28 October 2015

Dealing with dodgy recruiter tactics

Updated version of this on my new blog: https://blog.timwise.co.uk/recruiters/


So I'm back on the contractor market again, and while many recruiters try and be reasonable, there are enough out there using underhand tactics to make life difficult and potentially jeopardise a good contract.

The one I plan to tackle this time round is "multiple submission", this is where you end up with your cv landing on a client's desk from two different recruiters. I gather this can be the nail in the coffin of a contract even if the client was keen - who wants to be stuck in the middle of two recruiters fighting over the commission?!


The first step is simple, which is don't agree verbally or otherwise to be put forward without first finding out who the client is, and make sure you keep track of who sent your CV where. I find Trello is a good tool for keeping on top of the fast moving and often fragmented information you get when hunting for contracts.

Recruiters are often hesitant to pass on the client's name, and this is understandable as if you were to go round them then they'd lose their commission which is how they earn a living. Worse, if you let the name slip to another less scrupulous recruiter then they may try and get your CV in first themselves without asking and in doing so sour the deal for everyone. (They often fish for names with phrases like "I need to know who else you've been submitted to in order to avoid duplication" - this is a lie, you can manage this fine yourself.)

To tackle this I recommend the following:
  • Never share their client's name with anyone else, especially other recruiters; make it clear this is a point of principle.
  • Prove your integrity by politely refusing to tell recruiters who ask, they might have liked the name, but they will be more likely to trust you in the future for respecting the wishes of other recruiters.
So that's the easy bit which I've been doing for some time...

Picture of an otter's head poking up in the sea.

Technical measures

There are unfortunately a bunch of particularly unscrupulous recruiters out there like sharks in the water who will without your permission, or possibly without ever contacting you, send your CV to their "client" (or just some poor manager they've found to spam with CVs). You can't tell them not to if they've never asked you, and it can still ruin a deal. So what to do about that?

If you're looking for contract work, you really need good exposure, so having your CV all over the place like leaves in the wind is not a bad way of getting the word out there (bear in mind I'm looking for work for my contracting company, which is a different ball-game to finding that perfect permanent role). It's actually pretty hard to control at all if you're dealing with recruiters because as soon as you include your CV in a response to posting on JobServe it'll be dropped straight into that recruiter's pool of CVs, and some recruiters even pool CVs between them using services like iProfileUK.

My plan of action is this: having just brushed up my CV, it will contain the following text (as does my LinkedIn profile):
Recruiters: this CV is not authorised for distribution to your clients. Please contact me for permission to represent me and for a separate copy containing an authorisation code & gpg signature. Thanks. To prospective clients, if you receive my CV without these then I haven't given permission to be represented.
Okay, so far so good, but any unscrupulous recruiter could just strip that out and send it anyway, and how would I be able to make a client comfortable that they can tell this scumbag to jog on?

So before I agree to be represented by a particular recruiter to a particular client (which I have no particular objection to if they've found work I otherwise couldn't have found), I will be needing the client's name. I will add this to a list of who has authorization to send my CV where; I will then generate a customised CV (via mail merge) with explicit permission to represent me to this specific client included in it, and a note that any CVs received without this are unauthorized by me.

To prevent a recruiter cottoning on and just generating this themselves I will then be gpg signing the result, which can then be checked against my public key, proving that it did indeed come from me (assuming my pc hasn't been hacked of course but I haven't heard of any recruiters going that far, if they could they'd probably be security consultants instead of recruiters!). 

My public key

My current public key for tim@timwise.co.uk is available on the public keyservers, or you can download it: my public key on dropbox. Primary key fingerprint: 74D4 2A4C 9055 07C5 4A7E  3C9C 26C6 E087 28CD F8EA.

Technical details

Using libreoffice calc, codes are generated with the following:

A cell containing allowable characters in the codes as text: 0123ABCDEF etc for this example this is in cell "F1".

A row for each authorized representation containing this formula to generate a unique authorisation code: =CONCATENATE(MID($F$1,RANDBETWEEN(1,LEN($F$1)),1), [repeat the "mid" clause once for each digit of the code to be generated] )

There's then another concatenation cell to generate the message to add to the CV. This is then copy-pasted into a file, and signed with gnupg on the command-line of my linux box. Here you can see the signing happening, followed by verification that the file is signed properly (as the client might do if they suspect a recruiter is reusing my CV for without my permission).

$ ./sign.sh
#!/bin/sh -v
gpg --clearsign authorization.txt

You need a passphrase to unlock the secret key for
user: "Tim Abell <tim@timwise.co.uk>"
4096-bit RSA key, ID 28CDF8EA, created 2015-01-20
$ ./verify.sh
#!/bin/sh -v
gpg --verify authorization.txt.asc
gpg: Signature made Thu 29 Oct 2015 01:02:52 GMT using RSA key ID 28CDF8EA
gpg: Good signature from "Tim Abell <tim@timwise.co.uk>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 74D4 2A4C 9055 07C5 4A7E  3C9C 26C6 E087 28CD F8EA
the contents of the signed file is then copy-pasted onto the end of a CV and sent off to the recruiter to relay to their client.


I've uploaded a couple of files for you to try out verifying, one with the original message, and one with a forged message where the client's name has been changed. See if you can figure out which is which:
Here's an example signed authorization with a valid signature for the end of my CV (mail merge fields in bold):
Hash: SHA1

Tim Abell has given permission for Test Recruiter Ltd to pass on this CV to Some Client on 28 Oct 2015; auth code 662QP93XP4. Any copies of my CV received without a valid signature have not been authorized for distribution.
Version: GnuPG v1



EK said...

A company signs a deal with their prefered recruiter though, you will still miss out if your prefered recruiter is a different one. This seems like a lot of faff without actually fixing the problem.

Tim Abell said...

Howdy Ben, you raise a good point and one that I have no answer to. If I speak to two recruiters and they both claim to exclusively represent the same client I can think of no way of verifying who's telling the truth without contacting the end company directly and trying to find out from them. Ideas welcome ;-)