Job scams: The hidden risk undermining employer trust in a talent-short market

In this exclusive conversation with HRO's Tracy Chan, Joe Choy, Partner at JSM, shares proactive and strategic measures that companies can take to protect their brand, their candidates, and their long-term credibility.

In today’s competitive talent landscape, where skilled talent is in short supply, a strong employer brand is more important than ever as the foundation for attracting and retaining top candidates.

A positive brand image is built on various pillars – authenticity, consistency, transparency, and responsibility – it is all about the trust and confidence the public has in a company.

Yet, while building a brand takes time and effort, it can be undermined in an instant – sometimes by threats that go unnoticed.

One such threat is job scams, where scammers impersonate companies to publicise fake job offers and defraud job seekers into sharing personal data or giving money.

Occasional job scams may not cause lasting damage if companies respond swiftly and clearly. But frequent impersonation can erode public trust, damage credibility, and lead to long-term reputational fallout as victims often associate the scam with the real brand, regardless of the company’s actual involvement.

“Generally, a company is not legally liable for scams conducted by third parties impersonating its brand, provided it is not found to have been involved in, or negligent in relation to, the fraudulent behaviour,” explains Joe Choy, Partner at JSM, in an exclusive conversation with HRO’s Tracy Chan.

“However, if the company fails to take reasonable steps to prevent or respond to known impersonation risks, it could give rise to adverse PR ramifications.”

The growing threat in Hong Kong

Alarmingly, statistics indicate that the scale of scam prevalence is growing, especially in Hong Kong.

According to Hong Kong’s Anti-Deception Coordination Centre (ADCC), the city recorded 4,083 cases of employment fraud in 2024, up 3.9% year-on-year.

While financial losses caused by employment fraud dropped slightly compared to the previous year, the amount still stood at a significant HK$819.6mn.

Meanwhile, as cited by South China Morning Post, the Cybersecurity and Technology Crime Bureau of the Hong Kong Police Force recorded 2,148 online employment scams from January to May 2025, an increase of 92.1% year-on-year.

In the face of rising scams, Choy emphasises the importance of swift and strategic action.

“If a company discovers that it is being impersonated, its first step should always be to monitor and document all records it can of the scam with a view to collating and preserving evidence, such as by taking dated screenshots and saving available communications with the scammers,” he advises.

“From a practical standpoint, the company should consider reporting the incident to the ADCC of the Hong Kong Police Force, which specialises in handling fraud cases.”

Meanwhile, companies should also:

  • Issue public warnings via official channels, such as the company's website and social media, to alert other job seekers and clarify legitimate recruitment channels.
  • Engage brand protection services to monitor and remove fraudulent content online.
  • Consult legal advice to assess potential liabilities and prepare for any regulatory enquiries.

Prevention is better than cure

While swift action is essential to minimise immediate harm, companies should also take a more proactive role in advance to better protect both themselves and job seekers.

As such, Choy has outlined several preventative measures:

  • Centralising all job listings, directing all applicants to apply exclusively through the company's own official careers page or a designated and verified recruitment platform. This allows the company to maintain control over its recruitment pipeline, reducing the risk of impersonation via unofficial channels.
  • Implementing a secure verification portal, which would allow candidates to confirm the legitimacy of job offers and the identity of recruiters directly through the company's official website.
  • Including clear disclaimers in all job advertisements and recruitment communications, explicitly stating that the company does not, for example, request payment, sensitive personal information, or banking details at any stage of the recruitment process. Taking this simple step can help alert job seekers to red flags of fraud and reduce their likelihood of falling victim to such scams.
  • Actively monitoring online recruitment platforms, including job boards and social media, for signs of impersonation. When fraudulent activity is detected, prompt public alerts and takedown requests can help mitigate harm and demonstrate the company's commitment to protecting job seekers.

Verifying the legitimacy while protecting privacy

Beyond shielding job seekers from fraudulent offers, companies must also protect themselves from impersonation or fraud by candidates.

In that sense, Choy recommends that HR teams implement robust verification systems, such as multi-factor authentication and document verification protocols, to confirm the legitimacy of candidates.

However, these measures must be prudently balanced with privacy considerations.

In Hong Kong, companies are subject to obligations under the Personal Data (Privacy) Ordinance (PDPO) when handling personal data during recruitment.

“Striking the right balance between verifying the legitimacy of job applications and safeguarding applicants' privacy is essential – not only for legal compliance, but also to build and maintain trust throughout the hiring process,” Choy stresses.

He further elaborates on several key steps companies should take to protect candidate privacy:

  • Adopt a data minimisation approach: Collect only the personal data strictly necessary to assess a candidate's suitability for the role being recruited for. Avoid requesting sensitive candidate information at this stage, unless there is a compelling and reasonable reason to do so.
  • Provide clear notifications: Under the PDPO, employers are required to notify applicants on or before collecting their personal data, typically by way of a Personal Information Collection Statement (PICS). A well-drafted PICS should outline the purpose of data collection, the types of data being collected, the classes of transferees, whether provision of the data is obligatory or voluntary, and the applicant's rights to access and correct their data.
  • Ensure secure data storage: Use encrypted systems and implement access controls to ensure that only authorised personnel can view or process sensitive information. This helps reduce the risk of internal breaches or misuse.
  • Implement and adhere to a data retention policy: In Hong Kong, personal data of unsuccessful applicants should generally be retained for no longer than two years, unless the applicant has given explicit consent for a longer retention period or there is otherwise a subsisting reason that obliges the employer to retain the data for a longer period.

Extra care should also be taken when third-party platforms or agencies are involved.

“Companies must exercise due diligence when selecting external recruiters,” Choy emphasises.

“This includes thoroughly vetting recruitment agencies and requiring them to adhere to the organisation's data privacy and cybersecurity standards. Formalising these expectations by incorporation into service agreements or standalone confidentiality agreements can increase legal accountability and compliance of third parties.”

Final note

While Hong Kong law does not currently require companies to report crimes or data breaches, Choy advises that organisations should still take proactive steps when such incidents occur. This includes reporting scams to the ADCC, and notifying the Office of the Privacy Commissioner for Personal Data (PCPD) if any personal data has been compromised.

After all, in a market where reputation is everything, job scams are more than just a nuisance – they are a strategic risk. Companies must treat impersonation threats with the same seriousness as cybersecurity breaches, taking swift, transparent, and proactive measures to protect their brand, their candidates, and their long-term credibility.
