Cybercriminals are impersonating recruiters from more than 30 major companies—including Netflix, OpenAI, Adobe, Coca-Cola and Adidas—in a sophisticated phishing campaign designed to steal Google account credentials from marketing professionals and other job seekers.
The operation was detailed in a technical analysis published by Will Thomas, Senior Threat Intelligence Adviser at cybersecurity firm Team Cymru, who found that attackers are sending personalized recruitment emails that appear to come from legitimate hiring managers at well-known companies.
Unlike traditional phishing emails, the messages are tailored to each recipient by name, profession and career background, making them significantly more convincing.
One example cited in the report impersonated a recruiter from McKinsey & Company, congratulating the recipient on their professional experience and inviting them to schedule a 30-minute interview.
The email included what appeared to be a legitimate scheduling link.
Instead of directing victims to a real interview portal, however, the link redirected them through several legitimate online services before ultimately arriving at a fraudulent login page designed to capture Google account credentials.
Thomas said the attackers are abusing trusted business platforms, including PeopleForce, a legitimate applicant-tracking system, along with infrastructure connected to Salesforce Marketing Cloud.
Because the emails originate from authentic commercial services, they can often bypass standard email security filters that would normally identify phishing attempts.
Security researchers emphasized that neither PeopleForce nor Salesforce appears to have been hacked. Instead, criminals likely created legitimate accounts—or gained access to existing ones—to launch the campaign.
The fake Google login page uses a technique known as Browser-in-the-Browser, which recreates Google’s authentication window entirely within a webpage using HTML and CSS.
To unsuspecting users, the login box looks identical to Google’s real sign-in screen even though it is completely controlled by the attacker.
Researchers also found that the campaign uses photographs and names of real recruiters while registering internet domains that closely resemble official company career websites.
For businesses, the risks extend far beyond a single compromised password.
A stolen Google account can provide access to Gmail, Google Drive, saved passwords, calendars, cloud storage and numerous connected workplace applications, allowing attackers to expand their access throughout an organization.
According to the FBI’s Internet Crime Complaint Center, employment scams generated more than 24,000 complaints and approximately $362 million in reported losses during 2025.
The bureau has also warned that criminals increasingly use artificial intelligence to enhance hiring scams through realistic voice cloning, deepfake video interviews and personalized communications.
The campaign also creates reputational challenges for the companies being impersonated.
Although firms such as Netflix, OpenAI and Adobe are themselves victims of brand impersonation, job seekers may mistakenly believe those companies were responsible for the fraudulent communications.
Cybersecurity experts recommend that organizations actively monitor newly registered internet domains resembling their corporate brands and quickly pursue their removal.
For individuals, security professionals advise verifying unexpected interview invitations directly through a company’s official careers website rather than clicking links contained in unsolicited emails.
Users should also confirm that any Google login page begins with the official accounts.google.com web address before entering credentials.
Enabling multi-factor authentication provides an additional layer of protection by making stolen passwords significantly less valuable to attackers.
Anyone who believes they entered credentials on a fraudulent website should immediately change their Google password, review recent account activity, revoke unfamiliar sessions and update recovery information.
For businesses, the campaign reflects a broader evolution in cybercrime.
Rather than relying on poorly written phishing emails, attackers increasingly exploit trusted cloud platforms, recognizable corporate brands and highly personalized messages to bypass both technology and human skepticism.
As remote hiring and online recruiting continue expanding, cybersecurity experts expect fake recruiter campaigns to remain one of the fastest-growing methods used to steal corporate credentials.
JBizNews Desk | New York
© JBizNews.com All Rights Reserved. Reproduction or Distribution without Written Permission is Prohibited.



