Job Scams in 2025: Fake Postings, Fake Candidates, and How to Protect Yourself
Job scams now run in both directions. Fraudsters pose as employers to steal your data — and as job seekers to infiltrate companies. Here's what's actually happening, with real examples, and how to protect yourself on either side of the interview table.
The Numbers First
Americans lost nearly $300 million to job scams in the first half of 2025 alone — a 19% increase year-on-year, according to FTC data. The typical victim loses around $2,000. One in four job seekers has fallen for a hiring scam. Of those who did, 48% had personal information stolen.
And that's only half the picture.
The threat now runs in both directions. Fraudsters pose as employers to harvest personal data from candidates. And an entirely separate category of attacker — including, in a remarkable development, state-sponsored operatives — poses as job seekers to infiltrate the companies doing the hiring.
This article covers both.
Part 1: Fake Jobs — When the Employer Is the Scammer
How It Works
The setup follows a reliable pattern:
- A job posting appears on a legitimate platform — LinkedIn, Indeed, ZipRecruiter — often mimicking a real company, complete with logo and a convincing job description
- The "recruiter" reaches out quickly, claiming the candidate is a perfect fit
- An interview is scheduled — usually over chat or a low-quality video call
- An offer letter arrives fast, with almost no vetting
- Onboarding begins — and that's where the data collection starts (Social Security number for tax forms, bank account for direct deposit, driver's licence for ID verification)
- The job never existed
The end goal is identity theft, financial fraud, or both.
Real Examples
J.P. Morgan on ZipRecruiter
NBC News documented multiple victims who responded to job postings on ZipRecruiter and LinkedIn for positions at real companies — including J.P. Morgan. There was no employer on the other end. The scammers used the brand name and logo to build credibility, then harvested personal information during fake onboarding.
The equipment deposit trick (May 2024)
A victim was told they would receive a $2,000 deposit to purchase work equipment, and would then need to forward $500 to a "vendor." The same day they were contacted, the real company's LinkedIn page posted a warning that scammers were impersonating them. The victim got out in time. Many don't.
Airswift executive impersonation (May 2024)
Scammers posed as Airswift's Chief Revenue Officer, telling candidates she had authority to arrange US work visas — for a fee of nearly $470. Airswift had to issue a public warning after multiple victims had already paid.
An 18-year-old loses £3,000
A British woman, 18 years old, was contacted by what appeared to be a legitimate recruiter. She went through a complete fake interview process before her card details were stolen. She lost £3,000. The Identity Theft Resource Center's CEO Eva Velasquez described the problem bluntly: "These fakes look so real and so legitimate, it's almost impossible for would-be job seekers to tell the difference."
The Letterboxd movie trailer scam
An Arizona woman named Rachel received a text from someone claiming to be a recruiter from the film review platform Letterboxd, promising up to $9,000 a month for watching movie trailers. She deposited $100 of cryptocurrency. It came back — plus commission. She deposited more. The same happened again. She deposited $110,000 in a single week. None of it came back.
This last example is a "task scam" — a variant where small, real payments are made early to build trust, pulling victims deeper before the collapse.
What Scammers Actually Want From You
Depending on the scheme, the goal is one of the following:
| What They Ask For | What They Do With It |
|---|---|
| Social Security number | Identity theft, tax fraud, credit fraud |
| Bank account details | Direct withdrawal, account takeover |
| Driver's licence / passport | Synthetic identity creation, sold on dark web |
| Email and password | Credential stuffing attacks |
| Upfront payment ("training", "equipment", "visa") | Direct financial theft |
| Click on a link for a "Zoom interview" | Malware installation |
Red Flags: Fake Job Postings
- The offer comes too fast — a real hiring process takes days or weeks, not hours. An offer before a proper interview is a red flag
- The recruiter uses a personal email — @gmail.com, @yahoo.com, or a domain that's slightly off from the real company (amazoncareers.com vs. amazon.com)
- They move you off-platform — 71% of scam contacts push victims to WhatsApp or Telegram, where there's no platform monitoring
- They ask for financial information during "onboarding" — before you've done any work, before you've met anyone in person
- The pay is unusually high for minimal work — "$200–$3,000 a day for reviewing products" is not a real job
- No verifiable online footprint — the recruiter has a sparse LinkedIn profile, no mutual connections, and joined the platform recently
- Senior people contact you unsolicited — cybersecurity expert Steven Weisman: "If you are being contacted by someone in a senior position, it is most likely a scam. CEOs don't generally contact people on LinkedIn."
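The sender-domain red flag above can be checked mechanically. The following is an added example, not code from the original article: it classifies a recruiter's address against the employer's real domain. The function names, the free-mail list and the edit-distance threshold are assumptions chosen for illustration.

```python
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed short list

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, official_domain: str) -> str:
    """Return 'official', 'free-mail', 'lookalike' or 'unrelated'."""
    official = official_domain.lower().strip(".")
    domain = address.rsplit("@", 1)[-1].lower().strip(".")
    # Exact match, or a true subdomain (the leading dot stops "evilamazon.com")
    if domain == official or domain.endswith("." + official):
        return "official"
    if domain in FREE_MAIL:
        return "free-mail"
    brand = official.split(".")[0]        # "amazon" from "amazon.com"
    labels = domain.split(".")
    registrable = ".".join(labels[-2:])   # naive: ignores suffixes such as co.uk
    # Brand name embedded in a different domain (amazoncareers.com).
    # Very short brand names will over-match; treat the result as triage only.
    if any(brand in label for label in labels):
        return "lookalike"
    # Near-miss spelling of the real domain (amaz0n.com)
    if edit_distance(registrable, official) <= 2:
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed sample addresses
    for addr in ("hr@jobs.amazon.com", "hiring@amazoncareers.com",
                 "jane.recruiter@gmail.com", "hr@amaz0n.com"):
        print(addr, "->", classify_sender(addr, "amazon.com"))
```

Take the official domain from the company's own website, typed by hand, never from the message being checked.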
How to Protect Yourself as a Job Seeker
Before you apply:
- Verify the company's website independently — don't click links in the job posting. Type the domain yourself. Run it through RiskScope if you're not sure it's real
- Check that the job posting also appears on the company's official careers page
- Search the recruiter's name + the company name. Do they appear in any real context?
During the process:
- Never provide your SSN, bank details, or government ID until you have a signed contract, have verified the company is real, and have spoken with HR through a verified company email
- Conduct a reverse image search on the recruiter's profile photo — scammers frequently use stock images or stolen photos
- If the interview is video-only and the camera is "broken" on their end, treat it as a red flag
- Legitimate employers never ask you to pay for equipment, training, background checks, or visas
If something feels wrong:
- Check the company's official LinkedIn or website for any fraud warnings (many companies post them when impersonation is active)
- Report the posting to the platform (LinkedIn, Indeed, ZipRecruiter all have reporting mechanisms)
- File a report with the FTC at ReportFraud.ftc.gov and the FBI's IC3 at ic3.gov
Part 2: Fake Candidates — When the Job Seeker Is the Scammer
This is the less-discussed direction of job fraud, and in some respects the more alarming one.
The North Korea IT Worker Programme
Since approximately 2017, North Korea has been running a large-scale operation in which trained IT workers — many recruited as teenagers from state schools — use stolen identities and AI-generated profiles to apply for remote tech roles at Western companies.
The scale is significant:
- Security firm Pindrop estimates 1 in every 343 job applicants is now a North Korean operative
- The UN estimates the programme generates $250 million to $600 million per year for the regime
- Nine security officials who spoke to Axios all said they had yet to find a Fortune 500 company that hadn't inadvertently hired one
- CrowdStrike (which tracks the group as "Famous Chollima") recorded 304 incidents in 2024 alone
These workers are not simply collecting a salary. They:
- Hold multiple jobs simultaneously — sometimes six or seven at once — using AI tools to manage workloads across different companies
- Exfiltrate proprietary code and source files during their employment
- Extort their former employers after leaving, threatening to leak stolen data if ransoms aren't paid (the FBI confirmed this pattern in January 2025)
- Use deepfake video and voice-altering tools during interviews to pass as local candidates
In November 2025, CNN reported that North Korean operatives had set up a fake recruitment platform mimicking Lever (a widely-used headhunting tool) to target job seekers at US AI companies — flipping the scam entirely: now they're targeting candidates too.
The Department of Justice has documented at least $88 million in losses to US businesses from this programme across six years.
Other Fake Candidate Patterns
Beyond the North Korea operation, companies face:
- Fake CVs generated by AI — tools now produce realistic work histories, complete with plausible company names, roles, and tenure
- Stolen professional identities — real LinkedIn profiles scraped and cloned with minor alterations
- Candidate farms in Southeast Asia — organised groups providing fake references, answering technical screening tests, and coaching operatives through interviews in real time
One company (Socure) noted that a senior engineering role that previously attracted 150–200 applications over several months suddenly received over 1,999 applications in two months. Nearly all were fraudulent.
Red Flags: Fake Candidates
- Résumé addresses are in remote or implausible locations — rural areas with no plausible tech scene
- Generic American-sounding names — an unusually common pattern noted by security researchers (e.g. "Mike Smith", "Thomas Williams")
- Reluctance to be on camera, or camera that's perpetually "broken" during video interviews
- Inconsistent accent or speech patterns — voice-altering tools are imperfect, particularly under stress
- GitHub or portfolio that was set up recently with suspiciously polished, generic projects
- Surge in applications for a single role — beyond what is plausible for the market
- Requests to use personal devices or unusual software once hired
How to Protect Yourself as a Hiring Company
During hiring:
- Require live video interviews with camera on. Ask candidates to hold up a piece of paper with today's date and their name written on it at the start of a call
- Conduct identity verification against government-issued documents — and match them against the face on the call
- Ask location-specific, spontaneous questions ("What's the weather like where you are right now?", "What's your nearest major airport?") — scripted operatives often struggle with improvisation
- One CrowdStrike researcher recommends asking candidates to comment on North Korean leadership. Operatives have reportedly hung up rather than answer
After hiring:
- Monitor access logs — are large volumes of code or documentation being downloaded?
- Limit access to sensitive repositories until the employee has been verified and established
- Use endpoint monitoring for remote employees, particularly in the first 90 days
- Implement strict offboarding procedures: revoke all access immediately on departure, before any exit conversation
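One way to turn the access-log and first-90-days points above into a concrete check, as an added example that is not part of the original article: the log format, account names, start dates and both thresholds are constructed assumptions, so adapt them to whatever your source-control or document platform actually exports.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample log (not real data): date,user,action,repo,bytes
SAMPLE_LOG = """\
2025-03-03,asmith,clone,payments-api,48000000
2025-03-03,asmith,clone,auth-service,51000000
2025-03-03,asmith,download,design-docs,912000000
2025-03-03,asmith,clone,infra-terraform,22000000
2025-03-03,bjones,clone,payments-api,48000000
2025-03-04,asmith,clone,mobile-app,30000000
2025-03-04,cwu,download,design-docs,912000000
"""
# Constructed HR start dates; cwu is a long-tenured employee
START_DATES = {"asmith": date(2025, 2, 24), "bjones": date(2025, 2, 24),
               "cwu": date(2021, 6, 1)}

WATCH_DAYS = 90                   # the "first 90 days" window from the article
MAX_REPOS_PER_DAY = 3             # assumed threshold; tune to your own baseline
MAX_BYTES_PER_DAY = 500_000_000   # assumed threshold (about 500 MB)

def flag_new_hire_bulk_access(log_text, start_dates):
    """Return sorted (day, user, distinct_repos, total_bytes) rows over threshold."""
    repos = defaultdict(set)
    volume = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5 or row[2] not in ("clone", "download"):
            continue                      # skip blank, malformed or irrelevant rows
        day, user, _action, repo, size = row
        started = start_dates.get(user)
        # An account with no HR record is treated as day zero: it needs review anyway
        tenure = (date.fromisoformat(day) - started).days if started else 0
        if tenure >= WATCH_DAYS:
            continue                      # established employee, outside the window
        repos[(day, user)].add(repo)
        volume[(day, user)] += int(size)
    return sorted(
        (day, user, len(repos[(day, user)]), volume[(day, user)])
        for (day, user) in repos
        if len(repos[(day, user)]) > MAX_REPOS_PER_DAY
        or volume[(day, user)] > MAX_BYTES_PER_DAY
    )

if __name__ == "__main__":
    for hit in flag_new_hire_bulk_access(SAMPLE_LOG, START_DATES):
        print("REVIEW:", hit)
```

A hit is a prompt for a human to review the account, not proof of exfiltration; legitimate onboarding can also involve cloning several repositories in a day.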
For your recruitment process:
- Verify third-party staffing firms — Microsoft has identified them as one of the largest attack vectors
- Cross-check candidate profiles across multiple platforms. A real professional has a trail that's consistent over time
- Run the candidate's claimed employer domains through a threat intelligence tool if anything feels off
The Overlap: Scam Sites Posing as Employers
A subset of job scams involves entirely fabricated company websites — built to look like real businesses, complete with fake employee directories, LinkedIn pages, and job listings.
If you receive an unsolicited job offer from a company you've never heard of, run their domain through RiskScope before engaging. Scam employer sites often share common signals: domains registered recently, no SSL, addresses that don't match any real business registration, and threat database flags.
Quick Reference
Job Seeker Checklist
- Found the job on the company's official careers page, not just a job board
- Recruiter's email uses the company's real domain
- Company website passes a basic legitimacy check
- No request for payment, SSN, or bank details before a contract is signed
- Interview involved a real, verifiable person on camera
- Offer timeline was realistic (days, not hours)
Hiring Company Checklist
- Video interview with camera-on requirement enforced
- Government ID verified against the face on the call
- Candidate's professional history cross-checked across platforms
- New hire access to sensitive systems is staged, not immediate
- Offboarding procedure revokes all access on the day of departure
- Third-party recruiters have been briefed on fake candidate risks
Check Any Website Involved in a Job Process
If you've received a job offer from a company you can't verify, run their website through RiskScope before sharing any personal information.
Sources: FTC — Job Scams, NBC News, Axios — North Korea IT Workers, Fortune — Famous Chollima, CNN — Fake Job Portal, Pindrop / Fortune, Bitdefender, PasswordManager.com, The Register