● Dark Reading 📅 25/03/2026 at 16:05

Phishers Pose as Palo Alto Networks' Recruiters in Job Scam

Cybersecurity 👤 Elizabeth Montalbano
A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles.

Elizabeth Montalbano, Contributing Writer, March 25, 2026

Attackers have been impersonating recruiters from Palo Alto Networks since last August in a series of phishing campaigns targeting senior-level professionals for financial gain.

Palo Alto Networks' Unit 42 researchers have been tracking the sophisticated social engineering campaigns, which use scraped LinkedIn data to create "highly personalized" lures, for the past seven months, according to a threat report published this week.

"The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate's curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee," Unit 42 senior manager Justin Moore wrote in the post.

Unit 42 has fielded "multiple reports" of the attacks, which use flattering language, highly specific details from the victims' LinkedIn profiles, and legitimate company image logos in the email signature block.

The end result of a successful attack is that victims are asked to pay a fee in the range of $400 to $800 to free their résumé from a bureaucratic hold-up and continue with what they think is a legitimate recruitment process. In this way, they are not only duped into thinking they are in line for a position at Palo Alto Networks, they also are defrauded.

Recruiting Scheme Attack Chain

Attackers initiate the scam by posing as Palo Alto Networks' representatives in emails sent to senior job candidates that appear legitimate.
This establishes a rapport and builds trust with potential victims.

During this phase, the threat actors use the psychological tactic of flattery in the form of telling the candidates that they were "truly impressed" with their employment history and experience. They also point out milestones in the person's career using data scraped from LinkedIn to appear as if they have been specifically following the victim's trajectory as they consider them for a particular position.

Once attackers achieve engagement, they then manufacture a crisis in the form of a stumbling block to the recruitment process. They do this by falsely claiming that a candidate's résumé failed to meet the applicant tracking system (ATS) requirements. An ATS, according to Moore, is an online tool that analyzes résumés for proper formatting, structure, and keyword optimization to make sure the résumés will pass automated checks before being approved for human recruiters.

"This psychological tactic increases the urgency and willingness of the victim to comply with the attacker's offer of 'executive ATS alignment,'" Moore noted.

At this point, the "recruiter" hands off the "candidate" to an expert who offers various price points to provide this alignment and get the recruitment process back on track. The fake offers have three pricing schemes: executive ATS alignment for $400; leadership positioning package for $600; and end-to-end executive rewrite for $800.

"In reported incidents, the 'recruiter' then implies that the 'review panel' has already begun, and that the candidate needs to update their CV within a set timeframe," Moore wrote. "The 'expert' then communicates that they can deliver the CV within only a matter of hours, which is within the ostensible review window."

Adding this manufactured sense of urgency could push a "candidate" into paying for one of the fake offers and thus being defrauded.
Unit 42 did not share if anyone who reported the scam made payments to the attackers.

Phishing Vigilance Required

Recruitment scams like these are not uncommon, yet they can still cause not only financial damage to victims but also reputational damage to the organizations impersonated, Moore noted.

Indeed, cybercriminals have dangled what look like legitimate employment offers in phishing scams to increase the likelihood that someone will take the bait. North Korean threat actors such as Lazarus in particular are notorious for various malicious job recruitment campaigns such as "Dream Jobs" and others to gather intelligence and commit other malicious activity.

Unfortunately, these scams harm the legitimate recruitment process of organizations by weaponizing "the complexity of modern hiring by manufacturing artificial bureaucratic barriers and high-pressure review windows to solicit fees," Moore wrote. He assured prospective candidates that Palo Alto Networks would never ask them to pay for résumé optimization services, and remains "committed to a transparent and ethical hiring process."

Any professional who receives employment outreach that creates a sense of financial urgency or directs them to a third-party "expert" for a paid service should view it as "a fraudulent attempt to exploit your professional ambitions," Moore advised.

If anyone finds themselves targeted by this scam, they should immediately cease communicating with the individual and report the incident to Palo Alto Networks by emailing infosec(at)paloaltonetworks(dot)com.
They also should flag the incident on LinkedIn and secure all professional, social media, and email accounts with new passwords and multifactor authentication (MFA) to ensure they have not been compromised, he said.