A new report from the leading cybersecurity firm Sublime Security has revealed an ongoing email scam that uses fake job offers from Google to trick people using Google Workspace and Microsoft 365 into giving away their private login details.
This widespread credential phishing scam, which impersonates outreach from Google Careers, was detailed in findings released on October 14 and shared with Hackread.com.
For your information, credential phishing is an online trick where a scammer sends a message that looks official, like a job offer, but its true goal is to steal sensitive information such as usernames and passwords.
This scam begins with an email asking, “are you open to talk?” and is mainly sent to targets using corporate email addresses, as the attackers have even tried to filter out non-business accounts.
The Ever-Changing Attack
What makes this particular threat concerning is the constant changes scammers are making to avoid getting caught. Researchers reportedly observed “threat actors refining and adjusting their tactics and techniques over time, evolving to evade detection.” This continuous effort to improve the scam is clear in the many variations.
For example, the emails aren’t just in English; they have appeared in Spanish, Swedish, and other languages. The sender’s name and email address also frequently change, sometimes using fake recruiter names or departments like GG Careers <[email protected]>.
Researchers noted that the attackers abuse services like Salesforce and Recruitee to send these emails. The malicious links themselves also vary and are generally hosted on domains recently registered through services like NiceNIC and Porkbun.
How the Trap Works
If a recipient clicks the “Book a Call” link, they are taken through a multi-step trap. First, they might see a fake Cloudflare Turnstile verification page. After that, they land on a page designed to look like a Google Careers meeting scheduler, asking for personal details. Finally, they are taken to the credentials-stealing phase, which is a “standard fake login page” mimicking the Google sign-in screen
Further probing revealed the scammers’ sneaky trick to bypass email security scanners; they break up words like Google Careers with hidden web formatting, such as putting every letter into its own separate label element. This simple coding trick makes it hard for security programs to recognise the complete, malicious phrase.
Sublime Security’s detection engine prevented these attacks, flagging them for using links on domains registered within the past 30 days. The continuous changes to this single scam prove that being careful online is now a basic part of professional life, as these scams aren’t new.
Cybersecurity firms like Netcraft recently warned about a significant spike in sophisticated, recruitment-themed scams. Therefore, if a great job offer shows up unexpectedly, you must always verify the source before clicking any links or sharing your private information.
