
The hidden cyberthreat: what recruiters need to know about social engineering risks

As a recruiter, your work relies heavily on trust, communication, and handling sensitive data, whether that’s candidate CVs, ID documents, or client banking details. But that trust can be exploited, and recruitment agencies are attractive targets for cybercriminals. One of the most deceptive threats is social engineering, a form of attack that manipulates people into handing over confidential information or authorising fraudulent transactions.

These types of scams are on the rise. In 2024, there was a sharp increase in phishing and social engineering attacks, with 42% of organisations reporting such incidents, according to the World Economic Forum’s Cybersecurity Report.[1] This approach doesn’t require complex code. Instead, it exploits human behaviour, urgency, familiarity, and helpfulness. And that makes it much harder to recognise in real time.

Why your agency might be at risk

Your agency handles high volumes of personal data and processes financial transactions on a regular basis. This makes your business a lucrative and vulnerable target. From payroll to contractor fees, your systems handle transactions that fraudsters are eager to intercept.

Social engineering in action

At Marsh Commercial, we regularly encounter these types of attacks, and in most cases, the aftermath is devastating. In one case, fraudsters posed as a reputable company, claiming to need contract staff for a UK market launch. Everything appeared legitimate: interviews, contracts, even references. However, it was all a sham, resulting in a substantial financial loss.

Here are the key lessons and due diligence points from this case that can help others avoid similar traps:

  • Exploiting urgency and authority – The scammers relied on the credibility of a big name and created time pressure.
  • Remote-only communication – No physical meetings or video calls were arranged.
  • Newly created domains – The email domain resembled the authentic brand but had only recently been registered.
  • False documentation and identities – All of which passed basic checks.

Common tactics include:

  • Impersonating a client or candidate through email to trick you into updating bank details.
  • Spoofing a director or colleague, asking for urgent fund transfers.
  • Intercepting placement communications to reroute payments to fake accounts.
  • Cold calling with a new enquiry that demands an urgent or quick resolution.

You might not realise what’s happened until the money’s gone, sometimes days later. By then, recovering it is challenging.

Red flags: how to spot a social engineering attempt

Being aware of the warning signs can help protect your agency. Here are some key red flags recruiters should watch out for:

  • Sudden urgency to process a payment or onboard a contractor.
  • Unusual communication channels (for example, moving from email to WhatsApp).
  • Calls and/or email communication only, with no in-person or video contact.
  • Requests to change bank details.
  • Generic or recently created websites.

Use tools like Sendmarc, Whois Lookup, ScamAdviser, or Companies House to vet suspicious domains or registrations. Look for incorporation dates, director links to other shell companies, and discrepancies in company credentials.
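The two domain checks above (how recently the domain was registered, and whether it merely resembles a client you already work with) can be scripted so they run on every new enquiry. The following is an added example, not tooling from Marsh Commercial or REC Insurance Services; the trusted-domain list, the WHOIS record and the dates are constructed, and it assumes domains are supplied as the registrable name (no subdomains) and that a WHOIS lookup has already been performed.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed sample data: client domains the agency already works with.
TRUSTED_DOMAINS = {"acme-recruit.co.uk", "globex.com"}

# Constructed WHOIS-style output for the sender's domain (not a real record).
SAMPLE_WHOIS = """Domain Name: acmerecruit-uk.com
Creation Date: 2025-05-02T10:14:00Z
Registrar: Example Registrar Ltd
"""

# Digits commonly swapped for letters in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain: str) -> str:
    """Reduce a domain to a comparable label: first label only (assumption:
    registrable name is supplied), hyphens removed, confusables mapped."""
    label = domain.lower().split(".")[0]
    return label.replace("-", "").translate(CONFUSABLES)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_age_days(whois_text: str, today: date) -> Optional[int]:
    """Parse the 'Creation Date' line of a WHOIS record; None if absent."""
    m = re.search(r"Creation Date:\s*(\d{4})-(\d{2})-(\d{2})", whois_text)
    return None if not m else (today - date(*map(int, m.groups()))).days

def assess_sender(domain: str, whois_text: str, today: date,
                  trusted=TRUSTED_DOMAINS, max_age_days: int = 90) -> List[str]:
    """Return red flags: resemblance to a trusted client domain and/or a
    registration newer than max_age_days. Exact trusted matches are clean."""
    flags: List[str] = []
    if domain.lower() in trusted:
        return flags
    label = normalise(domain)
    for t in trusted:
        tl = normalise(t)
        if tl in label or levenshtein(label, tl) <= 2:
            flags.append(f"lookalike of trusted domain {t}")
            break
    age = domain_age_days(whois_text, today)
    if age is None:
        flags.append("no creation date in WHOIS record")
    elif age < max_age_days:
        flags.append(f"domain registered only {age} days ago")
    return flags
```

Any flagged enquiry should be escalated for the video call and ID verification described in the next section rather than being rejected automatically.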

Due diligence and risk management for recruiters

Here are some practical steps you can take:

  • Verify domains and digital identities of any new clients.
  • Don’t skip video calls or ID verification—especially for high-value deals.
  • Use third-party platforms like Trulioo, Entrust, or Thirdfort for background and KYC checks.
  • Require escrow or advance payment before committing to payroll exposure.

Train your team using real case studies—this isn’t just about phishing anymore.

Consider implementing Governance, Risk Management, and Compliance (GRC) protocols, even if you’re a small agency. A designated internal risk team, or regular red-flag reviews of new opportunities, could prevent a catastrophic loss.

Check your insurance

Even with the best training, these scams cannot always be stopped. That’s why it’s vital to review your insurance cover. Many recruiters assume their cyber insurance protects them from all cyber-related losses, but that’s often not the case.

Here’s what to look for specifically in your policy:

  • Social engineering cover – Protection against losses caused by deception or impersonation.
  • Crime insurance – Covers both internal (employee) and external fraud.
  • Funds transfer fraud cover – Protects against unauthorised payments made in error due to manipulation.

Stay alert and stay covered

Recruitment is a fast-paced process, and cybercriminals are aware of it. They rely on that speed and trust to catch you off guard. Take the time to train your team, verify unusual requests, and contact your REC Insurance Services adviser to review your cyber insurance cover.