Help wanted original

The Hiring Funnel Is Leaking And Criminals Are Profiting

Phishing

It’s mid-July 2026, and the domestic job market isn’t exactly improving, based on a set of IOCs (indicators of compromise) that a friend sent me yesterday. Job seekers are side-eyeing LinkedIn posts with the skepticism of someone checking a used car for rust that’s been painted over, while legitimate recruiters are shouting into a void where fake job offers are dominating the attention economy. This friction isn’t just annoying for applicants who want to get back work, or recent graduates entering the workforce. It’s creating a blind spot that threat actors are profiting from.

<Not a technical person? Maybe skip this next bit>

A new phishing campaign analyzed by BushidoUk shows how threat actors are impersonating thirty-four major brands, including Adobe, Netflix, and McKinsey, to steal Google credentials from marketing professionals. The attack infrastructure’s based on a four-hop redirect chain designed to evade detection. Traffic flows from PeopleForce, a legitimate HR platform, through Salesforce ExactTarget, then Wise Agent, before landing on a Netlify-hosted phishing page. The nested redirects are intended to install trust in the victim and bypass basic web filters that only look at the initial domain.

The technical execution relies on a Browser-in-the-Browser (BitB) technique (which makes you wonder if anyone ever thought if that feature was a good idea). Instead of tricking users with a new sign-in tab, attackers just render a fake Google sign-in popup directly inside the web page. You enter your password, and the credential dumps instantly into their database, so if you have MFA on your Google account, at least you’re slightly better off. But that’s not quite the point. The campaign’s been active for five months, suggesting that traditional methods missed the warning signs for half a year.

</End of technical fiddly bits>

This phishing operation isn’t succeeding because the targets are careless. It works because the hiring infrastructure itself is broken (ADMT, anyone?) and folks are desperate. ResumeUp.AI released a study earlier this year claiming 27.4% of all U.S. job listings on LinkedIn are likely ghost jobs; although Halloween decor is now available at Home Depot, these aren’t ghosts for that type of spooky season. The Congressional Research Service defined “ghost jobs” as online postings for positions that “do not exist or that employers are not planning to fill immediately”. Companies post fake roles to signal growth to investors or cast a wider net for extraordinary talent without intention to hire. And when nearly three out of ten listings are already fake, the barrier to entry for scammers and threat actors vanishes.

And if you think that a phishing campaign and ghost jobs are one-offs and that everything else is going swimmingly, a Monster survey commissioned earlier this year shows the experience of job seekers. Ninety-five percent of job seekers have encountered a suspicious job offer, and more than half say they have been directly targeted. Job seekers seem to be relying on old (pre-AI) cybersecurity training, saying that the tells for scams include “poor grammar” or “unidentifiable companies”, but the campaign found by BushidoUK doesn’t have any of those tells. They use real recruiter names like Blair Ciesil, verified LinkedIn profiles, and polished branding that passes human scrutiny. In other words, this is proof of what you’ve heard about AI phishing campaigns being really good.

Oh, and state actors are also targeting job seekers too. The Five Eyes alliance dropped a bulletin just last month confirming that China’s Ministry of State Security treats LinkedIn as a target. Ken McCallum, head of MI5, called it an “industrial scale operation” back in 2021 (no, this isn’t a mis-print, this is a problem that isn’t fixing itself). By 2025, tactics shifted to exploit mass federal layoffs, with groups identifying five fake consulting firms targeting displaced workers. Spies pose as HR consultants for firms like Oriental Consulting (you’d think that’s a little too on-the-nose) or use aliases like Kevin Zhang. If you apply, they rank your resume based on access to sensitive info, interview you virtually to ask probing questions about your unit, and then ask for a trial report on bilateral relations. Money starts flowing via PayPal, Zelle, Wise, or crypto once the chat moves to encrypted apps. Oh, and you’re now working as a spy, complete with a future complimentary stay at Club Fed!

The reason that all of this works isn’t technology, though. It’s the economy and incentives.

The Labor Department released their June 2026 jobs report showing the U.S. economy added 57,000 new jobs, which was well below the 115,000 economists expected. February had a loss of 92,000 jobs with unemployment rising to 4.4%. And looking ahead, employers historically have pulled back on hiring in the months preceding midterms due to anticipated policy uncertainty; for example, monthly payroll additions dropped by roughly one-third in late 2018 and again in late 2022. Guess what this year’s October surprise will be ?

As legitimate jobs become fewer, the proportion of fake listings is going to increase, because they don’t depend on actual hiring budgets (just salaries for the MSS and bonuses for criminals). And when job creation slows to a crawl, anxious workers will probably lower their guard against even more (and probably improved) AI-generated attacks. The phishing campaign targeting marketing professionals already shows that unemployment anxiety motivates people to do things they might not otherwise.

Here’s how to decide if a job’s real, July 2026 edition:

  • If the “apply” link resolves through three different legitimate domains before reaching a static host, skip it (not sure how to do this? WhereGoes.com is neat)
  • If the recruiter pushes for a trial report instead of a standard interview, block them

We’re entering the second half of 2026 with a labor market defined by uncertainty. The election cycle is just going to amplify this volatility, and employers are probably going hesitate while workers are going to scramble. We can expect more like this. For job seekers, the cost of ignoring these signals isn’t just lost time filling out yet another job application. It’s identity theft, financial loss, and potential national security compromises disguised as job offers.

Similar Posts