Last month, I got the invitation of a lifetime in my inbox: Vogue wanted to purchase my freelance writing services to cover a fashion event in Canada. The email, with the subject line “Vogue Talent Recruiting Team,” arrived at a time when I was specifically looking for new assignments to dig into after I finished a six-month research contract. Surprisingly, editor-in-chief of British Vogue Edward Enninful himself was reaching out to me by email to offer me an all-expenses paid trip to Toronto, plus payment for coverage of the event. 

When I read the email again, I noticed something was off. Enninful’s email address wasn’t a standard Condé Nast address — it was a Gmail account. His name also didn’t appear on the “From:” space — instead, the email was from “Condé Nast.” There were typos, and the writing was awkward: “Our reps came across your past works online and with interest we thought you might be interested in joining the rest of the team.” It just didn’t sound like someone in charge of a major magazine.

I knew the job offer was a sham. This was not Edward Enninful from British Vogue. It was someone pretending to be Enninful in order to get something from me. Sure enough, when I asked for more information, I got a PDF full of typos, with a table of costs they would cover for my trip. 

Job scams generally consist of bogus employment offers that seek to take advantage of the job seeker somehow. There are many different kinds of job scams, but scammers are generally after two main things: either the job seeker’s personal information or a way to steal the job seeker’s money through bogus offers. 

Protecting yourself from job scams is as much about cybersecurity as it is about doing your research and generally being a little skeptical about the company that is trying to hire you. As you’ve heard before, you want to make it as hard as possible for scammers to hack into your accounts by using two-factor authentication and regularly changing your passwords. But making sure you’re not getting scammed also draws on new skills, like spotting the tiny details that show something’s not right. In my case, the Gmail address gave it away.

I suspect my own scammer was after one of two things: either spear phishing to gain access to my accounts or sending me a bad check to cover the cost of the trip.

“This is a common scam,” explained Bryan Hornung, CEO of Xact I.T. Solutions. “They send you a bad check that takes about a week to bounce. You pay the ‘travel agent’ for the cost of the ‘trip,’ thinking you are being reimbursed. They take your money for the trip, and eventually, your bank returns the check you deposited from them. You’d be out $3,950 plus any bank fees.”

Ariel Robinson, senior product manager of security at New Relic, was more suspicious about a spear phishing attempt, given the fake PDF that was sent to me. “The scammers are trying to get you as the victim to send them your personal information,” Robinson explained. “I would go through, change all of your passwords, and run a virus scanner or see if you can restore your laptop to before you opened this attachment.” 

If the people who targeted me had gotten enough of my personal and financial information, they could have made me into an unwilling money mule by setting up bank accounts and credit cards through identity theft.

Either way, what attracted the scammers to me as a target is that I am a freelance writer who is currently looking for work. I will probably never know how much they actually know about me — did they see me asking for assignments on Twitter? Did they get my email from my Twitter bio or from my website? Did they care that I have never once written about fashion? — but Robinson says how much I share online is key to keeping myself safe.

“This is something that is difficult for freelance writers in particular,” Robinson, who used to be a freelance journalist before pivoting into cybersecurity, explained. “To make our living, we have to put ourselves out there, right? You have a website. You make your contact info readily available. That means that we have to be extra careful and extra judicious because we make ourselves that much easier to find.”

According to the Federal Trade Commission, job scams are on the rise. In 2021, the agency received more than twice the number of job scam reports than in 2020, and in the first quarter of 2022, there were already more than 16,000 complaints filed. And it’s not just freelancers like me who are vulnerable — before the remote work boom, spotting fake opportunities that swindled workers of their money was easy: working from home with flexible hours was what made opportunities suspicious, too good to be true. But now, with more and more employers offering WFH and hybrid arrangements, how can workers tell a scam apart from a good opportunity?

Robinson says that the old “if it’s too good to be true, it’s because it is” rule still stands despite a shift in working culture post-pandemic. Unfortunately, much of the onus to stay safe falls upon the job seeker or gig worker who is simply trying to make a living. 

Researching the company to make sure it’s real is essential, as is looking for red flags like typos and researching the person who reached out to you. Not opening any attachments — a mistake I made out of curiosity — until you confirm the opportunity is legitimate is also crucial, as is not sharing your bank information with companies who reach out to you. Observing the email domain, which was ultimately what gave my scammers away for using Gmail rather than the standardized Condé Nast email format, can also reveal the legitimacy of the offer.

“When I was a writer and I needed to be easy to find, I abided by some safety tips to keep myself safe,” Robinson said. “I never post about where I am. I never talk about location. If I talk about location, it’s very broad, and I also turned geolocation off on all of my devices. I check all of my app permissions regularly to make sure it’s still turned off.” 

Robinson also flags LinkedIn for being rife with scammers, particularly because it’s a networking-based app where job seekers are eager to meet people who might offer them a job. “Be judicious,” Robinson says. “Actually go to the person’s profile and look at it.”

Encountering a scam I could have fallen for has strengthened my commitment to my own cybersecurity. As Robinson suggested, I changed my passwords and ran an antivirus scan on my laptop — indeed, as she warned me, malware was found and deleted. But Robinson wants internet users to know they can protect themselves from scams if they are alert and set boundaries around the information they share.

