake, the fast-growing career-services platform, and then advertise a bogus social media internship at the University of Delaware, which she attends.” West’s motivation came because she had been victimized by an employer that advertised a bogus internship on her school’s career site, which was powered by Handshake. After she logged into her university’s website, after she accessed the career service office job board, after she searched the job openings on that site, after she applied to a job, and after she was interviewed she was told that the employer had been flagged by the university as a fraudulent company.

“West remained curious about how thoroughly the institution was evaluating the companies that used Handshake, which allows employers both big and small to advertise at colleges and universities across the country.” She “interviewed Delaware’s Career Services Center for an article for the student newspaper about her fake internship experience, she was told that staffers there check for a legitimate email and phone number and a career-services page on a company website.”

West decided to take her career service office at their word and registered with Handshake as an employer using an email, phone number, and company that she made up. Handshake allowed her to send a request to her career service office site to advertise a job opening. Quickly, she was approved. Pretty clearly, the career service office did not check to see if her email and phone number were legitimate, despite what they had just told her on the record for her article. Now, before you start pointing the finger at Handshake or the University of Delaware, keep in mind that this is but an example. The same callous disregard is being displayed by software providers and higher education institutions across the country. The same fraudulent practices that the job board industry ferreted out years ago and which sites like College Recruiter routinely discover are deemed by these much larger, much better-funded organizations, apparently, as so unimportant that they merit little to no attention.

But wait. It gets worse. West “discovered she could request students’ résumés, cover letters and university transcripts, which would reveal to her students’ personal information, including grades. Shocked at the level of information she could access, West nixed the post.” I say (write?) again, transcripts. A student, likely with little to no experience in committing fraud and almost certainly no ties to international, organized crime was able, within minutes, to gain access to the transcripts of her fellow students. Transcripts. That’s just insane.

Bauer-Wolf reached out to the University of Delaware’s career service office. Their solution? According to the director of its career service office, Nathan Elton, “the university will now check the businesses licenses for every employer that wants to use Handshake.” Sound good? Yeah, we thought so too. About a decade ago. Put yourself in the shoes of, oh, maybe a manager of a large institution. Maybe even a university? Maybe the manager even oversees the career service office? Say you’re representing a legitimate organization and are a legitimate employer and you want to post a legitimate ad. You’re deciding between two media options, one of which is a job board operated by a VC-funded software company that doesn’t require you to jump through a bunch of hoops to post your job and get back to your work and the second is a job board that requires you to dig out your organization’s business license. Do you even know that your organization has a business license? Who do you contact to get a copy? How long will it take to get that? Do you need permission to upload it to some site that maybe you’ve used and maybe you haven’t? And then what? Does that site take an hour, a day, a week, or a month to review it before you can post your job? Forget it. You’re going to choose the path of least resistance by posting your job where it is easiest to post. Sorry, Nathan. Your motives are good but your plan isn’t feasible. Been there, done that. Trust me, when you find out that the employers you most care about are the least likely to advertise because of the flaming hoops you’ve created for them to jump through, you’re going to need to make some adjustments. Been there, done that.

Lest you think that the University of Delaware cares so deeply about the welfare of its students who are paying hundreds of thousands of dollars for a degree that it is investing money and other resources to do what it can to prevent more fraud from being committed through the services that it offers, have a look at the disclaimer that appears on its career service office site:

The university does not endorse or recommend employers, and a posting does not constitute an endorsement or recommendation. The university explicitly makes no representations or guarantees about job listings or the accuracy of the information provided by the employer. The university is not responsible for safety, wages, working conditions, or any other aspect of off-campus employment without limitation. It is the responsibility of students to perform due diligence in researching employers when applying for or accepting private, off-campus employment and to thoroughly research the facts and reputation of each organization to which they are applying. Students should be prudent and use common sense and caution when applying for or accepting any position.

In short, U of Delaware’s lawyers are welcoming its students to the Wild West, where anything goes and the school is unwilling to take any responsibility for anything that may happen through the services that it provides. Surely, if a student were mugged on campus and their wallet stolen, the university would take enough responsibility to install lights and security alarms to try to prevent a future, similar mugging. Why is cybertheft treated differently?

Again, this isn’t a slam against Nathan or his office or his school or his software provider. Not at all. Their actions are symptomatic of an entire industry built upon sociopathic tech companies that care far more about scaling up and successfully exiting than the occasional student whose name, address, phone number, email address, work history, educational background, and frickin’ transcript are stolen by some organized crime organization operating out of Latvia. Oh, wait, did I write “occasional”? Is it really occasional?

According to the Inside Higher Ed article, in 2017, about 200,000 employers advertised on Handshake, and about 0.4 percent of them were flagged as fraudulent. In addition, another 100,000 “engaged” with the Handshake community, probably meaning that they searched resumes posted by students. Let’s get real stupid and assume that not a single one of the 100,000 searching resumes were fraudsters. If 200,000 employers advertised on Handshake and 0.4 percent of them were flagged as fraudulent, that means that 8,000 (!) apparent fraudsters managed to get by Handshake’s anti-fraud measures and successfully advertised jobs. Of course, that does not include the number of fraudsters who did the same on the other sites that power other career service office job boards. And it also doesn’t include the, ahem, employers who posted fraudulent jobs but whose jobs weren’t flagged as fraudulent. How many of those were there? Bueller? Bueller?

So, aside from getting more and more pissed off at the absolutely awful people who prey on job seekers, what am I trying to do here? Hopefully, one or more of these software companies or the thousands of schools they work with will wake up and realize that it makes no economic sense for a handful of companies to shift from themselves the work of making real, impactful, proactive fraud prevention efforts to their thousands of school customers. Nor does it make sense for thousands of colleges to shift from themselves the work of making real, impactful, proactive fraud prevention efforts to their millions of students. The software companies are in a better position to prevent this fraud than the schools, the schools are in a better position to prevent this fraud than the students, and yet the students are the ones left holding the bag. And the empty bank accounts. And the stolen identities.

Something that Silicon Valley, VC-funded, tech companies are really, really good at is privatizing profits and socializing losses. If their software succeeds in generating a lot of money, that money goes to the investors. But if their software succeeds in destroying a lot of lives, that destruction, in this case, is being inflicted upon a whole lot of 18- to 22-year-old young adults who are far less likely to have the tools and other resources to determine which jobs are real and which are fraudulent.

Shit rolls downhill, folks. Clean it up at the top, and you’ll have a much cleaner hill and a much less disgusting environment in which to live.

Print Friendly, PDF & Email

Posted in Advice for Employers and Recruiters, Career Advice for Job Seekers, Industry News and Information | Tagged Tagged , , , , , , , , , , , , , , , , , , ,