Using job boards in your hiring process can seem incredibly impersonal (and if you’re the one looking for a job, it can seem like throwing your resume into a black hole), which isn’t something you typically want when looking for a new person to join your team.
But we have a very real and very important reason for using one at PTG: security. Malicious emails designed to look like resumes are a very common way to send ransomware and other forms of malware.
Ransomware, a form of malware that holds your files hostage for a ransom fee, can be potentially devastating to businesses, especially if you don’t have good backups (for a deeper dive into what it is and what to watch out for, read this blog).
While we back up our files regularly, and have taken measures to limit the possibility of ransomware entering our system, we don’t take chances when it comes to protecting our data and our customer data.
What We Do Instead
Use a Job Board: Instead of asking applicants to email their resumes (and opening resumes sent to us via email), we use a job board. The particular job board we use displays the resumes submitted in a web browser so we never have to actually download the file. We can get through the entire hiring process without having to take any risk of opening a file that could be malware. If you’re interested in what our job board looks like, or what positions we currently have open, check it out here.
Block Certain File Types: Outside of the hiring process, there are other steps we’ve taken to help prevent malware emails from even coming into our environment. One step is to block file types commonly associated with malware from coming into our company via email. Some of the file types we’ve blocked include .exe, .scr, .bat, .js, .jse, .vb, .vbe, .wsf, .wsh, .cmd, .pif, and .chm. We update this list as new forms of malware come out. Directions for how to do this in Office 365 are in this blog post.
Use Advanced Threat Analytics: We’re Office 365 users and have turned on Advanced Threat Analytics (which we’ve written more about here). Basically, it uses machine learning to detect threats (specifically in attachments and links in emails) before they come into your network. This has prevented multiple malicious emails – including some disguised as resumes – from getting inside our network.
Train Employees: All employees are trained on data security best practices, including the warning signs for malicious emails. We post about the newest threats on our company-wide social media site (Yammer), so everyone is up to date. This is critical - even the best spam filter isn't going to keep out 100% of malicious emails. It's vital for all employees to know what to look for. It only takes one click on a bad link or opening the wrong attachment and your entire company could be compromised.
What to Watch Out For
We understand a job board isn’t right for everyone. If you do still need to get resumes via email, take some precautions and watch out for the warning signs that something could be off. Some of the red flags include:
- Resumes sent with emails not customized to your company or the position in any way – this could be a sign of a hacker blasting an email to as many people as possible to try to up their chances of someone falling for it.
- Bad grammar and spelling - Emails containing malware are typically poorly written with grammar and spelling errors.
- Large file sizes – Resumes typically shouldn’t be very large files, so a large file size should raise a red flag.
- Weird file types – If you don’t recognize the file extension (or if it’s a file extension not typically associated with documents or resumes), don’t open it. This doesn’t mean a .doc file doesn’t contain malware, but if it’s a strange file type, it’s more likely you’re in for a nasty surprise.
- Macros – Do not ever enable macros on an attachment from an unknown sender (and be very, very cautious even when you know the sender). This has gotten to be such a common way of sending malware in an otherwise innocent-looking file that Microsoft has turned them off by default.
Of course, emails that don’t raise any of these red flags could still be dangerous. Always be careful when opening attachments from unknown senders.
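The file type, file size and macro red flags above can be checked on a saved message before anyone opens an attachment. The script below is an added example, not PTG's own tooling: the blocked extensions come from the list earlier in this post, while the document extensions, the 5 MB ceiling and all function names are assumptions, and the sample message is constructed.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the post lists as blocked at the mail gateway.
BLOCKED_EXTS = {".exe", ".scr", ".bat", ".js", ".jse", ".vb", ".vbe",
                ".wsf", ".wsh", ".cmd", ".pif", ".chm"}
# Assumptions, not from the post: typical resume formats and a size ceiling.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".odt"}
MAX_RESUME_BYTES = 5 * 1024 * 1024

def has_vba_macros(data: bytes) -> bool:
    """True if a zip-based Office file (docx/docm) contains a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container; legacy .doc needs an OLE parser

def triage_attachments(raw_message: bytes) -> dict:
    """Map each attachment name to the red flags it raises, without opening it."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "unnamed").strip()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower().rstrip(". "))[1]  # last extension wins
        checks = {
            "blocked-type": ext in BLOCKED_EXTS,  # also catches resume.pdf.js
            "unusual-type": ext not in BLOCKED_EXTS | DOCUMENT_EXTS,
            "large-file": len(data) > MAX_RESUME_BYTES,
            "macros": has_vba_macros(data),
        }
        report[name] = [flag for flag, hit in checks.items() if hit]
    return report

def build_sample() -> bytes:
    """Constructed sample message with three harmless placeholder attachments."""
    msg = EmailMessage()
    msg.set_content("Please see my resume attached.")
    fake_docx = io.BytesIO()
    with zipfile.ZipFile(fake_docx, "w") as zf:
        zf.writestr("word/vbaProject.bin", b"placeholder")
    for name, body in [("resume.docx", fake_docx.getvalue()),
                       ("resume.pdf.js", b"placeholder"), ("resume.pdf", b"%PDF-1.4")]:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

An empty flag list only means none of these checks fired; it does not mean the attachment is safe to open.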
Not accepting resumes via email may not seem like the friendliest way to recruit new employees, but it’s the safest for us – and security is a top priority.
Our friends at Propel HR have written more about best practices while hiring on their blog.