Someone is impersonating us in a recruiting scam (kapwing.com)
280 points by jenthoven on July 13, 2022 | 160 comments



Years ago, my previous employer had a few listings on Indeed for software engineers (some were very long-running). A recruiter reached out to us with a candidate they had, who had experience in the areas we were looking for, which was enticing because people like this were not so easy to come by for a small company not based in a major city. By chance, we found out during the interview process with the candidate that the recruiter was playing both parties. This very shady recruiter cloned our job listing (removing the company information) and was able to out-rank us in the search. They presented themselves to the candidate as if they were working for us, and to us they presented themselves as trying to place this candidate, effectively collecting a recruiting fee for hijacking our listing and forwarding a resume. They ended up with nothing but a warning from lawyers, but they _almost_ got an easy paycheck out of it.


I don’t think this is uncommon—in fact I think it’s the way many recruiters work.


Hence why most companies don't accept placements by recruiters unless it's the one they specifically hired for the job


Unfortunately recruiters lie about "exclusivity" as well.

About a year ago I was on the job market and multiple recruiters reached out to me with the exact same job listing, just with the company name removed. All of them claimed to have an exclusive relationship with the company and they were working directly with the hiring manager. With 5 minutes of Googling I found the original position and the company that posted it.

Do they get penalized if they present a candidate for the job and the company says "No recruiters" and they remove the candidate from their candidate pool?


Penalized by who? It works enough that tech recruiters and their agencies make a lot of money. If there is no agreement between the company and the recruiter the company is free to contact that applicant themselves. The recruiter will usually hide the contact information of the applicant for this reason.

Enough hiring companies only care about getting a seemingly qualified applicant in for an interview and will ignore whatever shady things recruiters do.


He's asking if he, as a candidate, will get blackballed by the company if a recruiter submits his resume. I think you're assuring him he will not.


Nowadays you can often use a search with some text from the ad to figure out who the real company is. Though who would bother?


I do that every time a recruiter cold calls me about an opportunity without mentioning the company, if the opportunity sounds interesting.


> Though who would bother?

It takes like four seconds.


Who would bother to find out who the company they would be working for is? Who wouldn't?


I do that to find out who the company is. It's usually a better way to find out how much they pay than the recruiter is. Too often recruiters try to avoid telling me either item.


I would love to do business directly with the company, but often they don't reach out to me, while these intermediary recruiters do. I guess the value of recruiters is that they reach out to companies and to developers, and they connect the two.

Recruiters who merely repost the same listing that the company posted without adding any value, deserve to go out of business. Mind you, if every listing contained the hourly rate or pay range, they'd have a much harder time inserting themselves where they don't belong.


Recruiters have all kinds of shady tactics.

A friend asked me if he could use me as a reference, and I said sure.

A few days later I got a call asking about my friend, and I readily engaged because I took being a reference seriously. As we were winding up, he suddenly asked if I was looking for a position. I then began to realize it was the recruiter - who was recruiting off the reference list of my friend. I was gracious (but pissed off, because I think the whole thing might have not been about my friend but recruiting).


And many real estate agents, and sadly perhaps more occupations.


This is simply wrong, and any real estate agent caught doing this would lose their real estate license and might even face criminal charges (depending on jurisdiction).

In a nutshell: a real estate agent is an agent, which has a specific legal meaning and legal requirements, and that relationship can't just be hijacked by posting someone else's listing.


How is that how real estate agents work? The seller signs an agreement outlining compensation with a real estate agent before any work is done.


Realtors certainly will try to get you to sign an exclusivity contract as early as possible. But if you don’t sign, most will show you homes for free. Agents will talk about it like you don’t have a choice to get you to sign, though. Personally, I’d at least demand that such a contract include a cash rebate for a portion of any fees the realtor earns, and I’d want it to be limited to the transaction on a particular home. I wouldn’t sign anything that prohibits me from working with other agents on other purchases.


Not engaging a buyer's agent via a contract is a mistake, but few people understand that. If you have no buyer's agent contract, then guess who you are dealing with? The seller's agent! Yes, that very friendly person that is driving you around to see homes, who listens to your negotiating strategy, your maximum price, and your other sensitive information, is bound by agency law and their state license board to share every detail with ... the seller and their agents. (Why? Because the seller is paying all the agents.) Oh, but you say, your nice agent would not do that! Well, let's say they don't do that. Then you have what is called "undisclosed dual agency", and that gives the seller and/or you a cause of action in court. All these agency options are explained in detail in that pamphlet they shove at you on first contact, but almost no one reads or understands.

>most will show you homes for free

I'm still looking for that real estate agent that does anything "for free".


-Some- realtors will. The best ones won't; they know they're offering you more than Zillow. When I bought, our realtor was constantly hounding the seller's realtor and our own financing company to move the process forward, as well as proactively reaching out to answer our questions and in general help us feel good about the process. She also returned texts and calls promptly, and she had an arrangement with an extremely good independent home inspector, plus pretty much every kind of contractor we could need for improvements; everyone she put us in touch with was amazing. She didn't ask for exclusivity, and she absolutely didn't need it.

Meanwhile in the past when we were looking, a mediocre one tried to get us to sign an exclusivity deal that we'd agree to use him until we chose to cancel (no stipulations there at least, though legally I don't know if he could have, but still, into perpetuity unless we canceled) for -any house in the entire state-.


I was told this by a realtor once.


A real estate agent might repost an owner's ad for an apartment, and earn a broker's fee from the renter when the apartment is rented


I have only dealt with agents for apartment rentals in NYC, and there, the landlord hires the agent and agrees to pay them a fee, just like a house seller would agree to.

If neither a renter nor the landlord has an agreement to pay an agent, why would the agent be owed any money?


In Mass, it's the renter that pays the fee.


In NYC, the renter usually pays the fee too, but that is simply part of the rental agreement from the landlord.

The person that agreed to pay agent is still the landlord. In times when supply of apartments exceeds demand from renters, landlords have to pay the agent from their pocket.

But the point is that in all cases, someone agreed to pay an agent. The agent did not simply materialize and obtain a right to collect money from someone.


That's not how the multiple listing systems work in the US real estate market.


Color me naive, but why is this a bad thing? If your listing reaches more people, it's ultimately better for you. Maybe I'm misunderstanding something.


It's the fee, which is a percentage of the employee's salary. That's much more than the listing fee on Indeed, likely by orders of magnitude.

There's also the downside that some scummy person is representing themselves as being affiliated with you, when they're not. So if they do scummy things to the candidate (which they likely would, given what they're doing to you), then you are painted in a bad light. Think of situations that HNers complain about here, and then imagine that it's your company being (wrongfully) dragged for having lousy interviewing practices.


The fee is the most common issue cited by employers.

I generally respond (as a candidate) to get a sense of the problem. I can assure you that bad representation is the biggest problem. It’s not uncommon for recruiters to say something really problematic (bluntly racist or sexist) or impose excessive interview steps to filter candidates, without knowledge of the industry. I often know the hiring manager well enough to give feedback and they are generally horrified.


As if companies don't do that on their own.

I'm actively interviewing for new positions, and the amount of stuff that startups (most out of Silicon Valley) are doing is absolute batshit. From 2-hour tech screens to 19-hour unpaid interviews WORKING ON THEIR OWN CODE BASE, I will not be surprised when the DoL does a crackdown on the interview process. I have been in the software development industry for decades. If you can't tell if a candidate qualifies after 45-90 (tops!) minutes of interviews, you may want to look internally for problems. All they are really doing is rejecting a ton of super smart developers, many who may have disabilities.

Oh, and then there was that one company who told me I had no knowledge of a language and framework I am actively contributing to, and have built robust, scalable enterprise apps out of. "We are looking for experts of <language x> and also <framework y> and <framework z>." That was literally the message they sent me. They did NOT know about my contributions because my dumb ass tries not to show off stuff like that when looking for employment as I want to be weighed on my ability to write awesome code and not weighed on a popularity contest.


>> my dumb ass tries not to show off stuff like that when looking for employment as I want to be weighed on my ability to write awesome code and not weighed on a popularity contest.

I know you likely learned from this, but it's worth repeating especially for people who don't often go looking for jobs.

Getting hired is a sales process. You are the product. It doesn't really matter what you can do - that's probably not what you are selling to the interviewer.

What you are selling is the fact that _you_ (and you alone) are the best choice for the position. That means a combination of skill set and personality.

So specifically, being "popular", or "known", or "admired" in the tech community is a feature, one which is very valuable to potential employers. Being popular means you're (probably) not a dick, and that's worth knowing.

I say this with respect, but there were likely a bunch of folk they interviewed who can write code just as awesome as yours (at least in their eyes). I don't mean that to demean you, but clearly a) it's impossible to determine code awesomeness in an interview - it takes months for awesome code to even surface - and b) there are a _lot_ of people out there writing awesome code.

In Western culture it is considered polite to be modest, but being modest in an interview, or on a CV is a bug, not a feature. You need to sell, and sell hard, every possible accomplishment - without being a dick.

Writing awesome code is not enough. Fitting in with the team (ie demonstrating social skills), having deep knowledge of some framework (enough to contribute, and have those contributions accepted), publishing or presenting at conferences (ability to communicate and articulate), are all huge box ticks in the recruiting process.

Don't. Be. Shy.


I would imagine it's for the same reason that many big musical acts go to lengths to make it difficult for concert tickets to be resold. It's important to them to manage their relationship with their customers, and they simply don't want all or most of their tickets essentially being auctioned off to the highest bidders even if that is technically the most economically efficient allocation according to some extremely short-sighted interpretation of an Econ 101 textbook. Heck, it's the same reason Apple sometimes has long wait times for a new popular iPhone model instead of holding an auction and shipping to the highest bidders first.


I think you're right, it's what separates companies classing the same/similar behavior as unwanted, even illegal (grey market luxury watch dealers) vs encouraged (food delivery). The relationship with the client and its perceived value. Coming to think about it, probably a Michelin-star high-end restaurant would shoo away a doordash person coming to pick up takeaway.


If the recruiter is saying he's been hired by a company to find people for a given job posting, and he hasn't actually been hired by the company, that's fraud.


I have a strange case about this. Several years ago I was looking for a job. I found a listing for a position in a company and applied for it, then it went silent for a couple of weeks. I later searched for a posting that seemed to be identical to the listing of the company I first applied to (though it was presented in the recruiter's name and at the time, I was naive enough not to check that it was identical to the previous one. Granted, the company hadn't advertised the position at the time the recruiter did).

It wasn't until the recruiter told me to proceed with the on-site interview that I learned that, in fact, the company the recruiter was seeking candidates for was the same company I had applied to and failed with earlier. This left me scratching my head as to why the company didn't respond to the job posting I applied to directly, but decided to pick me up when I was referred by the recruiter. They could have turned down the recruiter's referral about me and I wouldn't have been surprised one bit.


Those recruiters probably badger them much more aggressively than you would ever consider even remotely acceptable, and apparently that works.


Fraud, misrepresentation, front-running, and a potential avenue for further scams (e.g., demanding payment from candidates, collecting personal information). For both candidates and companies, this may mean exclusion from consideration due to misrepresentations or concerns over exclusivity.

See:

https://www.forbes.com/sites/forbeshumanresourcescouncil/202...

Incidentally, the search for "recruiter (fraud|scam)" turns up a distressingly high number of hits, many from companies targeted:

https://duckduckgo.com/?q=recruiter+(fraud%7Cscams)&ia=web


Because you don't want an unrelated 3rd party inserting themselves between you and the candidates.

How many good candidates were scared away by the sketchy recruiter? There's no way to know.


How is this different than doordash coming to pick up food from a restaurant and delivering to me? I think it's very similar, they charge an extra fee, restaurants might not sign up for this and it's not the restaurant employees handing me the food.


In this case, neither party has really signed-up for it. To the candidate, it might not matter that much if they don't have a negative experience with the recruiter, but to the company whose job listing was straight-up plagiarized and outranked on the same job board (with a big recruiting fee on top), it's very different. With doordash, you at least agree to the fee, right?


Well, for one either you or the restaurant wanted Doordash to do that job, and Doordash isn't misrepresenting themselves as if they were working for the restaurant (without the restaurant's knowledge).

Of course, with that said, there was some service a few years ago (maybe it's Doordash?) that was generating landing pages and buying domains pretending they were the restaurant. But that's also very shady.


> Doordash isn't misrepresenting themselves as if they were working for the restaurant

From what I heard, the various delivery services have been setting up websites that pretend to be the actual restaurant's site, but list their own phone number. So they're committing fraud, too.


I don’t underdeveloped why you people are ignoring my second paragraph and repeating what I said. I guess trying to cover all bases in a message doesn’t work anymore, I gotta cover all bases in a single small paragraph, since posting a gotcha takes precedence over reading the whole message.


Wow, I totally missed that you spoke to exactly the point I was making. I'm sorry.


Thanks for being cool about it (rare in the internet) and sorry about me being grumpy over it. The internet needs more of you!


Ugh, I mean “understand”. Autocorrect typo.


Delivery services DO misrepresent restaurants. If you search for a specific restaurant in your area, you will get lots of SEO spam that is not from the actual restaurant.


...and that's precisely what I mentioned in the second paragraph of my message.


I always get contacted by recruiters who rarely work full-time for the company they hire for and hide the company name when they reach out.


It is shady, but at the same time it sounds like the recruiter succeeded where your company failed. He was able to find a candidate for your position, where your employer was unable by just posting it to Indeed.

He did a better job, and maybe that is worth the additional money? Do you think your employer would have found the same candidate by just relying on the job listing on Indeed?


The recruiter copied the listing as-is, with only the company name removed. If their listing wasn't there, the candidate would find the company directly.

So they provided no positive value; in fact they provided negative value by adding duplicate listing and making them harder to navigate. I don't thin


How do you score higher on Indeed with the same text with just a name removed? The original listing would still show up?


This is the 4th time I have heard this news in a month. I wasn't paying much attention till it happened to my girlfriend.

A person with a LinkedIn profile that looks very legit, saying they work for Nike at a senior level position, reached out to my gf for a job role. Well, at first she was excited and then she forwarded me their profile. It was a really good presentation; however, a few things were way off. Like the timelines on their profile were not accurate. The related experience was shady and more. As I dug deep I was convinced it's a scam.

I reported the profile to LinkedIn.


Ugh, LinkedIn. Someone created a profile saying they were in my company's Mumbai office. We're 100% US-based, which is very important in our specific market. It could be very bad for us if a large customer thought we were lying about having employees outside the US.

I finally had to resort to blatant Twitter shaming to get LinkedIn to address the problem.


I've been reading quite a few more of these lately.

It appears that LinkedIn has a problem not only with the tsunami of everyday recruiter spam flooding out their primary value proposition (real biz connections), but now criminal scams exploiting their platform.

Seems like one of those tipping point phenomena, that doesn't seem critical, until it is, and by then, it's too late and mostly all of the customers have decided they're done with it.


[This is Julia, the IC] In this case, LinkedIn had nothing to do with the scam. The thieves were using my real name and they didn’t create a fake profile for the supposed recruiter, so there’s unfortunately no phony profile to report.


Someone used this technique to steal hundreds of millions in crypto tokens from a company recently, so looks to be a common and lucrative scam more people are trying. https://news.ycombinator.com/item?id=32001742


I was targeted by a similar recruiting scam several years ago -- again, a smallish company which was high on my interest list, with a personalized email matching my stated skills and experience.

All I can say is that while legit "cold" recruiting outreach happens all the time, if you are a job seeker take the time to verify these contacts. Don't give out personal or contact information until you are absolutely sure you know who you are talking to! A professional will not mind you taking this extra step.


[This is Julia, the OC] 100% agree. At Kapwing, we would never penalize a candidate for verifying a job opening; in fact, we’d likely see it as a positive signal and sign of enthusiasm.


What does OC mean?

Thanks for writing about all this and warning people :-)

I wonder how much the actions Kapwing took has reduced the amount of scam attempts -- if you happen to know? Maybe hard to measure


Maybe "original creator"?


I was once contacted by Apple.

The email almost got shitcanned, because it was so scruffy.

The subject was just "Hello From Apple." There was no HTML in the email, and the letter was really short.

It may have been an auto-generated one.

It never turned into anything, but it was a legit contact.


I once had a recruiter from facebook get stuck in the "spam" tab in facebook messenger back in 2014. Not the "you may know" message requests you get a notification about, but the spam you never see.

It was legit. Didn't see it until someone reached out a different way. A bit funny how their own platform failed them.


That’s funny, there’s actually been an intentional shift among “email thought leaders” towards shorter, plain-text emails because they can come across as more personal in today’s world of high-powered CRMs.


Reminds me of the Amazon ones.


I've heard from multiple senior engineers that they felt like they were being scammed while interviewing with a legitimate company. I end up spending a lot of time digging through the company website to make sure that at least ONE of the people I spoke to in interviews is even mentioned by name somewhere. If I can't do that, I make up some excuse to talk to the CFO about stock option vs base salary balance or something.

This is all bullshit. Companies should accompany any request for personal information with a document signed by their private key, so I can verify it with the company's public key. Wasn't PKI invented in the 1980s?


I was contacted through LinkedIn by a scammer with a position at a major company. The email was slightly off and the email suffix was a .company.somethingelse.com. I contacted the company HR department asking if it was a real job and if not, would they like all the information I had on the scammers. No reply...


You'd hope the company would care. But on the other hand I suppose it'd be you being scammed not them. As harsh as it seems, that's probably why they don't care.


Or more explicitly the people who would see the message would have no incentive to do anything about it as it would likely add more work for them with no gain. I think this is in part a result of all work "efficiency" optimizations and the exact performance metrics that come with them that have been applied to many workers in the past decade or so.


> would have no incentive

Look: https://news.ycombinator.com/item?id=32094120

I asked how to fix that (what are your thoughts?)


You need employees to care about their employer. This won't happen if the employer doesn't care about the employees first. I am not sure how true this is but I have a feeling a lot of the issues come from already successful businesses hiring MBAs who find and push for these worker optimizations that drive short term profits at the cost of eroding employee loyalty and company values. So maybe at the company level execs need to push back on viewing their employees as soulless automatons that need to be optimized. And at the nation level it would help if people didn't view continuous employment as vital to survival and separating health care from the employer (specific to the US) is a necessary step imo.


> need employees to care about their employer. This won't happen if the employer doesn't care about the employees first

I'd like to try that :-)

(among some other things, like profit sharing for everyone, so that doing what's good for the company is good for oneself)


And it would probably be a hassle for the HR person to reach out to legal, answer various questions, and deal with it. Not their job, not their problem, not a great attitude either--but so it goes.


How do you arrange incentive structures so that people in the company who get such emails, want to do something about it -- and, so others in the company (eg legal) want to, too?

(Without messing up other things the company is doing)


Fundamentally, it's culture. But even under the best of circumstances it's still hard to get people to care about things that they're not being measured on or rewarded for.


Maybe the execs and CEOs can try to be examples

Rewarded... Maybe profit sharing? Then could pay back to do what's good for the company?


They probably thought your report of a scam was a scam itself. We get this occasionally at our company.


We've had an ongoing problem with this as well, and it's shockingly effective. A couple of "candidates" have reached out to us right before they were scammed.

The con really preys on people's hopes - promise them a higher paying job, hopes of a better life, then casually extort them right at the end.


How did the "candidates" actually get scammed? Did the bad actors steal their personal information and commit fraud?

I don't understand what scammers get out of doing this. How do they make money?


With us, they would have the candidates purchase their own hardware from a custom store and then “reimburse” them.


By getting acct and routing numbers they can easily siphon money.


Unrelated: Kapwing runs the most odious dark pattern I've seen for users who wish to cancel - they threaten to make all the content you created public.


Reminds me of food delivery companies presenting themselves as restaurants. There was some question of if or how illegal it actually was.


Surely it comes down to trademarks. If you’re using someone else’s trademark you’re in trouble if they sue you.


Or wire fraud. IANAL but this in particular seems to go beyond trademark misuse into yeah-that's-a-crime territory:

> For example, in this case, candidates received the “offer letter” with our old company logo in the letterhead instead of the new logo we introduced recently. The offer letter was also signed by a random "Advisor" named Tom Gahm (who actually doesn't exist) rather than the CEO.



Oh the irony. These startups have been growth hacked!


I wanted to add information. Please correct if I am off:

The reported heist of $xxx in Axie crypto by takeover of the majority of nodes was organized by a N Korean group that created an entire fake company on LinkedIn and a related story and web presence... The group used the mark - a senior engineer at Axie - as a gateway to the nodes themselves, under the pretense of recruitment.

The engineer went thru a very formal interview process, during which he received a PDF with sophisticated malware trojan.

Food for thought.


You are correct although it seems a bit under-reported.

How does a senior engineer have control over millions of dollars without review?

I also am somewhat skeptical of this one-click PDF hack. They used a zero-day for this attack? In Chrome? Why hasn't this been discussed if so?


I'd speculated previously on this, but that could be fairly trivially accomplished with signature requirement extensions. Here's my prior comment:

We had an employee compromised by a similar attack: an executable linked in a PDF.

Basic flow was: the phisher asked the employee to sign a document relating to customs. The phisher had gathered that this employee works with shipping claims and returns, and surmised that they need to deal with customs documents requiring signature. There was a link to an exe hosted on a European cloud service in the PDF titled "install fake signature certificate company to sign this document". This directed to a download of a basic ransomware executable. This did get past our AV to the point of encrypting the employee's machine, but thankfully was blocked from spreading to the rest of the network.

The employee's machine was toast, but I was able to restore from the prior day's backup and no major harm occurred. I was able to see the phishing attack since we use gsuite email so the ransomware didn't erase the employee's inbox, but they did lose a half-day's work and I updated our training. The attack itself was clever from a social engineering perspective, but the technical exploit was something any script kiddie could have downloaded from the open web, nothing advanced at all. But Gmail doesn't always scan links in PDFs, so a clever ruse was able to bypass Google's scanning as well as our local scanning.


Something similar happened to one of my corporations. Somebody targeted by the scam was suspicious and contacted me via LinkedIn. Discovered somebody had set up a completely separate and very legit looking website using a similar domain name (e.g., instead of company.com, it was companyinc.com).

I have no idea if they successfully scammed anybody.

One thing I did that is not mentioned in this article is that I contacted the police. The police took a statement and collected all the relevant files (e.g., the PDF job offers I had been sent).

There was, unfortunately, not much the police could actually do. But having an official police report helped in my next step, which was to start an internet-wide game of whack-a-mole with the scammer's website. I'd identify the hosting company, send them an abuse report, citing the police report, and request the website be taken down. The hosting company would usually comply within 24 hours, then a week or so later the website would reappear using a different host. Lather, rinse, and repeat several times until the scammer gave up (or moved to a different domain that I have not discovered yet).


We had a very similar issue. It wasn't a recruiter, but a scammer set up a companyname+(inc).com domain to sell fake products. We went straight for their registrar with a trademark claim and were successfully able to get the domain transferred to us so we could redirect to our actual site. If they are hosting content that is clearly similar to yours, then a trademark claim can be successful. Then, rather than chasing down hosting providers, you only need to deal with it once. This is also a good point to spend a few hours registering any permutations of your domain that are similar enough to cause confusion to prevent this from reoccurring.

This is why the Nissan.com guy could keep the domain, since he wasn't selling cars. If he'd been using the domain that could be argued to be impersonating Nissan the car company, he would have lost ownership.
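
[Added example, not part of any commenter's post] A sketch of how a company could triage sender addresses that candidates forward to it, flagging the lookalike patterns described in this thread: the brand plus a suffix (companyinc.com), the brand used as a subdomain of someone else's domain (.company.somethingelse.com), and one-character typos. All names here (`examplecorp.com`, the sample addresses, the affix list) are constructed for illustration, and the registrable domain is assumed to be the last two labels rather than looked up in a public-suffix list.

```python
from email.utils import parseaddr

LEGIT_DOMAIN = "examplecorp.com"  # constructed placeholder for the real company domain
# Assumed list of words scammers commonly bolt onto a brand name.
AFFIXES = ("inc", "corp", "llc", "hr", "jobs", "careers", "hiring", "recruiting")


def sender_domain(address):
    """Return the lower-cased host part of 'Name <user@host>' or 'user@host'."""
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower().rstrip(".")


def split_domain(host):
    """Split a host into (subdomain labels, registrable label, registrable domain).

    Assumption: the registrable domain is the last two labels; a production
    version would consult the public-suffix list (e.g. for .co.uk).
    """
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return labels[:-2], label, ".".join(labels[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, legit=LEGIT_DOMAIN):
    """Label a host relative to the legitimate domain."""
    brand = legit.split(".")[0]
    sub, label, registrable = split_domain(host)
    if registrable == legit:
        return "legitimate"            # the real domain or one of its subdomains
    if brand in sub:
        return "brand-as-subdomain"    # brand.somethingelse.com
    stripped = label.replace("-", "")
    if stripped == brand:
        return "brand-variant"         # same name, other TLD or added hyphen
    if any(stripped in (brand + a, a + brand) for a in AFFIXES):
        return "brand-plus-affix"      # companyinc.com style
    if edit_distance(stripped, brand) <= 1:
        return "typo"                  # one character added, dropped or swapped
    return "unrelated"


def triage(addresses, legit=LEGIT_DOMAIN):
    """Map each reported sender address to its classification."""
    return {a: classify(sender_domain(a), legit) for a in addresses}


# Constructed sample of addresses a candidate might forward for verification.
SAMPLE_REPORTS = [
    "Recruiting <recruiter@examplecorp.com>",
    "hr@mail.examplecorp.com",
    "Jane Doe <jobs@examplecorpinc.com>",
    "talent@careers.examplecorp.hiring-portal.net",
    "offers@examp1ecorp.com",
    "someone@examplecorp.net",
    "friend@unrelated.org",
]

if __name__ == "__main__":
    for address, verdict in triage(SAMPLE_REPORTS).items():
        print(f"{verdict:20} {address}")
```

Anything other than "legitimate" or "unrelated" is a candidate for a registrar or hosting abuse report, and the same patterns give a starting list of permutations to register defensively.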


I wonder if they ever tried to take down your website with their own, phony, police report


> ...an elaborate scheme around [our company name]

Why is she calling this "elaborate"? It's typo-ridden, done from random gmail addresses, and worse. I get "Nigerian Central Bank need you help transfering $40 million to you account" spam that looks better-done than this scheme.

Edit: 's/is he/is she'


Maybe it's not "elaborate", relative term, but it's multi step, several fake accounts, a fake mail server, multi step interview, and it's tailored to a specific company and targeted to a relevant audience.


That's intentional in both Nigerian 419's and this. They are both looking for fools with money with which to part.


The author and CEO appears to be a she, preferred pronouns notwithstanding.


Somewhere out there, phishers with spell check are raking it in.

Seriously though - a big focus of corporate phishing training is “watch out for typos”, which is insane. If that’s our main indicator of phishing we’re toast.


You should post a visible warning in your careers page, it may help for some cases.


Maybe they should add a notice on their home page too.


Reminds me of that guy from Sweden(?) who HIRED more than 100 people to a non-existing company. Best scam ever, because it is so stupid, and hard to understand why.


This story from four months ago? https://metro.co.uk/2022/02/21/jobfished-bbc-doc-on-madbird-... (It was the UK.)


This was 5-10 years ago. I can’t find an article now, but the dude was a scammer. He did things like eating at restaurants and leaving without paying. Then for some reason he made up this fake warehouse company with fake clients. He built an office, he even hired his fiancé and then hired 100+ workers. The scam was revealed the first workday for the workers. The location given was another warehouse company that were rather surprised to see all the people at the gates.


This has been happening to my org more and more too.

It's been a combination of fake linked accounts reaching out to unsuspecting people and getting them to pay in return for getting priority access to the recruitment queue. Sadly, it works - we have had people show up at our offices for their non-existent interview. They tend to get very irate when you explain that they were scammed.


I mean, TBH this seems like a pretty dumb scam, and you have to be pretty gullible to fall for it. Send my bank account information over to a company before I've actually had face-to-face conversation with anyone there? And who would expect to get an offer letter before you've even had an actual interview (as opposed to just some questionnaire you had to fill out)?


I'm not sure it helps to shame people who fall for those scams. People do fall for it, scammers are exploiting humans' trust that most people are nice. Most scams seem dumb once you know about them. And once some scam becomes well known, scammers will just change tactics.

The important thing is to educate people (for example do not give your bank information over the phone ever, except if you are the one who called maybe) and have good insurances in case something like this happens. And I believe it could happen to any of us, even people who think they're not gullible.


Sorry, I didn't mean to shame folks, I just meant to highlight that there is very little in this scam that seems new or clever, so it doesn't seem particularly noteworthy. I probably get a couple of similar scams directed to me every week (we joke in our company how we all get texts from our "CEO" asking to respond to an urgent need...)

Every now and then I'll read about an online phishing/spear-phishing scam and think "Wow, that is really good. I definitely may have fallen for that!" (e.g. the "delayed disconnect" phone scam - TBH I didn't even realize some landlines worked like that.) This is not one of those times.


TIL about delayed disconnect. Scary!


Companies are increasingly intrusive when hiring, like everyone else. Running background, credit, etc. checks for low-level employees was considered absurd not too long ago, now it is routine.

Especially young folks, excited by their great new gig, are likely to be unclear on where, exactly, the line is, or not think through the implications of things happening in the wrong order. (At my current gig, one of the first things HR did after we signed was ask me for direct deposit info.)


I applied for a job a couple of years ago that wanted a cognitive assessment and what they billed as an IQ test. I applied to several other jobs that had such absurd hoops that, as you say, it became routine for low level work. It's not that we're naive youngsters who don't know any better. We just often don't have a choice. There's no chance to save money or to live off savings when young unless living with relatives while working, and that becomes burdensome quite quickly.


> It's not that we're naive youngsters who don't know any better.

Sorry if it came out that way, that wasn't my intent. Fake jobs were not a thing that I encountered when entering the market, but I almost certainly would have fallen for anything that wasn't utterly incompetent.

> We just often don't have a choice.

This isn't new. I grew up very poor, and it wasn't until my mid-30's that I had things paid off and could start thinking about what economic security might feel like someday.

What's new is that middle-class young people are starting to have that experience, too.


Due to the rising trend of people working remotely, some people might have never had any physical contact with the people they work with, all the way from interview up to signing the contract. It might be difficult for these people to verify that a startup is legit.


I work in a remote company, and have hired a ton of people remotely. How many folks do you know who are hired remotely without ever having even a phone call, not to mention a video/zoom call?


Younglings may have no idea what’s normal, right? I don’t know anyone who’s been hired without a call or interview, but that isn’t necessarily relevant; it doesn’t mean that scam is obvious to someone who’s never been hired anywhere before, or is too excited about the prospect of a decent job to question the process. Lots of scams are somewhat based on people’s general reluctance to challenge someone else, especially when there’s a prize or benefit on the line, this is a human trait.


Since a lot of interviewers conducted interviews from their homes during the pandemic, I am not sure just being able to see a person would provide enough assurance.


I was on a Zoom interview panel where it was clear that the interviewee had someone else on an earpiece and was being fed answers.

When we conversed about non-technical things, the interviewee spoke clearly and fluently. But when we'd ask a targeted technical follow-up to something on their resume, they would always repeat the question slowly, and then robotically with several pauses say their answer back. Another interviewer said they could hear the voice in the earpiece talking in between their pauses.

I'm not sure what their end goal was with getting hired, but we ended up cutting the panel short.


Don't disagree, but that didn't happen in this case.


There's a reason why there are a lot of typos, broken English, fake emails from gmail, etc, they do not want to waste time on non-gullible people.


I don't understand this part, is this US-specific? (Genuinely curious... I'm from EU) If I send my banking details to some company here they can deposit funds (as in, pay) to it. No way can they withdraw anything without my authorization. So how does this scam even work? Or am I missing something?


Welcome to the byzantine world of ACH transfers in the US.

Short of it is that, no, they do not need your specific authorization to initiate a withdrawal. Here's how ACH works:

1. One banking institution is the ODFI - originating depository financial institution, that makes the request. The other is the RDFI - receiving depository financial institution. In order to make a withdrawal, the ODFI sends the RDFI an ACH request that says "For this routing number (which determines the RDFI), for this account number and account holder name, debit $XXX amount and send it to me, the ODFI." No other authorization is necessary from the account holder.

2. The RDFI will send the ODFI (basically, the ACH process is more complicated) the money, BUT the RDFI has 90 days I believe (maybe longer) to pull the money back (search for "R10 ACH response code"). If they do, the ODFI is left "holding the bag" and must return the funds. Thus, it's up to the ODFI to ensure that the user who initiated the withdrawal in the first place is authorized to do so.

Thus, a common ACH scam is:

1. Bad guy opens account at some financial institution with a stolen identity.

2. Many fintechs and online banks use Plaid to link to an account at an external institution to transfer funds. If the bad guy somehow has stolen credentials, then they link Plaid to that external account.

3. Bad guy initiates the ACH. Most ODFIs will then hold the funds for 2-5 days (depends on how long the account has been open, there are banking rules about how long they can hold it) specifically because of this return possibility.

4. Bad guy then tries to withdraw the money as soon as they can. If the original account holder doesn't notice the money missing from their account for, say, 2 weeks, the bad guy will have gotten the money and the ODFI is the one that has to make good on the stolen funds.

Google "ACH Fraud". It's a common problem with startups that don't realize all the intricacies and problems of the NACHA rules.


Wow... The US banking system is truly mind boggling.

Thank you for taking the time to share this information about ACH scams.


Wow, that is interesting... Thank you for an excellent explanation, makes sense now.


[This is Julia, the OC] It’s not exactly clear what the end scam will be. Scammers ask for bank info, a photo of your ID, and credit info. Sounds like some sort of identity theft or bank withdrawal situation.


>And who would expect to get an offer letter before you've even had an actual interview (as opposed to just some questionnaire you had to fill out)?

Many years ago now but I did get a job offer out of grad school on the basis of a mass mailed job application cover letter/resume. (And this was with a major aerospace company.) Only did a site visit/interview after I asked for it.


People are gullible. I can probably build a website with reasonably fake job listings, and ask job applicants to fill out I-9. I'm pretty sure I can get a lot of personal data from that.


Plus the "offer" (and all email communication) is run from a Gmail account, they didn't even bother to spoof or semi-spoof a credible looking address. Of course they're not targeting the best and brightest, but this is by design - such folks wouldn't jump at a random job opportunity to begin with


There are lots of dumb scams. It's a numbers game, you reach out to thousands of people and if only a few bite, you're probably still making a profit.


I mean if I said it was for Direct Deposit this would match many candidates and employees experience.


On the other hand:

I once got an offer letter with typos, after just a phone screen.. and it was totally legit! I worked there for a while


There are multiple red flags here:

1. Asking you for a fee if you are hired. Staffing fees should be paid by the employer on top of agreed to compensation to the employee. In fact, if you are a direct hire, you shouldn't even know what the recruiter is getting, but they should tell you they are getting paid.

2. Asking you to pay for or buy equipment that will belong to the company. Telling you we'll give you money to buy a Mac and other gear. Any legit company will simply ship the equipment to you, usually pre-configured.

3. A non-company domain for emails.

4. Unrealistic compensation. Who wouldn't want to edit video for $187K/year ($90/hr)? This is very high.


There are companies that offer brand and employee impersonation detection services, but something like this is undetectable. Any scam done through a public email provider, you really can't do much aside from reporting the email and raising awareness.

Had the scammers linked back to a domain or website that looks similar to your brand, THAT is detectable and there are services that can help here.
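An added example, not written by any commenter in this thread: a triage helper for sender addresses that applicants report, separating brand-on-public-provider mailboxes (the `kapwingeditor@outlook.com` case quoted elsewhere in the thread) from lookalike domains of the "companyname+inc" kind, which are the ones a registrar or trademark claim can act on. The provider list, affix list, category names and all sample addresses except the one quoted from the article are assumptions made for illustration.

```python
import re

# Assumptions for illustration: a small provider list and affix list.
PUBLIC_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
AFFIXES = ("inc", "hr", "jobs", "careers", "recruiting", "team")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def resembles(label: str, brand: str) -> bool:
    """True if a domain label or mailbox name imitates the brand."""
    s = re.sub(r"[^a-z0-9]", "", label.lower())  # drop hyphens, dots, underscores
    if brand in s:                               # brand + affix, e.g. "<brand>inc"
        return True
    for affix in AFFIXES:                        # strip affixes, then look for typos
        if s.startswith(affix):
            s = s[len(affix):]
        if s.endswith(affix):
            s = s[:-len(affix)]
    return edit_distance(s, brand) <= 1


def classify(sender: str, official_domain: str) -> str:
    """Classify one reported sender address relative to the official domain."""
    local, _, domain = sender.strip().lower().rpartition("@")
    if not local or not domain:
        return "invalid"
    brand = official_domain.split(".")[0]
    if domain == official_domain or domain.endswith("." + official_domain):
        return "official"  # address string only; SPF/DKIM/DMARC results are a separate check
    if domain in PUBLIC_PROVIDERS:
        return "brand-on-public-provider" if resembles(local, brand) else "public-provider"
    # Any label left of the TLD counts, so brand-as-subdomain is caught too.
    if any(resembles(lbl, brand) for lbl in domain.split(".")[:-1]):
        return "lookalike-domain"
    return "unrelated"


def triage(senders, official_domain):
    return {s: classify(s, official_domain) for s in senders}


# Constructed sample reports. Only kapwingeditor@outlook.com appears on the
# page; the rest are made up and use the reserved .example TLD.
REPORTS = [
    "careers@kapwing.com",
    "kapwingeditor@outlook.com",
    "hr@kapwing-inc.example",
    "jobs@kapwlng.example",
    "offers@kapwing.careers-portal.example",
    "someone@gmail.com",
    "billing@unrelated.example",
]

if __name__ == "__main__":
    for addr, verdict in triage(REPORTS, "kapwing.com").items():
        print(f"{verdict:26} {addr}")
```

The same `resembles` check can be run over a list of newly observed domains to decide which permutations are worth registering defensively.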


Initially I expected they'd pretend to hire the person to use services for free.

It could last about 45 days. After the first missed paycheck, they could drag 2 more weeks on "bank transfer issues".

Depending on the person, even 60 days...

They could potentially get 2 months of senior video editing free of charge. Sell this on Fiverr and make more money than they were asking the candidates.


But then they'd have to go out and sell the editing work. This way they just hit the mark's bank account.


A North Korean APT and other nation-state backed hackers are using fake job offers and interviews to drop targeted malware. It's actually a pretty effective method. Certainly something to be aware of if you are job hunting and an engineer or sysadmin position for a large F500 company. Triple verify everything and don't open PDFs lol.


If you work at a crypto exchange I have an exciting opportunity for you!


The job offer says they'll receive an iMac Pro, a bunch of hardware and software, including "Crimson Editor". I wasn't familiar with it, but it seems to be an HTML editor for Windows that was last released in 2008, it's "so small that it can be copied in one floppy disk". Their website doesn't even have HTTPS: http://www.crimsoneditor.com/

Did they copy part of this list of perks from a 15-year-old scam script?


Interesting scheme. I wonder why they do it.

Neither in the linked article nor in the comments here I found a real financial damage - other than huge waste of your time and loss of personal data.

Anyone any clue on this?


Most likely they send an offer letter that contains malware. Typically it looks like a PDF - but maybe requires a "special reader" to sign. This is used to hack your bank, crypto, maybe the company they work at currently (as many employees use their work laptop as a personal laptop even though they should not).



This is also how they were able to steal money from Axie Infinity, they sent a malicious PDF file that was able to exploit and compromise the company's security and steal US$600 million!

https://www.cnet.com/personal-finance/crypto/a-fake-job-offe...


Happened to me once to my company. I signed up for a bunch of porn sites with their fake email as most sites don’t require email verification. The only way to fight scam is by spam. Authorities and others take too long.

The other way I fought back was to create a bunch of fake gmail addresses and keep in touch with them and waste their time. They hate it when you waste their time. But time wasted for them means money saved for someone.


I don't get how it works. If I give my IBAN, then people can send me money, but they cannot take money from me.

A scam would need to ask e.g. my credit card data, but at this point it's pretty clear that it's not to send me money.

I am not in the US. Is that different there? Like do you use the same numbers for both? Or do people just not know the difference?


In the US the same requisites are used for both directions of the transfer. If you give your account number and routing number to receive a deposit, the same numbers can be used to withdraw from your account. Coincidentally, these numbers are on any check you cut. Banks provide protection (requiring authorization for every withdrawal or disabling withdrawals altogether) to business accounts but the consumer accounts do not have this even as a paid service, at least in the major retail banks.

The government is supposed to come after any fraud here with heavy criminal charges, it's essentially a check forgery but I don't think it's too busy or too successful doing this.


My way feels so much simpler :-). It's a bit like public/private key: when I use my credit card, I know I'm paying. And if I pay from my bank, I do it from my e-banking and it's super clear.

I can allow a company to withdraw directly, but still it's clear I'm doing it (and I don't use that, I hate that feature).

Feels like it just prevents such scams. Of course then you can still convince people to "lend" you money ("send me 5k to leave my country and when I'm safe I send you 2M"), but that's slightly different.


A whole bunch of American infra is protected only with the fear of law. On one hand it makes things much simpler: you can do many things over the phone instead of filing signed and sealed forms in multiple places, on the other - the law enforcement is the common breaking point and it's not very well protected itself.


The key is in the 'congratulations' email:

> Please note that, on acceptance of this employment offer, the following equipment will be deliver to you to set up your home office, the funds for the purchase of the equipment will be made available to you prior to purchase and delivery.

They will send you a $15k check, you'll buy the equipment, and Venmo them back the remainder. Meanwhile, the check bounces.


I was just idly thinking "a name like kapwing should be easy to get a domain name for, i wonder where they got the name?", so I looked it up in wiktionary.

Not sure if this is the origin, but wiktionary lists it as "(rare) the sound of a bullet ricochet"... KA-PWING!

is this how the company name is pronounced?


[This is Julia, the OC] We've got you https://www.youtube.com/watch?v=vpUvcWjFkFs

Also check out our blog post about the name :) https://www.kapwing.com/blog/why-we-chose-an-onomatopoeia/


> The “applicant” gets a job offer letter PDF, supposedly from our HR department. The email may come from kapwingeditor@outlook.com.

I laughed for a good 2 minutes at this one. You have to admire the chutzpah of some of these scammers.


> We haven’t had anyone report that they actually got stollen from yet, but of course there would be a delay before they notice.

I’d expect that to happen sometime around Christmas :p


This is a common problem in nearly all intermediary business models from real estate agents, stock brokers (now nearly obsolete), recruiters to freight brokers...


this happened to me with facebook pre ipo! someone tried to impersonate them and screw with me on a fake technical interview. That person ended up getting kicked out of our college for academic reasons and the campus facebook recruiter found out and extended me an interview.


These scams always have horrendous grammar. To me that's a huge red flag


It’s done on purpose, those who don’t see the grammar mistakes are more likely to fall for the scam and not be able to track the scammer back


Oh! That's a way of seeing it that I never thought about but that now just made "click" in my mind!


Off topic but I love their website. Fast and nicely structured in general.


Not a fan of kapwing as they seem to be running a spam campaign on reddit.

Also not fond of hosts that put watermarks on media as it contributes to a kind of bit-rot.


[This is Julia, the OC] We’re not running a spam campaign. Any more info here on what you’re referring to?

We used to make it free to remove the Kapwing watermark, but needed to up our conversion recently to extend runway and fund R&D. Just about every creative tool in our space leverages watermarks as a conversion lever because it means we can offer most things for free.


I am referring to a recent spate in unusual comments on top posts that link to reaction-image like clips hosted by kapwing.

I'm trying to find some examples, but naturally there's none to be seen as soon as I look.

The comments contain unusual English, perhaps computer generated, and consist of an initial sentence, followed by a quoted hyperlinked sentence linking to kapwing.

I assumed these were an attempt by kapwing, and if that's not the case, I apologise for my accusation.


Recruiters get what they deserve for ghosting people and being assholes


First impression. Fake. Some random company trying to get attention. Scams are often more generic or more poorly done. This would be some Americans trying to harm the biz by targeting. Not unheard of but not very likely.



