Integrity Alert #6: Internal Policy Bypass & The Gmail Trap

Alert Summary

Incident ID: IA-006

Vector: Platform-to-Email Hand-off / Identity Injection

Risk Level: MEDIUM-HIGH (PII Harvesting & Credential Theft)

Status: ARCHIVED

This forensic audit details an exploit where a criminal leveraged the Canada Job Bank's initial verification to obtain candidate data, then transitioned the interaction to a personal @gmail.com address. By impersonating a recruiter from a local firm with high Organizational GRC Drift (abandoned digital assets), the scammer made an unverified identity seem plausible to the average user.

Target / Method / Ultimate Goal

  • Target: Job Bank candidates who trust the platform’s initial “verification” of the employer.
  • Method: Identity Injection. Exploiting a legitimate company’s low digital hygiene (outdated blog, vague website) to create a “plausibility gap” where a personal Gmail address doesn’t immediately trigger a red flag.
  • Ultimate Goal: Harvesting PII (Personally Identifiable Information) and financial data by piggybacking on a trusted, local brand name.

VETTICA Audit: 4 Critical Internal Integrity Failures

1. Platform Vetting Failure: The Hand-Off

  • GRC Policy Critique: The scammer successfully extracted contact data through the Job Bank portal, proving the platform fails to regulate the “hand-off” to unverified external emails.
  • VETTICA Verdict: CRITICAL FAILURE. This allows a criminal to “launder” their initial contact through a government platform’s credibility.

2. Digital Identity Failure: Organizational GRC Drift

  • GRC Policy Critique: The target company’s site showed a total abandonment of public identity maintenance (the last blog post was December 2019).
  • VETTICA Verdict: IMMEDIATE FAILURE. Digital neglect creates a “soft target.” When a company’s own site looks semi-abandoned, a scammer’s poorly managed communication feels “on-brand” for that company.

3. IAM (Identity Access Management) Violation

  • GRC Policy Critique: The use of an @gmail.com address to represent a company with a professional domain (@devforce.ca) is a primary breach of corporate communication protocol.
  • VETTICA Verdict: IMMEDIATE FAILURE. The criminal relies on the candidate to ignore the lack of a corporate domain—a failure of the company to secure its own “Recruitment Perimeter.”

4. Communication Policy Failure

  • GRC Policy Critique: The legitimate company lacked a publicized “Communication Policy” stating that all official outreach must originate from the corporate domain.
  • VETTICA Verdict: FAILURE. Without a clear policy, there is no “Source of Truth” for the candidate to check against, allowing the Gmail trap to succeed.

VETTICA Action Plan: Hardening the Brand

  • End GRC Drift: Companies must maintain their digital assets (blogs, LinkedIn pages, “About Us”) to signal an active, secure presence. An abandoned blog is a beacon for social engineers.
  • Domain Enforcement: Never engage with “Recruiters” who use personal Gmail, Yahoo, or Outlook accounts for a company that owns its own domain.
  • Audit the Hand-off: We advocate for a Forensic GRC Policy Audit to bridge the gap between platform trust and email security, forcing companies to secure their public-facing identity.
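The "Domain Enforcement" and "Audit the Hand-off" points above, together with the IAM finding in the audit (personal webmail used for a company that owns @devforce.ca), reduce to a check a candidate or a mail-filtering team can automate. The following is an added example written for this alert, not VETTICA's tooling or anything from the company named in the audit: it parses a recruiter message's From and Reply-To headers, flags a sender on a free webmail provider claiming to represent a company with its own domain, flags a sender domain that does not belong to the claimed company, and flags a Reply-To that hands the thread off to a different domain. The sample addresses are constructed; only devforce.ca comes from the page, and the webmail list is illustrative rather than exhaustive.

```python
"""Recruiter-email plausibility check (added example, not VETTICA's own tooling)."""
from email.utils import parseaddr

# Webmail providers anyone can register. A company that owns its own domain has no
# reason to recruit from one of these. Illustrative list, not exhaustive (assumption).
FREEMAIL_DOMAINS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "live.com", "protonmail.com",
}


def domain_of(address_header: str) -> str:
    """Return the lowercase domain from a From:/Reply-To: header value, or '' if none."""
    _, addr = parseaddr(address_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def same_org(domain: str, company_domain: str) -> bool:
    """True when domain is the company domain or a subdomain of it (e.g. hr.devforce.ca)."""
    return domain == company_domain or domain.endswith("." + company_domain)


def assess_recruiter_message(from_header: str, claimed_company_domain: str,
                             reply_to_header: str = ""):
    """Assess a message whose sender claims to recruit for claimed_company_domain.

    Returns (verdict, findings): verdict is 'PASS' or 'FLAG'; findings lists the
    policy violations observed (empty on PASS).
    """
    company = claimed_company_domain.strip().lstrip("@").lower()
    sender = domain_of(from_header)
    findings = []

    if not sender:
        findings.append("unparseable sender address")
    elif sender in FREEMAIL_DOMAINS:
        # The IAM failure from the audit: personal webmail for a company with a domain.
        findings.append(
            f"sender uses personal webmail ({sender}) while claiming to represent {company}")
    elif not same_org(sender, company):
        # Lookalike or unrelated domain: not the company's own 'Source of Truth'.
        findings.append(
            f"sender domain {sender} does not match claimed company domain {company}")

    if reply_to_header:
        reply = domain_of(reply_to_header)
        if reply and not same_org(reply, company):
            # The hand-off: From looks corporate, replies are steered elsewhere.
            findings.append(f"Reply-To hands the conversation off to {reply}")

    return ("FLAG" if findings else "PASS"), findings


if __name__ == "__main__":
    # Constructed sample headers (not real messages).
    samples = [
        ("HR Team <recruiter.example@gmail.com>", "devforce.ca", ""),
        ("hr@devforce.ca", "devforce.ca", ""),
        ("Talent <careers@devforce.ca>", "devforce.ca", "recruiter.example@gmail.com"),
        ("Jobs <jobs@devforce-careers.example>", "devforce.ca", ""),
    ]
    for from_hdr, company, reply_to in samples:
        verdict, findings = assess_recruiter_message(from_hdr, company, reply_to)
        print(f"{verdict:5} {from_hdr!r}")
        for f in findings:
            print(f"      - {f}")
```

The check deliberately treats a subdomain of the company domain as the company's own, so a legitimate careers.devforce.ca sender passes, while a lookalike such as devforce-careers.example does not. It does not verify SPF/DKIM/DMARC; it encodes only the policy the alert asks companies to publish, namely that official outreach originates from the corporate domain.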
