Real Recruiter Email vs Phishing Email
How to tell a genuine recruiter outreach from a phishing email using job-offer language to steal credentials or data.
Last reviewed: 1 June 2026
Phishing emails using recruitment language are effective because job seekers — and even professionals not actively searching — are often receptive to outreach about new roles. These emails mimic real recruiter communications, name real companies, and link to convincing but fake login portals or document downloads. Their goal is to steal credentials by directing you to a fake job-application portal, or to install malware via a CV or job-description attachment. Genuine recruiter emails can always be verified by checking the sender's domain, the role on the company's official careers page, and the recruiter's profile through independent channels.
Side-by-side comparison
| | Real recruiter email | Phishing email |
|---|---|---|
| Sender domain | Sent from a recognisable company or agency domain, not a free provider | Sent from a generic free-email domain or a lookalike company domain |
| Role verification | Role verifiable on the company's official careers page | Role not listed anywhere publicly; details are vague |
| Attachment | No attachment in a first-contact email; links go to official careers site | PDF or Word attachment to 'view the full job description' |
| Link destination | Application links go to the company's recognised careers domain | Link goes to an unfamiliar domain asking you to log in |
| Credential request | Applications go through the official jobs portal; no password is requested by email | Asks you to log in to a new portal to 'view the offer' |
| Personalisation | References specific experience relevant to your background | Generic opener; could have been sent to anyone |
Common red flags
- Sender email from a free provider (such as Gmail or Yahoo) rather than a company domain
- Lookalike company domain with subtle misspellings
- Attachment in a cold-outreach email — PDF, Word, or ZIP
- Link to an unfamiliar login portal asking for credentials
- Job description vague or completely generic
- Urgency to click or respond within hours or 'the opportunity will be filled'
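The first four red flags can be checked mechanically before a message is opened in a mail client. The following is an added example, not part of the original guide: a triage function over a parsed message, where the `.test` domains, the short free-provider list, the attachment extensions and the edit-distance threshold of 2 are all assumptions chosen for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_PROVIDERS = {"gmail.com", "yahoo.com"}  # assumption: extend with your own list
RISKY_EXT = (".pdf", ".doc", ".docx", ".docm", ".zip")

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of a domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_under(host, domain):
    return host == domain or host.endswith("." + domain)

def red_flags(msg, company_domain):
    """Return the red flags found in a first-contact message."""
    flags = []
    # Use the real address from the From header, not the display name.
    sender = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if sender in FREE_PROVIDERS:
        flags.append("free-provider sender: " + sender)
    elif not is_under(sender, company_domain) and edit_distance(sender, company_domain) <= 2:
        flags.append("lookalike sender domain: " + sender)
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append("attachment: " + name)
        elif part.get_content_maintype() == "text":
            for url in re.findall(r"https?://[^\s\"'<>]+", part.get_content()):
                host = (urlparse(url).hostname or "").lower()
                if not is_under(host, company_domain):
                    flags.append("link off company domain: " + host)
    return flags

def make_message(sender, body, attachment=None):
    """Build a constructed sample message (not a real email)."""
    m = EmailMessage()
    m["From"] = sender
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m
```

An empty result only means none of these four checks fired; a message from a compromised real account passes all of them, so the verification steps still apply.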
Verification steps
- Search the recruiter's name on a professional networking site independently to verify they work at the stated company
- Check the company's official careers page for the role mentioned
- Navigate to the careers portal directly from the company's official website — not via the email link
- Do not open attachments from unknown senders; request that documents be shared via the official portal
- If in doubt, contact the company's HR team directly using contact details from their official website
What not to do
- Don't open attachments in a first-contact recruiter email without verifying the sender independently
- Don't log in to a portal reached via an email link without verifying it is the company's official domain
- Don't provide personal data, documents, or bank details early in the process without verification
- Don't assume a professional email signature makes a sender legitimate
A safe response
Verify the recruiter and the role independently before clicking any links or opening any attachments. If the role exists and the outreach appears genuine, contact the recruiter via the contact details on their verified professional profile rather than replying directly to the email.
Frequently asked questions
Why would phishers use job-offer themes?
Recruitment emails have high open rates and prime people to share personal information and click application links. The job-offer context lowers suspicion and provides a natural reason to request data.
Should I ever open attachments from recruiters?
It is safer to request that any document be shared via the company's official portal or a known professional service rather than opening email attachments from a first contact. Macro-enabled Office documents and PDFs can carry malware.
What if the email came from a real company domain?
A real company's domain can appear in the display name while the actual sending address differs, or an attacker may have compromised a real account. Always verify the recruiter and role independently regardless of how the sender address appears.