- NordVPN Researchers Uncover Massive Recruitment Phishing Scam
- Scammers pretend to be top global employers like Meta, Disney, Spotify
- Hackers use fake job portals to steal job seekers’ Facebook login credentials
The job market is tough enough that you don’t have to dodge cybercriminals. But according to new research from NordVPN, hackers are now posing as recruiters for some of the world’s biggest brands to hijack the social media accounts of unsuspecting job seekers.
The cybersecurity company’s Threat Intelligence unit revealed a highly sophisticated phishing campaign that used the names of major employers, including Meta, Disney, Coca-Cola and Spotify. Rather than stealing your money, the operation is designed to discreetly recover your Facebook credentials.
By deploying polished recruitment emails, hidden “HUB” domains, and incredibly realistic job portals, attackers trick candidates into handing over the keys to their digital lives. Because social media accounts are often linked to other sensitive apps and services, a compromised Facebook login can quickly escalate into a devastating privacy violation.
If you want to protect your personal data when applying for jobs online, using one of the best VPN services with built-in anti-malware and malware tracker blocking is a smart first step. However, to stay completely safe from targeted phishing, you need to better understand how these multi-step scams actually work.
From fake job offer to complete account hijacking
The campaign starts with a professional-looking cold email, often sent through legitimate platforms like Google AppSheet to bypass standard spam filters.
These messages feature clear grammar and target victims whose contact details were likely harvested from platforms like LinkedIn or exposed in previous data breaches.
By clicking on the email link, victims are redirected to a “HUB” domain (such as careers.meta-findyourjob[.]com).
Interestingly, NordVPN discovered that these sites have a clever built-in evasion tactic. If a security scanner or analyst visits the URL directly, it only sees a blank, harmless web page. The malicious “Search Jobs” button only activates when the site is triggered by a unique referral link embedded in the original phishing email.
Once the victim clicks, they land on an intermediary site that perfectly mimics a legitimate company job site. Researchers have identified several fake portals, including connect.spotifycareerapply[.]com for Spotify and jobquest.wdcfuturesteps[.]com for Disney.
The trap finally closes when the candidate clicks “Apply”. Instead of a standard application form, they receive a prompt asking them to log in via Facebook to continue. This fake login page captures the victim’s username and password, giving attackers full control over the account.
Domininkas Virbickas, product director at NordVPN, explains that job seekers are “particularly vulnerable” to these types of attacks. This is because they are already in a mindset that sharing personal data and following instructions from unknown contacts is the normal process for landing an interview.
“Such campaigns leverage this trust by using slick communications and convincing fake career portals that are almost indistinguishable from the real ones,” Virbickas said.
How to Stay Safe During Your Job Search
This campaign proves that cybercriminals are constantly finding new ways to weaponize professional contexts to circumvent our natural skepticism. Because this attack flow so closely mimics a real corporate recruiting process, even cautious Internet users can be caught off guard.
To protect yourself, NordVPN recommends getting into the habit of checking the URL before entering any personal data. Legitimate mega-brands will always host their career pages on official, recognizable domains, not unusual third-party links.
The same rule applies to social login prompts. A real “Log in with Facebook” button will always redirect you securely to the official website. facebook.com domain. If the URL bar shows anything else, close the tab immediately.
If you still have doubts, I recommend running the link through NordVPN’s URL checker tool or similar software. It is completely free to use for everyone, even for those who do not have an active NordVPN subscription.
Finally, NordVPN suggests always enabling two-factor authentication (2FA) on your social media profiles. Even if a sophisticated phishing page manages to steal your password, 2FA provides a vital safety net that prevents attackers from gaining access to your account.
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
