No phishing! How recruitment agencies can improve their IT security against cyber scams

By Francis West on 22nd January 2019
Filed under: Technology, Security

Technology can transform life and commerce, but what may be an opportunity for business is equally an opportunity for cybercrime.

Criminals have long known the value of personal information and they know recruitment agencies have lots of it. Agencies depend heavily upon their databases and email communications, making them particularly vulnerable to different forms of cybercrime, not least phishing.

What is phishing?

Phishing is the fraudulent attempt to gain personal, confidential or financial information, often passwords or bank account details, through seemingly genuine emails, phone calls or texts.

According to SAFERjobs, a non-profit organisation combatting crime in the recruitment sector, there has been a 300% increase in phishing expeditions in two years. 

We all like to think we could spot a scam, but the truth is that criminals are getting away with it because they are becoming more sophisticated; they can make phishing messages look increasingly trustworthy.

How are recruitment agencies attacked by cyber criminals?

Criminals target an agency and its clients. Fake invoicing is a common trap for businesses: you buy monthly slots on a job advertising website and you receive an email from its “accounts department”, warning that you’re about to exceed your monthly limit. ‘To secure an extra 10 slots for this month, just enter your card details…’

Criminals also pretend to be clients offering a fee for candidates. They ask you for bank details to transfer the money. 

Your employees have access to a lot of personal data and criminals may try to persuade them to pass on confidential information about an applicant, either by pretending to be that applicant or a potential employer.

Phishing emails may contain links to malware. Recruiters are particularly vulnerable to this because of the number of unsolicited emails with links to CVs they receive. Instead of a CV, that link or attachment could download software that tracks keyboard movements or shares your screen so passwords and sensitive data can be gathered.

There have also been some high-profile ransomware attacks on large institutions recently. The malware is inadvertently downloaded and spreads, infecting any networked machine. Computers crash, recruiters are locked out of their databases and they can’t contact anyone or track progress. They literally lose the ability to operate.

In around 20% of cases, even when victims pay their ransom, they don’t get their systems back, because the criminals don’t have the technical capability or they just don’t care once they have the money. 

The impact of phishing

If you don’t have the right protection and staff training then you may not be meeting your legal obligations under GDPR. In that case, not only can a phishing attack cost individuals money, your company can receive a fine of up to four million Euros or up to 4% of your global turnover. 

Other consequences of a phishing attack include:

* Damage to your organisation’s reputation

* Commercial loss while your business is offline

* Theft from individuals’ bank accounts

* Identity theft 

How to protect your recruitment business against phishing attacks

Businesses have three main lines of defence against phishing attacks: technology, people and governance.

  • Technology. Ensure you have the right software configured properly to protect your business and test it against simulated phishing attacks to see how it stands up. Keep your software up to date. Ensure you have a backup solution to enable you to recover your information and systems in the event of an attack getting through your security systems. 

  • People. According to a report from global risk brokers Willis Towers Watson, around 90% of cyberattacks result from human weakness. Your staff are on the frontline of cyber-attacks, so ensure they’re aware of the issue, vigilant for occurrences and trained to spot them.

  • Governance. Ensure you have the correct policies and procedures in place to help prevent attack and to mitigate against the effects of a breach in your defences, ensuring you can still operate. Inform candidates about the nature of your interaction with them so they can better spot a phishing attempt if an email doesn’t seem right. Consider putting cyber insurance in place.


If you don’t have your own in-house IT security expertise, make sure your IT support provider is in a position to help protect your systems and has a recovery programme in place that will get you back online as soon as possible after an attack.

About Westtek Solutions 

Westtek Solutions has built decades of experience operating as the Technology Success Partners of choice for many of the UK’s leading independent recruitment agencies.  

Based in Apsley, Hertfordshire, Westtek Solutions operates nationally and internationally. If you’re looking for a proactive technology success partner that offers strategic consulting and technical support services to help you maximise productivity, contact Westtek Solutions on 020 3195 0555.

We make sure your technology works for your business and not the other way around.