Beware of Sophisticated Recruitment Scams in the AI Era! NordVPN Reveals New Tactics Impersonating Major Companies
NordVPN's Threat Intelligence Research Department has unveiled a new recruitment scam tactic that impersonates major global companies to steal SNS account credentials from job seekers. This multi-stage attack, which exploits Google AppSheet to redirect victims to fake job sites and then fake Facebook login pages, has been observed globally and a warning has been issued for Japan.
Published: April 23, 2026 at 19:00
NordVPN (Headquarters: Amsterdam, Netherlands; Japan Representative: Takuro Ohara), a provider of personal security services, announced a new recruitment scam tactic identified by its Threat Intelligence Research Department. This method impersonates major global companies and targets job seekers to steal their SNS account credentials.
The investigation revealed a multi-stage attack that starts with emails impersonating recruiters from prominent companies such as Meta, Disney, Coca-Cola, and Spotify. Victims are then redirected to highly convincing fake job websites, ultimately leading to the hijacking of their Facebook accounts. Such tactics have been confirmed globally and have the potential to spread to job seekers in Japan.
■ Background of the Investigation
In recent years, cyberattacks, including phishing scams, have become increasingly sophisticated, evolving into multi-stage attacks that meticulously mimic real companies, partly due to the widespread adoption of generative AI.
Amidst this, there has been an increase in scams that naturally reproduce corporate websites, recruitment information, and email content, making them difficult to distinguish from legitimate communications. Job seekers, especially those actively looking for employment, tend to be more receptive to contact from unfamiliar parties and may lower their guard when providing personal information. Attackers exploit this situation, targeting SNS account credentials through methods disguised as recruitment processes. To shed light on this reality, NordVPN's Threat Intelligence Research Department conducted this investigation.
■ Investigation Overview
Investigation Name: NordVPN Threat Intelligence Research Department
Investigating Bodies: NordVPN・NordStellar
Investigation Date: March 31, 2026
Investigation Method: Application of advanced search strings to major search engines, and identification of domains, services, and ports using IoT search engines such as Fofa.io and Shodan.io.
■ The 3-Stage Scam Starting with Recruitment Emails
The scam identified this time is a method that cleverly guides victims through multiple steps. It is characterized by being indistinguishable from a normal recruitment process at first glance, making it difficult for even careful users to notice.
The scam begins with recruitment emails sent via legitimate services such as Google AppSheet. The emails are written in natural Japanese and are indistinguishable from genuine recruitment communications. Because AppSheet is a legitimate Google service, the sender's address is on "appsheet.com," which makes the messages harder for spam filters to catch and less likely to raise recipients' suspicion; this gap is what the attackers exploit.
The list of recipients is believed to have been collected from sources like LinkedIn or from past data breaches. Clicking on a link in the email redirects to an intermediary site (e.g., careers.meta-findyourjob[.]com). This site incorporates mechanisms to bypass security measures, displaying only harmless pages if antivirus software or search engine crawlers access it directly. The "Search for Jobs" button only appears when accessed via a specific link within the scam email.
Clicking the button leads to a fake job site tailored to each company. At first glance, it looks identical to a genuine recruitment page, even listing actual job information. The moment a job seeker clicks the apply button, it switches to a fake Facebook login screen, and the entered ID and password are then transmitted to the attackers.
Examples of confirmed fake sites:
- Meta: plus.jobfusion-mt[.]com / official.professionlaunch-mt[.]com
- Coca-Cola: careers.coca-contactnow[.]info
- Spotify: connect.spotifycareerapply[.]com
- Disney: jobquest.wdcfuturesteps[.]com
■ 3 Countermeasures Recommended by Dominikas Virbickas, NordVPN Product Director, to Protect Against Recruitment Scams
① Always check the URL before logging in
Legitimate companies operate their recruitment pages on their official domains. When you are redirected to an unfamiliar external site or prompted to "Log in with Facebook," always verify if the URL is truly facebook.com. It is crucial to stop entering information if you feel even the slightest discomfort.
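A defender-side check for countermeasure ①, of the kind a browser extension, mail gateway or SOC triage script could apply: it parses a "Log in with Facebook" URL and accepts it only when the host is facebook.com itself or one of its subdomains, rejecting subdomain lookalikes and the userinfo (`facebook.com@...`) trick. This is an added example, not NordVPN's code; the trusted-domain list and the sample URLs (constructed from the defanged hosts the article quotes) are assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Official login domains trusted by this check (assumption: facebook.com and its
# subdomains only; extend the tuple if your policy allows other brand domains).
OFFICIAL_DOMAINS = ("facebook.com",)

def refang(url: str) -> str:
    """Turn the article's defanged notation (example[.]com) back into a real host."""
    return url.replace("[.]", ".")

def hostname_of(url: str) -> Optional[str]:
    """Extract the hostname; a bare host without a scheme is treated as https://host."""
    url = refang(url.strip())
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname  # drops userinfo, port and path; lowercased
    return host.rstrip(".") if host else None

def is_official_login_host(url: str) -> bool:
    """True only if the host is facebook.com itself or one of its subdomains.

    Lookalikes such as 'facebook.com.evil.example', 'my-facebook.com' and the
    userinfo trick 'facebook.com@evil.example' all return False.
    """
    host = hostname_of(url)
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

# Constructed sample: fake hosts quoted in the article plus genuine and edge cases.
SAMPLE_URLS = [
    "https://www.facebook.com/login.php",
    "https://facebook.com",
    "https://facebook.com@careers.meta-findyourjob[.]com/login",
    "https://facebook.com.plus.jobfusion-mt[.]com/",
    "connect.spotifycareerapply[.]com/apply",
    "https://jobquest.wdcfuturesteps[.]com/fb-login",
]

def triage(urls=SAMPLE_URLS) -> Dict[str, bool]:
    """Map each URL to whether its host passes the official-domain check."""
    return {u: is_official_login_host(u) for u in urls}

if __name__ == "__main__":
    for url, ok in triage().items():
        print("OK     " if ok else "SUSPECT", url)
```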
② Enable two-factor authentication (2FA) on all SNS accounts
Even if your password is leaked, two-factor authentication can prevent unauthorized logins. It only takes a few minutes to set up and can significantly reduce potential damage.
③ Be cautious of sudden job offers/contacts