Cybersecurity experts warn of fake job portals that perfectly impersonate well-known brands

Zoom

The platforms are designed to hijack the social media accounts of people looking for a job

Almudena Nogués

Tuesday, 7 April 2026, 17:14

The latest job scam is so sophisticated that even the most cautious can fall for it. NordVPN's threat intelligence research unit is raising awareness about a complex phishing scheme targeting job seekers that impersonates some of the world's most well-known companies. The operation uses the names of Meta (and its subsidiaries), Disney, Coca-Cola and Spotify to steal victims' Facebook credentials and take control of their accounts.

According to experts, the scammers are using hidden 'HUB' domains, referral link activation mechanisms and realistic job offer interfaces to guide victims through a carefully crafted process. In the final step, they redirect them to a fake Facebook login page designed to steal their credentials.

"Job seekers are especially vulnerable because they are willing to share personal information and follow instructions from unknown contacts," NordVPN Product Manager Domininkas Virbickas says. "These schemes exploit that trust through highly sophisticated communications and convincing fake job portals that are almost impossible to distinguish from the real thing."

Account hijacking

The scheme begins with a cold email, often sent through legitimate services like Google AppSheet to bypass spam filters. "These messages look impeccable and professional, with no grammatical errors and a tone that mimics real recruitment communications. The contact lists are likely gathered through automated data mining from platforms like LinkedIn or originate from previous data breaches," NordVPN says.

The email link directs victims to a 'HUB' domain (such as careers.meta-findyourjob[.]com). These web pages incorporate an evasion mechanism. If someone, whether a security analyst or an automated scanner, visits the domain directly, they will only see a generic, inactive web page without any interactive functionality.

"The dangerous content is only activated when accessed via a specific referral link in the phishing email. This referral link acts as a key, granting access to a clickable 'Find a Job' button that would otherwise remain hidden," cybersecurity experts say.

Related story