“The data economy is huge,” she said. “But users aren’t helpless. We have more agency than we think we do.”

For more than two decades, Lorraine* has known her ex-boyfriend is watching her. She cut contact with him 20 years ago, but in Facebook posts and intimidating emails, he makes sure she knows he’s still keeping tabs, from the birth of her children to her most recent wedding anniversary. After years of abuse that resulted in a PTSD diagnosis and intense nightmares, the notes are chilling, and make her uncomfortable putting any personal information in an online space where he could see it.

“It’s affected my relationship with my friends,” Lorraine says. “It’s affected my relationship with my partner. It’s affected my ability to feel safe.”

The advice many survivors like Lorraine receive when they look for help is to leave their online life behind and delete themselves from the internet entirely. There are many tutorials on how to delete your online presence. Given how often abusers use digital channels to harass their targets, erasing yourself can seem like the obvious choice. But interpersonal abuse thrives on the alienation of its victims, and some kind of online presence can be a crucial lifeline for people trying to escape their abusers and rebuild a new life. 

 

This story is part of Keep it Locked: how to protect yourself online.

Tony Hunt, chief development officer of Operation Safe Escape, a nonprofit organization that helps victims of domestic violence escape their abusers, says deleting yourself from the internet could be exactly what the stalker wants. “It’s about control, they want to isolate you because that gives them absolute control over everything you do,” Hunt explained. “It’s easy to think you need to disappear, but you don’t need to.”

It’s an urgent question for thousands of people quietly struggling with domestic violence. One in four women and one in nine men will experience severe intimate partner physical violence at some point in their lives, according to the National Coalition Against Domestic Violence. One in seven women and one in 18 men have been stalked by an intimate partner during their lifetime, to a point where they felt very fearful or believed that they or someone close to them would be harmed or killed. A 2015 survey of college students found that nearly 75 percent had experienced some kind of tech-assisted intimate partner victimization in the past year.

For Lorraine, deleting herself from the internet didn’t feel like a solution. “It felt like I was removing my online liberty because of someone else’s abuse,” she said. “Both my husband and I have worked in various countries, so social media is brilliant for keeping in contact with people that we rarely see. We wouldn’t want to lose that ability.”

Julia’s* ex-partner surveilled her even when they were together and continued to do so after they had broken up, which made online spaces particularly dangerous. But instead of retreating, the threat inspired her to learn more about internet security, and to be more careful with how and where she logged on. For her, establishing safe communications with trusted people was particularly essential.

“An abusive relationship is already devastating, and shrinking afterwards adds to the devastation,” Julia said. “We can develop intentional boundaries on the internet, it doesn’t have to be all or nothing. It was better for me to learn more about internet security, privacy, and different tools stalkers can use than retreating, because that knowledge empowered me to have a more realistic sense of what is possible.”

Some survivors also worry that disappearing entirely will escalate the situation, according to University of Kentucky professor TK Logan, who researches cyberstalking. “I’ve had victims say, he was threatening me and doing all this stuff through social media so I got off social media,” she explained. “And now all the survivor can think about is, ‘Oh, my God, what is he doing? Is he just going to show up physically?’”

Hunt frames the security measures survivors should employ as a new kind of lifestyle where survivors are intentional about their online presence, rather than a disappearing act. “The priority is making sure that nobody’s advertising everything about their personal lives,” he said. “Because [the abuser] will have something that will give them access to the kids or their location or their regimen throughout the day. Once you’ve established those boundaries and you start living your life again, you’ll be glad you did it.” 

Though Operation Safe Escape trains survivors on more general security protocols rather than only focusing on online security, Hunt says technology-facilitated abuse comes up often. Part of the organization’s job, in partnership with the Coalition Against Stalkerware, is to identify developers that claim their software is for law enforcement, but actually sell their products to individuals looking to coerce and control their victims.

“What happens is, you have boyfriends who will pay contractors to install a keylogger on their girlfriend’s computer, and all of a sudden, a whole new world opens up,” Hunt said. “If the abuser has the right tools and he has physical access to the device, in 30 to 60 seconds there’s a lot he can do.” 

With regard to these higher-level security threats that include hacking and surveillance, Hunt recommends survivors get directly in contact with Operation Safe Escape so they can be guided on what options they have to leave safely and regain their life and autonomy. “We are really selective about who we work with and how much information we put out there,” Hunt explained. “Once that information is out there, guess who tries to use it against survivors?” Logan also recommends setting up multiple-factor authentication, and directs survivors to the Stalking and Harassment Assessment & Risk Profile (SHARP) tool.

The most reliable way to detect stalkerware on an Android device is to run an antivirus app and do a scan. For iOS users, Apple provides a step-by-step guide for detecting invasive apps. The Coalition Against Stalkerware also recommends that potential victims keep a log of what they are experiencing, to help detect patterns and show the history of what has been happening if they choose to get help from law enforcement or a survivor assistance charity.

But even given the threat of malicious software, the most effective protections still rely on a strong support network, which is much easier to build when you’re connected. “The goal is to put up as many barriers, make it as difficult as possible for the stalker,” says Logan, “and then the other step is to get support.”

*Some names have been changed to protect sources who have been targeted by abuse.