As U.S. employers gear up for holiday season hiring so, too, do scammers.
The fall seasonal hiring period likely will lead to a surge in identity fraud targeting job applicants, according to employee screening and consumer fraud experts.
Fake job listings and bogus websites are among their most common tools. Legitimate employers also are being warned to take extra precautions. Unscrupulous employees can steal personal information of applicants or employees. And personal data left unguarded can tempt even hitherto honest employees, experts say.
“The biggest problem we see is online job scams,” said Nikki Junker, social media manager for the nonprofit Identity Theft Resource Center.
“It’s just very risky applying for a job online,” says Will Marling, executive director of the nonprofit National Organization for Victim Assistance. “You think you are going to a legitimate site, but you could be ‘click-jacked’ ”—taken to a site where your data is stolen.
“A lot of times potential employees are desperate. They will put anything down [on an application] if they think it will help them,” said Mari J. Frank, a privacy attorney, consultant and mediator.
Identity theft is the top source of consumer fraud in the U.S., according to the Federal Trade Commission. The agency says that about 9 million people have their identity stolen each year, typically when someone obtains another person’s Social Security number and credit card number and impersonates the victim for improper purposes.
“A Social Security number is worth a lot of money on the black market,” said Jason Morris, president and COO of screening firm EmployeeScreen IQ.
Often, identity theft victims do not know about the breaches until many months later; some never know. And even those who discover the problem aren’t always sure how it occurred.
“The reality is that we give people our personal information every day,” said Marling.
Eight percent of identity theft reported in the U.S. in 2011 was employment-related, according to the FTC. Experts say that a significant share of identity fraud is never reported to authorities.
Data Protections, Training Needed
For employers, having strong policies on data protection is not enough.
“The policies have to be taken very seriously,” said Marling. “What if you have a rogue employee or inadequate safeguards?”
Employees in IT or accounting might gain access to applicant or employee information that could be misused, said Robert Capwell, chief knowledge officer of Employment Background Investigations, Inc., a screening firm. “Anyone with access to personal data should be properly screened.”
“Keep passwords segregated too so that the information is available only to those who really need it,” advised Junker.
“I think HR professionals understand the problem,” Morris said. “But HR needs to explain the repercussions” of a breach to all employees—even the night cleaning crew, he said. “It just takes one time.”
Screeners and HR experts offer the following tips for HR to minimize the risk that employees’ or job applicants’ personal data will be misused:
- Collect only essential personal information.
- In personnel files, do not keep medical records, EEO data, immigration forms, safety training records, and information obtained from background investigations and reference checks.
- Keep personal employee and customer data locked up at all times.
- Shred unneeded information on former employees, including temps and contract workers.
- Avoid using Social Security numbers to identify employees and customers.
- Have a plan and act quickly if data is compromised.
Employers face liability, too. Lawsuits filed against employers for negligence in handling personal data have resulted in mixed verdicts. However, the FTC and other authorities can launch investigations and levy fines. And in many countries, notably Europe, identity theft and improper safekeeping of personal information can draw severe penalties.
“HR departments really need to get training in data protection,” said Frank.
“Employers need to ask themselves: What do we need this information for? How are we protecting this information? What do we need to do to archive or destroy it?” said Marling.