Looking for a job? It could be a scam — NordVPN uncovers phishing campaign impersonating top brands' recruiters


  • NordVPN researchers uncovered a massive recruitment phishing scam
  • Scammers impersonate global employers like Meta, Disney, Spotify
  • Hackers use fake job portals to steal job seekers' Facebook login credentials

The job market is tough enough without having to dodge cybercriminals. But according to new research from NordVPN, hackers are now impersonating recruiters from some of the world's biggest brands to hijack the social media accounts of unsuspecting job seekers.

The cybersecurity firm’s Threat Intelligence unit has exposed a highly sophisticated phishing campaign that weaponizes the names of major employers, including Meta, Disney, Coca-Cola, and Spotify.

Rather than stealing your money outright, the operation is designed to quietly harvest your Facebook credentials. With social media accounts often linked to other sensitive apps and services, a compromised Facebook login can quickly spiral into a devastating privacy breach.

If you want to protect your personal data while applying for roles online, using one of the best VPN services with built-in anti-malware and malicious tracker blocking is a smart first step. However, staying completely safe from targeted phishing requires a deeper understanding of how these multi-stage scams actually work.


From fake job offer to full account hijack

The campaign kicks off with a professional-looking cold email, often sent via legitimate platforms like Google AppSheet to slip past standard spam filters.

These messages feature clean grammar and target victims whose contact details were likely scraped from platforms like LinkedIn or exposed in previous data breaches.

Screenshot of a fake recruitment email

(Image credit: NordVPN)

Clicking the email link takes victims to a "HUB" domain (such as careers.meta-findyourjob[.]com).

Interestingly, NordVPN found that these sites feature a clever built-in evasion tactic. If a security scanner or an analyst visits the URL directly, they only see a blank, harmless webpage. The malicious "Search for a job" button only activates when the site is triggered by a unique referral link embedded in the original phishing email.

Once the victim clicks through, they land on an intermediate site that flawlessly mimics a legitimate corporate job board. Researchers identified several fake portals, including connect.spotifycareerapply[.]com for Spotify and jobquest.wdcfuturesteps[.]com for Disney.

Screenshot showing the fake Facebook login prompt

(Image credit: NordVPN)

The trap finally closes when the applicant clicks "Apply." Instead of a standard application form, they are met with a prompt demanding they log in via Facebook to proceed. This fake login page captures the victim’s username and password, handing the attackers total control over the account.

Domininkas Virbickas, product director at NordVPN, explains that job seekers are "uniquely vulnerable" to these types of attacks as they’re already in a mindset of sharing personal information and following instructions from unfamiliar contacts.

"Such campaigns take advantage of that trust using polished communications and convincing fake career portals that are nearly indistinguishable from the real thing," said Virbickas.

How to stay safe during your job hunt

To protect yourself, NordVPN recommends making a habit of verifying the URL before entering any personal data. Legitimate mega-brands will always host their career pages on official, recognizable domains, not unusual third-party links.

The same rule applies to social login prompts. A genuine "Log in with Facebook" button will always securely redirect you to the official facebook.com domain. If the URL bar shows anything else, close the tab immediately.
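The host check described above can be automated for link triage. The following is an added example, not code from NordVPN or the article's author. It assumes facebook.com and its subdomains are the only acceptable login hosts; the function names, the `https://` prefix on the reported domain, and the `example.test` URLs are constructed for illustration.

```python
from typing import Tuple
from urllib.parse import urlsplit

# Assumption: only facebook.com and its subdomains are accepted,
# following the rule stated in the article.
OFFICIAL_LOGIN_DOMAIN = "facebook.com"


def refang(url: str) -> str:
    """Undo the defanged notation used in reports so the URL parses."""
    return url.replace("[.]", ".").replace("hxxp", "http", 1)


def login_host_verdict(url: str) -> Tuple[bool, str]:
    """Return (is_official, reason) for a URL shown on a login prompt."""
    try:
        parts = urlsplit(refang(url.strip()))
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    # hostname drops any user@ prefix and port, and is lower-cased.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "no host"
    # Exact match or a true subdomain. A substring test would wrongly
    # accept facebook.com.example.test and facebook.com@example.test.
    if host == OFFICIAL_LOGIN_DOMAIN or host.endswith("." + OFFICIAL_LOGIN_DOMAIN):
        return True, host
    if not host.isascii() or "xn--" in host:
        return False, "internationalised host, possible homograph"
    if "facebook" in host or parts.username:
        return False, f"lookalike: real host is {host}"
    return False, f"unrelated host {host}"


# Constructed sample input: one genuine login URL, one portal domain
# reported in the article (kept defanged), two constructed lookalikes.
SAMPLES = [
    "https://www.facebook.com/login.php",
    "https://connect.spotifycareerapply[.]com/",
    "https://facebook.com@example.test/login",
    "https://facebook.com.example.test/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", login_host_verdict(sample))
```
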

If you still have doubts, I recommend running the link through NordVPN's URL checking tool or similar software. It's completely free to use for anyone, even those who don't have an active NordVPN subscription.

Finally, NordVPN suggests always activating two-factor authentication (2FA) across your social media profiles. Even if a sophisticated phishing page manages to steal your password, 2FA serves as a vital safety net that blocks attackers from accessing your account.


Rene Millman
Contributing Writer

Rene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging.
