[Update 12/28/2022] Reposting this because it came up in conversation with a recruiter today.
I've commented on this blog about the trend among recruiters of asking for the last 4 digits of a candidate's SSN in their first contact email (along with name, DOB, location and other PII). I thought I'd consolidate my thoughts in a post.
Let me explain the format of an SSN:
The first 3 digits are tied to the state where the applicant applied for their SSN. Since most people in the US are born, live and die within a 50-mile radius, this becomes guessable.
The next 2 digits are a group number and can be tied to the year the applicant applied for their SSN. States only issue from a few group numbers each year, and most Americans are issued their SSN in the first couple of years of their life. Where a recruiter doesn't know a candidate's age or year of birth, it can be estimated from information on the candidate's resume (graduation year or when the candidate entered the workforce).
The last 4 digits are assigned in sequence and aren't derivable from a candidate's information. These are the most significant digits for your privacy.
So for a large portion of candidates, someone holding the last 4 digits can whittle the SSN down to 1-25 possible options. You can see why I am concerned that such a request could be a phishing attack: someone I don't know asking for information that can lead to identity theft. The fact that you'd be submitting the info via email, which is insecure by design, adds another vector for possible theft.
I understand that firms are using Applicant Tracking Systems where the last 4 digits of an SSN are used to ensure candidates don't get double submitted, but I think many people are unaware of the risks.
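As an added example (not part of the original post), here is a small Python screener for candidate mail that flags the request pattern described above, an SSN fragment solicited together with DOB and location, and that also catches an SSN-shaped value in an outgoing reply. The regexes and the sample messages are constructed for illustration, not a vetted DLP ruleset.

```python
import re

# Phrases a first-contact recruiter email uses to solicit PII.
# These patterns are assumptions for this example.
SOLICITATION_PATTERNS = {
    "ssn": re.compile(r"\b(?:ssn|social\s+security)\b", re.I),
    "dob": re.compile(r"\b(?:dob|date\s+of\s+birth|birth\s*date)\b", re.I),
    "location": re.compile(
        r"\b(?:current\s+)?(?:location|home\s+address|zip\s*code)\b", re.I),
}
# An SSN-shaped value (hyphenated or bare 9 digits) in a reply body.
# The bare form can false-positive on other 9-digit numbers; tune for your mail.
SSN_VALUE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{9}\b")


def assess_email(body: str) -> dict:
    """Return the PII categories the message solicits, whether it contains an
    SSN-shaped value, and a risk level: 'high' when an SSN is requested
    together with DOB (the combination the post describes) or an SSN value is
    present; 'medium' when only an SSN is requested; otherwise 'low'."""
    solicited = [name for name, pat in SOLICITATION_PATTERNS.items()
                 if pat.search(body)]
    leaks_ssn = SSN_VALUE.search(body) is not None
    if leaks_ssn or ("ssn" in solicited and "dob" in solicited):
        risk = "high"
    elif "ssn" in solicited:
        risk = "medium"
    else:
        risk = "low"
    return {"solicited": solicited, "contains_ssn_value": leaks_ssn, "risk": risk}


# Constructed sample messages (not real correspondence).
RECRUITER_EMAIL = ("Hi! Great profile. To submit you to our client, reply with your "
                   "full name, DOB, current location and the last 4 digits of your SSN.")
BENIGN_EMAIL = "Thanks for applying. Are you free for a 30 minute call next Tuesday?"
REPLY_WITH_SSN = "Sure, my DOB is 1990-01-01 and my SSN is 123-45-6789."

if __name__ == "__main__":
    for msg in (RECRUITER_EMAIL, BENIGN_EMAIL, REPLY_WITH_SSN):
        print(assess_email(msg))
```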