A recent job posting on LinkedIn sought applications for one of the most prestigious jobs in Silicon Valley: CEO of tech giant Google.
But Google CEO Sundar Pichai isn’t about to step down. Rather, the job posting was phony—created by Michel Rijnders, a recruiter in the Netherlands who spotted a vulnerability in LinkedIn and decided to see what would happen if he exploited it.
While it was just a stunt, the incident sheds light on the very real problem of fraudulent job posts that are used to steal personal information from applicants. In some cases, businesses post them simply to snoop on rivals by uncovering which of their employees are looking for new jobs.
Zack Allen, director of threat operations at computer security firm ZeroFOX, says company has found thousands of fake job ads online in the past six months.
“These are especially prolific because many job websites require little to no verification of posting the job, and other job sites aggregate postings,” Allen says. “These aggregation websites help amplify the job ad, which makes it more attractive for cyber criminals as it’s a low-cost way to boost their signal.”
It can even go as far as job seekers being interviewed by fake employers, says Rob Paone, founder of recruiting agency Proof of Talent. For remote positions, some fraudsters even offer jobs to applicants, who are then asked for their banking information and their social security numbers, Paone says.
It’s unclear what percentage of job postings online are fraudulent, however. But the problem is big enough that LinkedIn says it has a team of human moderators devoted to catching suspicious job posts before they’re public on the site.
“This is something we are investing heavily in understanding better,” says Sophie Sieck, a LinkedIn spokeswoman. “These online scams are really savvy. They can be super complicated, so big focus is working to understand and prevent them.”
Unknown accounts are routinely flagged for review, she tells Fortune. Additionally, the reviewers work to make sure that the companies mentioned in the new postings actually exist, and if someone posted a job for the first time, that they have approval to do so. The vetting also relies on the community to help flag any posts that are suspicious, Sieck says.
In addition to the posting for the Google CEO, Rijnders also managed to create a job post for the CEO position at LinkedIn. It was possible because LinkedIn began testing free job postings two weeks ago for small and medium-sized businesses, which is when Rijnders discovered the vulnerability.
Recruiters, it turned out, could edit the company field in their job postings after their ads went live, Sieck tells Fortune. Rijnders merely switched the companies listed in two ads to Google and LinkedIn.
No one applied to the fake jobs and that they were quickly removed, according to Sieck.
Creating postings “that intentionally misrepresent the job, hiring company, or poster” is a violation of LinkedIn’s terms of service. But in this case, LinkedIn gave thanks to Rijnders after he tweeted about his discovery on July 25.
Ultimately, the case serves as a lesson for job seekers to do their due diligence before sharing any personal information on a job application.
“If you’re never heard of the company, do a quick Google search before applying,” Paone says. “If there isn’t an publicly available information about the company, it might be best to not apply.”
Allen adds: “Basic cybersecurity hygiene also protects those who do fall victim to these attacks. Two factor authentication, password managers and backup codes for your devices can help save you during a compromise.“