
Job Interview Phishing Scam Impersonates 30 Big Brands
.webp)
A large-scale job interview phishing scam is targeting marketing professionals right now. The campaign poses as recruiters from more than 30 recognizable companies. It impersonates brands across airlines, hospitality, food and beverage, apparel, and technology.
The attackers use real recruiter names and photos to appear legitimate. Their goal is simple: trick job seekers into handing over their Google account credentials.
The operation has been running for at least five months. Researchers tracking the activity found more than 34 lookalike domains built to mimic hiring pages for companies including Adidas, Adobe, Netflix, Coca-Cola, Marriott, OpenAI, and FIFA. Each domain is tailored to its target brand. Colors and layout match the real company closely, so the outreach feels convincing to someone expecting a genuine interview invitation.
How the Job Interview Phishing Scam Works
The scam begins with an email that looks like routine recruiter outreach. In one documented case, the attacker used the name and photo of a real Adidas recruiter to add credibility. The message invites the recipient to schedule an interview through a calendar link. That step feels ordinary, so it rarely raises suspicion.
The link is where this job interview phishing scam gets technically interesting. Instead of pointing straight to a phishing page, it routes through a chain of legitimate platforms.
The path runs through PeopleForce, a real HR scheduling tool. From there it passes through Salesforce Marketing Cloud's exct.netdomain. It then continues through Wise Agent, a customer relationship platform built for real estate agents. Only after this sequence does the victim land onthe actual phishing page.
This layered redirect approach is a deliberate evasion tactic. Security tools often flag suspicious links by checking where they ultimately lead. But a chain built from trusted, well-known platforms can pass those checks at each individual hop. It remains unclear if the attacker compromised existing accounts on these platforms or simply registered new ones to abuse.
The Fake Google Login Trick
Once a victim reaches the final page, a "Continue with Google" button appears. It looks standard for any modern web application. Clicking it does not open a real browser window. Instead, the page displays a fake pop-up built entirely from HTML and CSS, designed to copy a genuine Google sign-in prompt.
This method is known as a browser-in-the-browser attack. It works because the fake window sits inside the existing page rather than opening as a separate browser process. The address bar and the security padlock, both signs of a legitimate login window, are simply drawn onto the fake interface.
A careful look reveals the deception in this job interview phishing scam. But under the pressure of an active job search, most people move quickly and enter their credentials without a second thought.
Those Google credentials go straight to the attacker once entered. Many people reuse the same account across email, cloud storage, and other services. So a single stolen login can open access to far more than an inbox.
Why Marketing Professionals Are the Target
The choice of marketing roles as bait is not random. Marketing professionals often manage advertising accounts, client data, and social media credentials tied to their Google accounts. That makes them valuable targets beyond the initial account theft. A compromised marketing employee could give an attacker a foothold into a company's broader digital presence.
Brand impersonation plays to a real weakness in how job seekers evaluate outreach, too. A recruiter reaching out from OpenAI or Netflix carries an assumption of legitimacy that a lesser-known company would not. Attackers understand this pattern and have built infrastructure specifically to exploit it.
Protecting Against This Phishing Campaign
Job seekers can take a few concrete steps to avoid falling for this job interview phishing scam. Verify recruiter identities directly through a company's official careers page rather than trusting contact details in an email. Treat any login pop-up with suspicion if it appears right after clicking a link from an unfamiliar site. Try dragging the window: a genuine browser pop-up moves independently, while a fake one stays locked inside the page.
Enabling two-factor authentication on Google accounts adds a meaningful barrier. A stolen password alone will not grant access when a second verification step stands in the way. Security teams at organizations with marketing staff should also remind employees about this specific technique, given how convincingly it mimics a normal hiring process.
This job interview phishing scam remains active. Its use of legitimate platforms as unwitting infrastructure makes it harder to shut down quickly. Similar redirect chains are likely to keep appearing in future phishing attempts until the abused services tighten their own account verification.
Subscribe to receive the latest blog posts to your inbox every week.