Fake Job Offers Impersonate Netflix, OpenAI, and FIFA to Steal Google Credentials

Fake Job Offers Impersonate Netflix, OpenAI, and FIFA to Steal Google Credentials

Fake Job Offers Impersonate Netflix, OpenAI, and FIFA to Steal Google Credentials

Scrabble tiles spell "SCAM," illustrating a fake recruitment campaign that steals Google account credentials. Credit: Markus Winkler/Unsplash

A fake recruitment phishing campaign impersonates major brands and uses trusted HR platforms to steal Google account credentials.

Jul 8, 2026

What seems to be a job opportunity can turn into a credential theft scam.

Cybercriminals weaponize the names of over 30 brands to carry out a sophisticated phishing operation. Brands like Netflix, Coca-Cola, OpenAI, and FIFA are used to lure marketing professionals into fake recruitment workflows that ultimately steal Google account credentials.

According to BleepingComputer, the campaign routes victims through legitimate HR and marketing platforms before presenting a convincing fake Google sign-in window. By layering trusted platforms into the attack chain, the operation removes many of the phishing signs people have been taught to spot.

The campaign reflects a broader shift in phishing tactics, in which attackers increasingly exploit familiar business workflows and target high-value individuals rather than exploit software vulnerabilities. That increases the impact a single compromised account can have on businesses.

A more sophisticated deceptive tactics

Team Cymru senior advisor Will Thomas estimated that the campaign has been running for at least five months. He also noted that the operators initially used Outlook for their campaign. What makes the campaign stand out is the use of multiple tactics, implemented at each stage to feed into the next, building the pathway for a successful attack.

Abuse of trusted services and platforms

The attackers abused trusted platforms at two stages of the operation. First, they sent fake job outreach messages impersonating 34 brands across industries including airlines, food and beverage, apparel and luxury, staffing and consulting, hospitality, marketing, entertainment, and sports.

This gets more technical for the second stage. Instead of directing victims straight to a phishing site, the attackers routed them through legitimate HR and marketing platforms, including PeopleForce and Salesforce Marketing Cloud, before displaying a fake Google sign-in page to harvest Gmail credentials.

A more sophisticated deceptive tactic used to phish emails.
Image: Will Thomas/GitHub Gist

Impersonation attacks

The operators also impersonated well-known recruiters. The logic is simple: if an outreach comes from a respected recruiter, targets are more likely to hop on it, leaving little room for counterthoughts.

Advertisement
Email impersonating Adidas recruiter Paulina Manzo/ Sergiu George.
Image: Email impersonating Adidas recruiter Paulina Manzo/ Sergiu George

Must-read security coverage

Why marketers?

Thomas also identified marketing professionals as the primary targets. Since marketers routinely receive emails from people outside their existing contact lists, it makes unsolicited recruitment messages less unusual. That familiarity increases the chances that recipients will open phishing emails and engage with them.

Marketers often have access to valuable business-related data and a compromised Google account could provide attackers with a foothold into those resources.

How to know what’s fake?

The campaign shows that recognizable branding alone is no longer enough to establish trust. Job seekers and employees should verify unexpected interview invitations through official careers pages or known recruiter contacts rather than relying on links in emails.

Individuals should use multi-factor authentication (MFA) for Google Workspace and other business-related accounts to reduce the impact of stolen credentials. Although MFA cannot stop every phishing technique, it provides an additional barrier that can prevent a stolen password from leading directly to account compromise.

Brands should also monitor for domain impersonation through threat intelligence. Detecting newly registered domains that closely resemble official company names can help security teams quickly identify phishing infrastructure early and work with registrars or hosting providers to suspend malicious domains before they reach more victims.

With phishing scams stepping up their game, users should adopt good cybersecurity practices and treat unexpected emails and login requests with caution.

Joseph Ofonagoro

Joseph is a technical writer with about three years of experience creating clear, practical content across consumer technology, startups, tutorials, and cybersecurity. He is also advancing a career in cyber threat intelligence, driven by a strong interest in the responsible use of technology and its role in protecting people, organizations, and digital systems. His passion for cybersecurity grew out of a broader commitment to helping others understand technology safely and effectively. As an undergraduate at the National Open University of Nigeria, he leads a community of technology enthusiasts, guiding beginners, sharing learning resources, and helping students build confidence as they explore careers in tech. Joseph’s writing combines technical curiosity with an accessible, beginner-friendly style. In addition to his editorial work, he periodically shares cybersecurity case studies and research reports on social media, covering threat trends, security lessons, and practical insights for readers interested in cyber awareness and digital safety.