LinkedIn Recruiter Phishing Scam
Fake recruiters contact job seekers on LinkedIn with attractive roles, then move the conversation off-platform to harvest personal data, charge fake onboarding fees, or deliver malware disguised as job documents.
Last reviewed: 5 July 2026
What this scam is
This scam uses LinkedIn's professional context to lend false credibility to fake job offers. Because LinkedIn is where genuine recruiters do operate, users are primed to trust unsolicited outreach about jobs far more than they would trust the same message on a general social platform.
Scammers create profiles impersonating recruiters at real or plausible-sounding companies, often copying photos and job titles from genuine employees to appear legitimate. They target active job seekers, especially those who have marked themselves as 'open to work', and use the appeal of a high salary or fully remote role to get a conversation started.
The end goal varies: some variants harvest personal and financial data under the guise of onboarding paperwork, some charge fake fees for equipment, background checks, or visa processing, and others deliver malware through a document sent as a 'job description' or 'assessment task'.
How it works
The fake recruiter sends a connection request or InMail referencing the target's actual skills or job title, making the approach feel personalised. Once connected, they describe an attractive remote role and quickly propose moving the conversation to WhatsApp, Telegram, or personal email, claiming LinkedIn messaging is 'just for initial contact'.
Off-platform, the scammer sends an attachment described as a job description, skills assessment, or onboarding form. In malware variants, this file is designed to install remote-access tools or credential-stealing software when opened. In data-harvesting variants, the file is a form requesting a passport or ID scan, bank account details, and a tax identification number, framed as standard new-hire paperwork.
Some versions add a financial component: the target is told to purchase a laptop, software licence, or visa-processing service themselves and will be 'reimbursed' after starting, with payment sent to an account the scammer controls. Once the requested information or payment is obtained, the recruiter goes silent. The job offer was never real.
Why this scam works
Job searching is stressful and time-pressured, and an unsolicited offer that seems to match the target's exact skill set feels like validation rather than a sales pitch. Because the approach happens inside a professional network built on the premise of legitimate hiring, the target's guard is naturally lower than it would be for a cold email.
Moving quickly to a private channel also removes the target from LinkedIn's own reporting tools and profile-verification signals, while the promise of onboarding paperwork mimics a process every employee has genuinely gone through before, making requests for sensitive documents feel routine rather than alarming.
A typical pattern
A job seeker updates their LinkedIn profile to 'open to work' and soon receives a message from an account presenting itself as a recruiter at a well-known type of company, offering a remote role at a salary well above market rate. The recruiter moves the conversation to a messaging app within a few exchanges, citing LinkedIn's message limits, and sends a PDF 'job description' to review. The job seeker, excited about the opportunity, opens the attachment, which installs a small background program while displaying a normal-looking document. Over the following days the 'recruiter' asks for a scanned copy of an ID and bank details for 'payroll setup' before the offer. Once these are provided, the recruiter stops responding, and the job seeker later finds unfamiliar charges on their account and signs of identity misuse.
Common red flags
- Recruiter pushes to move off LinkedIn to WhatsApp or Telegram almost immediately
- Salary offered is significantly above market rate for the role and experience level
- Interview process skips a live video call entirely
- Request to pay for equipment, training, or visa processing before starting
- Attachment described as a job description or assessment arrives as an executable or macro-enabled file
- Recruiter's LinkedIn profile has few connections, little history, or was created recently
- Request for a passport scan or bank details before any formal offer letter is issued
- Company careers page has no listing matching the advertised role
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi [name], I came across your profile and think you'd be a great fit for a remote [role] position at [company] paying [amount]. Let's continue on WhatsApp for faster communication.
Please review the attached job description and skills assessment and let us know your availability for onboarding this week.
Congratulations, you've been selected! To proceed with onboarding, please complete the attached form with your ID and bank details for payroll setup.
You'll need to purchase your work laptop through our approved vendor at [link]; this will be reimbursed in your first paycheck.
Common variations
- Malware-laden 'job description' or 'skills test' attachment that installs remote-access software
- Advance-fee variant demanding payment for equipment, training materials, or visa sponsorship
- Fake background-check or reference-check portal that harvests personal identification data
- Interview-by-chat scam that never progresses to a real video call, avoiding identity exposure
- Reshipping or 'mystery shopper' job offer used to launder stolen goods or money
- Cryptocurrency-based 'signing bonus' that requires the target to first send a small deposit to unlock funds
How to verify before you act
Search for the company's genuine careers page and confirm the role is actually listed there, and try to find the recruiter's profile independently through the company's official website or a general search rather than trusting the LinkedIn profile alone. A real recruiter's history, mutual connections, and posting activity will generally be consistent and long-standing.
Before opening any attachment, verify the sender's identity through a separate channel, such as calling the company's published switchboard number and asking to confirm the recruiter's employment. Legitimate employers never ask candidates to pay for equipment, visas, or background checks upfront, and genuine onboarding paperwork is handled through verified company HR systems, not personal messaging apps.
Payment methods used
- Cryptocurrency
- Bank/wire transfer
- Gift cards
- Money transfer services
- Payment apps to 'friends & family'
Who is usually targeted
- Active job seekers
- Recent graduates
- Remote-work seekers
- Professionals marked 'open to work'
What to do immediately
- Stop all communication and do not open any further attachments from the sender
- Run a full antivirus scan if you already opened a suspicious attachment
- Do not send any ID documents, bank details, or payments if you have not already done so
- If you already shared financial details, contact your bank to monitor or freeze the affected account
- Report and block the recruiter profile through LinkedIn's reporting tools
- Change passwords on any accounts where you reused credentials sent to the scammer
How to prevent it
- Verify any recruiter's identity through the company's official careers page or switchboard before engaging further
- Never open attachments from unsolicited recruiters without independently confirming their identity first
- Refuse to pay any upfront fee for equipment, training, visas, or background checks as a condition of employment
- Keep job-related conversations on LinkedIn's platform where reporting tools and message history are preserved
- Be cautious of salaries significantly above market rate for the stated role and location
- Use antivirus software and avoid opening executable or macro-enabled files from unknown senders
- Report suspicious recruiter profiles to LinkedIn so the account can be investigated and removed
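Added example (not part of the original page): a small Python check for the red flag and the prevention tip above about attachments that arrive as executable or macro-enabled files. It inspects a file's name and raw bytes without opening or running it and returns a SHA-256 hash that can be quoted in a report. The function names, extension lists, and sample files are assumptions constructed for illustration; the extension lists are not exhaustive.

```python
import hashlib
import io
import zipfile
from pathlib import PurePath

RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk",
             ".msi", ".iso", ".docm", ".xlsm", ".pptm"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office / MSI container header

def triage(name: str, data: bytes) -> dict:
    """Inspect an attachment's name and raw bytes without opening or running it."""
    flags = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    last = suffixes[-1] if suffixes else ""
    if last in RISKY_EXT:
        flags.append(f"risky extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT:
            flags.append("double extension disguises the file as a document")
    # Content checks: what the bytes are, regardless of what the name claims.
    if data[:2] == b"MZ":
        flags.append("content is a Windows executable")
    elif data[:8] == OLE2:
        flags.append("legacy Office/OLE container, which can carry macros")
    elif data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                members = [m.lower() for m in z.namelist()]
        except zipfile.BadZipFile:
            members = []
            flags.append("malformed ZIP container")
        if any(m.endswith("vbaproject.bin") for m in members):
            flags.append("Office file contains a VBA macro project")
    if last == ".pdf" and not data.startswith(b"%PDF-"):
        flags.append("named .pdf but content is not a PDF")
    # The hash identifies the exact file in a report without sharing the file.
    return {"name": name, "sha256": hashlib.sha256(data).hexdigest(), "flags": flags}

def sample_macro_docx() -> bytes:
    """Constructed sample: ZIP with the member a macro-enabled Word file contains."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    samples = [("Job_Description.pdf.exe", b"MZ\x90\x00"),   # constructed
               ("Assessment.docx", sample_macro_docx()),      # constructed
               ("role.pdf", b"%PDF-1.7\n")]                   # constructed
    for file_name, content in samples:
        print(triage(file_name, content))
```

An empty flag list only means none of these specific checks fired; it does not replace confirming the sender's identity before opening the file.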
Evidence to preserve
- Full message history with the fake recruiter, including timestamps
- Copies of any attachments received (kept unopened on a secondary device if malware is suspected)
- Screenshots of the recruiter's LinkedIn profile before it is removed or deleted
- Any payment or bank transfer records related to the interaction
- The job posting or offer text as originally sent
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Is it normal for a recruiter to move the conversation to WhatsApp?
Some genuine recruiters do use messaging apps for scheduling, but a legitimate hiring process will still involve verifiable company email addresses, a real interview, and no request for upfront payments or sensitive documents before a formal offer.
I opened a suspicious attachment from a fake recruiter. What should I do?
Disconnect the device from the internet, run a full antivirus and anti-malware scan, and consider having the device professionally checked if you handle sensitive work or financial data on it. Change passwords for important accounts from a different, clean device.
How can I check if a job posting is genuine?
Go directly to the company's official careers page or a well-known job board and search for the exact title. If the role does not appear there, or the recruiter cannot be found through the company's official channels, treat the offer as unverified.