Recruiter emails from well-known companies… but not really. A new campaign pretends to be legitimate job interview invites to trick people — especially marketers — into handing over their accounts. It’s sneaky, elaborate, and surprisingly polite about it: “Want to schedule an interview?” Sure… until you’re asked to log in.
What happened (in plain, slightly annoyed English)
Attackers are impersonating more than 30 big-name brands across airlines, food and beverage, fashion, tech, and entertainment. They send messages that look like recruiter outreach and even plaster real recruiter names and photos into the bait to seem credible.
- Airlines & travel: American Airlines, Delta, Booking.com, United
- Food & drink: Coca‑Cola, PepsiCo, Red Bull
- Apparel & luxury: Adidas, Louis Vuitton, Sephora, Levis
- Tech, staffing & consulting: Adobe, OpenAI, McKinsey, ManpowerGroup
- Hospitality & marketing: Marriott, Omnicom
- Entertainment & sports: FIFA, Netflix
The campaign abuses a cloud HR platform called PeopleForce (or at least spoofs it) along with marketing automation domains. From there, the victim is funneled through a chain of legitimate services before landing on a fake page that wants them to authenticate.
How the scam works — and how not to get conned
Unlike blunt phishing blasts, this one uses a multi-step redirect chain and convincing visuals. The flow goes something like this: a recruiter-sounding email → calendar link → several legitimate services used as stepping stones → a fake hiring page that asks you to sign in with your Google account.
When you click the “Continue with Google” button, a popup appears that looks just like a real Google sign-in. But it’s not a browser dialog at all — it’s HTML and CSS pretending to be a login window. That trick is often called Phishing in spirit and plays on the old “looks real, must be real” fallacy.
Why it works:
- Real company names and recruiter images make the message feel trustworthy.
- Nested redirects route victims through bona fide services so URL checks can look convincing.
- The fake login is rendered on the page (the so‑called browser-in-the-browser trick), so users don’t see the usual browser UI cues that something’s off.
The campaign has been active for months and cycles through many domains that mimic high-value brands. Researchers have compiled lists and technical write-ups on GitHub for folks who want a deep dive (no links here — just search for the analyst’s public report).
Want practical, non-annoying advice? Here’s how to avoid walking into this trap:
- Pause before you click: if an unsolicited recruiter asks you to log in, stop and verify through the company’s official careers page or LinkedIn profile.
- Check the URL bar carefully — but remember attackers can make things look legit by chaining redirects.
- Never authenticate from a hiring page that opened via an email link. Instead, go to the company site directly or contact the recruiter through a known channel.
- Use strong multi-factor authentication methods (hardware keys or phone-based apps beat SMS).
- Use a password manager — it helps by only auto-filling credentials on real domains.
- Train your team: simulated phishing drills and clear reporting paths make these scams less effective.
Short version: recruiting scams are getting fancier, and they’re trying to cozy up to you with flattering job offers. Treat unexpected interview invites like surprise parties — great in theory, stressful in practice. Verify first, click later.