This story is part of our January 2026 issue. To read the print version, click here.

Our company is being used for a scam. The scammers pose as our company and try to get people to “apply” for a job, but it’s all a fraudulent attempt to get Social Security numbers and such. We even had our Handshake account hacked by them, which resulted in us being locked out. So far, between advice from Google and my IT team, we can shut down this instance (nothing stopping the bad actors from starting another), and we can put out messaging on our socials and website. What else can we do?

I’m so sorry. I think there’s a special place in hell reserved for these scammers. People who are out of work spend time, effort and, often, money to apply and interview for a nonexistent job, only to have their personal information or identity stolen. And you get a bad reputation as well. It’s horrifying.

As far as I know, Google and IT are right, and these scammers are like whack-a-mole: You smack one down, and another pops up in its place.

I reached out to Mike Coffey, HR security expert and president of Imperative, a comprehensive background check service. He confirmed what you already know: You have to tackle each scam when it pops up. Scammers don’t go away — they just start up a new attack. “This is the basic approach that the North Korean identity theft/employment fraud scams have been taking,” he says.

His advice: report, block, disclaim, repeat. And keep vigilant. It’s not only scammers who are trying to fool your candidates, but also scammer candidates who try to fool you. Job seekers need to keep vigilant as well, but there are several things you can do to help make that easier.

Strengthen your public-facing candidate guidance

Make your contact information easy to find. I write about a lot of companies, and it is often difficult to find a way to contact them. I’m often left to search out employees on LinkedIn and message them there. That doesn’t work so well, as normal people aren’t on LinkedIn every day of their lives.

Make sure you have a contact page that is monitored frequently. This is safer than a publicly displayed email address, which makes you vulnerable to phishing, spam and data breaches. If someone submits a question via the contact form, they need to receive an answer within 24 hours. Whoever answers the contact forms should be able to view applicant status and available job posts.

Be clear on your jobs page about the hiring process. Candidates will Google a company as part of their job search, so carefully detail what you will and will not do.

For instance, “At ABC Company, we will never make a job offer without an in-person interview, and we will never ask for your personal information until after we’ve made an offer.”

And: “All our available jobs are posted on this page. Any job postings that are not listed here do not exist.”

Try spelling out your process from sourcing to onboarding. It helps candidates know what is real and what is not. The most important part, of course, is to make it clear that you will not collect Social Security numbers before a job offer, and you will never ask a candidate for money.

Strengthen your security at third-party job posting sites

You said your Handshake account got hacked. I reached out to Handshake (a recruiting and networking platform primarily for college students and recent graduates), and they didn’t respond. I reached out a second time, and they did not respond. It’s frustrating. When you have hackers coming at you from multiple angles, it can be maddening.

This is an issue with a lot of companies. It can be challenging to get a human on the phone. But be persistent. Make sure you have strong passwords and two-factor authentication. It can be tempting to have one account with an easy-to-remember password so that everyone on the team can log in. But that’s easy to hack.

Treat victims with compassion

When a scammer “accidentally” sends a candidate $10,000 for office equipment instead of the promised $1,000, then asks them to return the extra $9,000, the victim eventually discovers that the original $10,000 check has bounced. And when that happens, they will come looking for you  — angry and believing your company was involved.

It’s not your fault, but it’s not their fault either. Be kind, help them report the scam to the police, and give them helpful supporting evidence, such as how you’ve had to shut down multiple scammers over the years.

And, what the heck, take a look at their resume. Maybe they are the right person for the job you have.

Overall, you do your best to give clear instructions to candidates on your own website, make yourself available to them, and fight the scammers the best you can. It’s a tough world.

–

Stay up to date on business in the Capital Region: Subscribe to the Comstock’s newsletter today.