The Perils of Online Job Sites

Posting a résumé on the Internet is an accepted strategy for many job seekers, but doing so can attract more than just potential employers. ID thieves and marketers look for e-mail addresses, phone numbers and other personal information. First in a series by Kendra Mayfield.

Online résumé sites are one of the few recession-proof businesses still thriving on the Internet.

But job seekers who post their résumés online may be handing their personal data over to marketers and identity thieves instead of legitimate employers, according to a report released recently by the Privacy Rights Clearinghouse.

"You cannot post your résumé online without some kind of risk," said privacy expert Pam Dixon. "There is no such thing as a perfectly private résumé database."

Approximately 50 million résumés reside online, Dixon estimates. Online job behemoth Monster.com lists more than 24 million résumés, while HotJobs and CareerBuilder.com host another 10 million.

More than 80 percent of HR professionals use Internet job postings to find candidates, and 96 percent of job seekers use these postings to find jobs, according to the Society for Human Resource Management. Thus it's not surprising that résumé databases are a significant revenue source for online job sites. In 2002, 30 percent of Monster's profit came from its résumé database, Dixon said.

However, job sites aren't the only ones profiting from this trend. With millions of résumés now online, identity thieves and marketers are turning to online résumé databases to poach data such as e-mail addresses, phone numbers and other personal information.

Identity thieves have also been known to post fake job listings, then require that applicants submit additional personal data, such as social security numbers, credit card numbers or bank account information, Dixon said.

Monster recently issued a critical service message to its active users acknowledging that fake job listings are being used to gather and steal personal information from online job seekers. The company's e-mail to millions of job seekers appears to be the first time one of the major job sites has addressed the dangers of identity theft with its users.

"It's an indicator that fraud has crept into this industry, and perhaps not in small numbers," agreed Beth Givens, director of the Privacy Rights Clearinghouse.

MSNBC recently reported on an identity theft case in which a man fell victim to a fraudulent job listing on Monster.com. A con artist posing as a recruiter asked him to provide detailed personal information for a background check.

"It's the first time we've heard of (a scam involving) someone claiming a background check," said Les Rosen, president of Employment Screening Resources. "Because background screening is heavily regulated, the idea that somebody would claim a background check through the Internet makes no sense."

Regulated under the federal Fair Credit Reporting Act, background checks involve a written authorization from an applicant, who is entitled to a separate written disclosure before the process occurs.

"Simply clicking a button on the Internet is not legally sufficient," Rosen said.

Monster spokesman Kevin Mullins said only paying member companies are allowed access to résumés on the site, and if a paid member violates the company's terms of service, then its access is blocked. Monster will also remove any suspicious job postings that customers report.

Identity theft is "very rare, but as a leader in the industry, we want to be out in front of any problems," said Mullins.

Dixon says the incidence of fraud is much higher -- she estimates that 1 to 7 percent of job seekers encounter some sort of identity theft on résumé databases.

However, it's difficult to quantify the number of identity theft victims who have had information stolen from them through online job sites.

"Most victims of identity theft have no idea how this happened," said Betsy Broder, assistant director of planning and information for the Federal Trade Commission. "It's difficult to track (identity thieves) because it's so easy to cover your tracks using the Internet."

Since the Sept. 11 terrorist attacks, the number of employers doing background checks "has skyrocketed," Givens said. To comply with the Patriot Act, some employers are requiring prospective employees to provide personal data before they're hired.

Identity thieves posing as legitimate employers have taken advantage of this heightened use of background checks to glean user data, Dixon said.

"It's led to con artists picking up on the trend and exploiting it," Dixon explained. "Prior to Sept. 11, if you posted a résumé online the risk was much smaller."

In addition to identity thieves, marketers have also gained illicit access to résumé databases.

In a September 2001 report, the Privacy Foundation criticized Monster's privacy practices. The report alleged that Monster failed to remove deleted résumés and discussed selling private data to marketers.

Monster denies that it has ever considered selling customer data. "We don't sell résumés," Mullins said.

But data mining and selling job-seeker data is a common industry practice "that hasn't gone away and won't any time soon," Dixon said.

The risk that illicit marketers or identity thieves might use a résumé may be higher on one of the major online job sites than on some smaller niche sites, such as MedZilla.com, a health, pharmaceutical and biotech job site.

"(The big job sites) cannot take the time we can to review the job postings and the clients they work with," said Frank Heasley, president and CEO of MedZilla.

MedZilla carefully screens recruiters and employers, while closely monitoring activity logs to make sure that clients are using résumés for recruiting and employment purposes only. The site also offers candidates a MedZilla e-mail address, so all contacts are initiated through the company's mail server, which is configured to block spam.

The Privacy Rights Clearinghouse has issued privacy tips to help online job seekers protect themselves from false postings and minimize privacy issues.

Job seekers should validate recruiters' and employers' background information before handing over their personal data, Dixon advises. They shouldn't divulge any social security or bank account information before they are hired. If possible, job seekers should apply directly to an employer's corporate website rather than posting their résumé on a third-party website.

Job seekers who believe their résumé or personal job-search data has been shared or violated can file a complaint on the Federal Trade Commission's identity-theft website.