
  Integrity Alert #6: Internal Policy Bypass & The Gmail Trap

    Alert Summary

    Incident ID: IA-006

    Vector: Platform-to-Email Hand-off / Identity Injection

    Risk Level: MEDIUM-HIGH (PII Harvesting & Credential Theft)

    Status: ARCHIVED

    This forensic audit details an exploit where a criminal leveraged the Canada Job Bank’s initial verification to obtain candidate data, then transitioned the interaction to a personal @gmail.com address. By impersonating a recruiter from a local firm with high Organizational GRC Drift (abandoned digital assets), the scammer made an unverified identity seem plausible to the average user.


    Target / Method / Ultimate Goal

    • Target: Job Bank candidates who trust the platform’s initial “verification” of the employer.
    • Method: Identity Injection. Exploiting a legitimate company’s low digital hygiene (outdated blog, vague website) to create a “plausibility gap” where a personal Gmail address doesn’t immediately trigger a red flag.
    • Ultimate Goal: Harvesting PII (Personally Identifiable Information) and financial data by piggybacking on a trusted, local brand name.

    VETTICA Audit: 4 Critical Internal Integrity Failures

    1. Platform Vetting Failure: The Hand-Off

    • GRC Policy Critique: The scammer successfully extracted contact data through the Job Bank portal, proving the platform fails to regulate the “hand-off” to unverified external emails.
    • VETTICA Verdict: CRITICAL FAILURE. This allows a criminal to “launder” their initial contact through a government platform’s credibility.

    2. Digital Identity Failure: Organizational GRC Drift

    • GRC Policy Critique: The target company’s site showed a total abandonment of public identity maintenance (the last blog post was December 2019).
    • VETTICA Verdict: IMMEDIATE FAILURE. Digital neglect creates a “soft target.” When a company’s own site looks semi-abandoned, a scammer’s poorly managed communication feels “on-brand” for that company.

    3. IAM (Identity and Access Management) Violation

    • GRC Policy Critique: The use of an @gmail.com address to represent a company with a professional domain (@devforce.ca) is a primary breach of corporate communication protocol.
    • VETTICA Verdict: IMMEDIATE FAILURE. The criminal relies on the candidate to ignore the lack of a corporate domain—a failure of the company to secure its own “Recruitment Perimeter.”

    4. Communication Policy Failure

    • GRC Policy Critique: The legitimate company lacked a publicized “Communication Policy” stating that all official outreach must originate from the corporate domain.
    • VETTICA Verdict: FAILURE. Without a clear policy, there is no “Source of Truth” for the candidate to check against, allowing the Gmail trap to succeed.

    VETTICA Action Plan: Hardening the Brand

    • End GRC Drift: Companies must maintain their digital assets (blogs, LinkedIn pages, “About Us”) to signal an active, secure presence. An abandoned blog is a beacon for social engineers.
    • Domain Enforcement: Never engage with “Recruiters” who use personal Gmail, Yahoo, or Outlook accounts for a company that owns its own domain.
    • Audit the Hand-off: We advocate for a Forensic GRC Policy Audit to bridge the gap between platform trust and email security, forcing companies to secure their public-facing identity.
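The “Domain Enforcement” rule above can be applied mechanically to any recruiter message before a candidate replies. The script below is an added illustration, not code from the VETTICA alert or from any of the companies it names: it parses a From: header, extracts the sender domain, and classifies it against the corporate domain the candidate expects (here devforce.ca, the domain the alert cites). It also flags the exact identity-injection pattern described in Failure #3, where the company’s brand appears in the display name while the address sits on Gmail. The free-mail provider list and all sample headers are constructed for the example; the lookalike domain uses the reserved .example TLD as a placeholder.

```python
"""Sender-domain check for recruiter outreach.

Added example for the "Domain Enforcement" action item; not code from the
VETTICA alert. Assumes the candidate knows the company's corporate domain
(devforce.ca, as named in the alert) and wants every message whose From:
address is not on that domain surfaced before replying.
"""
from email.utils import parseaddr

# Consumer mail providers that a company owning its own domain has no reason
# to use for official outreach. Constructed list, not from the alert.
FREEMAIL_DOMAINS = {
    "gmail.com", "googlemail.com", "yahoo.com", "yahoo.ca",
    "outlook.com", "hotmail.com", "live.com", "icloud.com",
}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the address in a From: header.

    parseaddr handles both 'user@host' and 'Display Name <user@host>'.
    Returns '' when the header carries no usable address.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def classify_recruiter_mail(from_header: str, corporate_domain: str) -> str:
    """Classify a recruiter message against the company's claimed domain.

    Returns one of:
      'corporate'   - address is on the corporate domain or a subdomain of it
      'freemail'    - address is on a consumer provider (the Gmail trap)
      'mismatch'    - some other domain that is not the corporate one
      'unparseable' - no usable address in the header
    """
    corp = corporate_domain.lower().lstrip("@")
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain == corp or domain.endswith("." + corp):
        return "corporate"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    return "mismatch"


def display_name_claims_company(from_header: str, company_name: str) -> bool:
    """True when the visible display name invokes the company brand.

    Combined with a non-corporate verdict this is the identity-injection
    pattern from the alert: the brand in the name, the real sender elsewhere.
    """
    name, _ = parseaddr(from_header)
    return company_name.lower() in name.lower()


# Constructed sample headers modelled on the alert's scenario.
SAMPLES = [
    "HR <hr@devforce.ca>",
    "DevForce Recruiting <devforce.recruiting@gmail.com>",
    "talent@careers.devforce.ca",
    "Recruiter <recruiter@devforce-careers.example>",  # constructed lookalike
    "no address here",
]


def triage(samples, corporate_domain="devforce.ca", company_name="DevForce"):
    """Return (header, verdict, brand_in_display_name) for each header."""
    return [
        (hdr,
         classify_recruiter_mail(hdr, corporate_domain),
         display_name_claims_company(hdr, company_name))
        for hdr in samples
    ]


if __name__ == "__main__":
    for hdr, verdict, brand in triage(SAMPLES):
        flag = "ok  " if verdict == "corporate" else "FLAG"
        note = " (brand in name, address elsewhere)" if brand and verdict != "corporate" else ""
        print(f"{flag} {verdict:<11} {hdr}{note}")
```

The subdomain test accepts careers.devforce.ca but rejects a registrable lookalike such as devforce-careers.example, which is why the check keys on the exact domain rather than on the brand string appearing anywhere in the address. A published Communication Policy (Failure #4) is what tells the candidate which value to pass as corporate_domain in the first place; without it, the check has no source of truth to compare against.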