I’ve commented on this blog about the trend recruiters have where they ask for the last 4 digits of a candidate’s SSN in their first contact email (along with name, date of birth, location and other PII). I thought I’d consolidate my thoughts in a post.
Let me explain the format of an SSN:
The first 3 digits are tied to the state where the applicant applied for their SSN. Since most people in the US are born, live and die within a 50-mile radius, this becomes guessable.
The next 2 are a group number and can be tied to the year the applicant applied for their SSN. States only issue from a few group numbers a year, and most Americans are issued their SSN in the first couple of years of their life. Where a recruiter doesn’t know a candidate’s age or year of birth, it can be estimated from info on the candidate’s resume (graduation year or when the candidate entered the workforce).
The last 4 are assigned in sequence and aren’t really derivable from a candidate’s information.
So for a large portion of candidates, someone who knows the last 4 can whittle the SSN down to 1-100 possible options. You can see why I am concerned that this could be a phishing attack: someone I don’t know asking for information that can lead to identity theft. Add to that the fact that the info is submitted via email, which is insecure by design, and there is another vector for possible theft.
I understand that firms are using Candidate Tracking Systems where the last 4 digits of an SSN are used to ensure candidates don’t get double submitted, but there are risks involved that I think many people are unaware of.
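As an added example (not part of the original post, and not any particular tracking system’s code), here is how a deduplication key can be built from contact details instead of SSN digits, and why storing a plain hash of the last 4 would not help: the digest is reversible in at most 10,000 guesses. The secret, names and email address are constructed sample values.

```python
import hashlib
import hmac
import unicodedata
from typing import Optional


def normalize(value: str) -> str:
    """Fold case, accents and surrounding whitespace so resubmissions match."""
    folded = unicodedata.normalize("NFKC", value).casefold()
    return " ".join(folded.split())


def candidate_key(email: str, full_name: str, secret: bytes) -> str:
    """Deduplication key built from contact details only; no SSN digits.

    The key is an HMAC under a server-side secret, so a leaked table of keys
    cannot be reversed by guessing inputs the way a bare hash can.
    """
    material = f"{normalize(email)}|{normalize(full_name)}".encode("utf-8")
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def unkeyed_hash(last4: str) -> str:
    """What a naive system might store instead of the raw last 4 digits."""
    return hashlib.sha256(last4.encode("utf-8")).hexdigest()


def recover_last4(unkeyed_digest: str) -> Optional[str]:
    """Why hashing the last 4 is not protection: the input space is 10,000."""
    for n in range(10_000):
        guess = f"{n:04d}"
        if unkeyed_hash(guess) == unkeyed_digest:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data, not real candidates or a real secret.
    secret = b"ats-dedup-secret-kept-server-side"
    first = candidate_key("Jane.Doe@Example.com", "Jane Doe", secret)
    again = candidate_key(" jane.doe@example.com ", "jane  doe", secret)
    print("same candidate:", first == again)
    print("last-4 recovered from plain hash:", recover_last4(unkeyed_hash("1234")))
```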