Recruitment phishing: new scams impersonate major brands like FIFA

Scammers are creating fake hiring pages that impersonate major brands, including FIFA, to steal login credentials. These pages imitate real recruiting flows, with recruiter profiles, calendar invites, and familiar sign-in buttons. In this investigation, our threat researchers examine this recruitment scam pattern and share their findings, alongside hints on staying protected.

As excitement builds around the 2026 World Cup, scammers are exploiting FIFA’s trusted brand to target unsuspecting victims. But while many fraudsters are leveraging the hype through World Cup ticket scams, others take a different route: fake job opportunities.

Threat researchers at Gen (the company behind Norton) are finding fake hiring pages that impersonate FIFA, as well as other well-known brands, in order to phish for login credentials. These polished pages use familiar elements such as a recruiter profile, a scheduling prompt, and a “Continue with Google” button, making them more believable than clumsy pop-ups or email spam.

According to the most recent available FTC fraud data, business and job opportunity scams are a major fraud category in the U.S., resulting in $150.4 million in total losses during the last quarter of 2025 alone. Norton survey research on job scams found that 33% of U.S. respondents have encountered one, with one in four people who saw one falling victim.

How these recruitment scams work

From the job seeker’s perspective, these recruitment scams often look like a routine step in the hiring process. You click a link and land on a branded recruitment page that shows FIFA’s logo, a recruiter profile, and a prompt to schedule an interview or introductory call.

In some cases, the “recruiter’s” name and picture are lifted directly from the public LinkedIn profile of a real person, adding a veneer of legitimacy.

Example of a recruitment phishing website impersonating FIFA.

The page then prompts you to sign in using a familiar option, usually your Google account. Some versions even reject personal email addresses and request business credentials instead. For scammers, corporate accounts are far more valuable, as they can provide access to company systems, internal files, and coworkers who can be targeted next — potentially leading to broader data breaches.

A fake Google sign-in page pushing the user to enter their business email.

Once you enter your login details, they go straight to the scammers. The page looks routine, but the goal is simple: to move you from “interested in a job” to “entering credentials” with as little friction as possible.

Revealing your Google login credentials could expose you to account compromise, data theft, identity theft, and follow-up scams targeting your contacts or coworkers.

Behind the scam: What our threat researchers found

When Norton threat researchers investigated these fake FIFA hiring pages, they found pages that look polished on the surface but display major warning signs under closer inspection. Here’s an in-depth look at one such fake job posting.

The first clue was the domain. The fake page didn’t sit on FIFA’s official hiring web domain. Instead, it lived on fifahiring[.]com, which combines FIFA’s name with a hiring-related term to look legitimate.

Other examples our threat researchers found included careers-fifahiring[.]com and fifajobs[.]com. These pages are often ephemeral: when they’re taken down, they’re quickly replaced by new scam pages with similarly spoofed or typosquatted domains.

Security tip: FIFA’s only legitimate hiring pages at the time of writing are jobs.fifa.com and fifa.pinpointhq.com. Any other website claiming to offer FIFA jobs or recruitment opportunities is likely to be fraudulent.
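The domain check described above can be automated for a mail gateway or proxy log review. The following is an added example, not code from Gen or Norton: it treats the two hosts named in the security tip as the allowlist and flags any other hostname that combines the brand with a hiring-related word. The function names and result labels are assumptions made for illustration.

```python
import re

# Official FIFA hiring hosts named in the article (at the time of writing).
OFFICIAL_HOSTS = {"jobs.fifa.com", "fifa.pinpointhq.com"}
# Hiring-related words scammers wrap around a brand name.
HIRING_WORDS = ("jobs", "careers", "hiring", "talent", "opportunities")
BRAND = "fifa"


def normalize(value: str) -> str:
    """Undo defanging ([.] -> .), drop scheme, path, userinfo and port."""
    host = value.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.rstrip(".")


def classify(value: str) -> str:
    """Return 'official', 'lookalike-hiring', 'brand-unverified' or 'unrelated'."""
    host = normalize(value)
    if host in OFFICIAL_HOSTS:
        return "official"
    # Collapse hyphens so "careers-fifahiring" and "fifa-jobs" compare alike.
    labels = [label.replace("-", "") for label in host.split(".")]
    if not any(BRAND in label for label in labels):
        return "unrelated"
    if any(word in label for label in labels for word in HIRING_WORDS):
        return "lookalike-hiring"
    return "brand-unverified"  # brand present, but not on the hiring allowlist


if __name__ == "__main__":
    # Domains quoted in the article, plus constructed edge cases.
    for item in ("fifahiring[.]com", "careers-fifahiring[.]com", "fifajobs[.]com",
                 "https://jobs.fifa.com/careers", "jobs.fifa.com.example.net"):
        print(f"{item:32} {classify(item)}")
```

The exact-match allowlist is deliberate: a host such as `jobs.fifa.com.example.net` contains an official name as a prefix but is still flagged.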

Other technical signals raised concern. The domain and certificate were newly created, and the site used common web-hosting services such as Vercel and Render instead of infrastructure that looked like a corporate hiring environment.

But the clearest red flag was the sign-in experience. The Google sign-in prompt was not a real Google authentication window. It was rendered inside the page itself, meaning the user never actually left the fake hiring site for a Google-controlled login page. The visible buttons and links did not work as expected, and the page appeared to load only Google’s favicon (the small browser icon representing Google) to make the fake login box look familiar.

The smoking gun? Login details were sent to a malicious domain not connected to Google or FIFA — meaning any data entered was exfiltrated straight to fraudsters.
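The two sign-in findings above (a password box rendered inside the hiring page, and credentials sent somewhere other than Google) can be checked against a saved copy of a page. This is an added example, not the researchers' tooling: it assumes the fake box is a plain HTML form with an `action` attribute, and the sample markup and `collector.example` are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

IDP_SUFFIX = "google.com"  # a genuine Google password prompt lives under this
# Constructed sample: an in-page "Google" box; collector.example is a placeholder.
SAMPLE = """<div class="modal"><img src="https://www.google.com/favicon.ico">
<form action="https://collector.example/submit" method="post">
<input type="email" name="email"><input type="password" name="pw"></form></div>"""


def on_idp(host):
    return host == IDP_SUFFIX or host.endswith("." + IDP_SUFFIX)


class FormScan(HTMLParser):
    """Record the action of every <form> that holds a password input."""

    def __init__(self):
        super().__init__()
        self.action = ""          # action of the form currently open
        self.password_actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action") or ""
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_actions.append(self.action)

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = ""


def audit(page_url, html):
    """Return findings for password fields shown or submitted off the IdP."""
    page_host = urlparse(page_url).hostname or ""
    scan = FormScan()
    scan.feed(html)
    findings = []
    for action in scan.password_actions:
        target = urlparse(urljoin(page_url, action)).hostname or ""
        if not on_idp(page_host) and "google" in html.lower():
            findings.append(f"google-branded password field on {page_host}")
        if not on_idp(target):
            findings.append(f"password submitted to {target}")
    return findings
```

Pages that send credentials from script rather than a form action need a network capture instead; this check only covers static markup.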

Examples beyond FIFA

When our threat researchers investigated further, they found that these fake recruitment pages extend well beyond FIFA imitations, affecting at least a dozen employers. The brands varied, but the setup stayed largely the same: The scam page impersonates a trusted company, urges job seekers to schedule a meeting, and pushes them toward a fake sign-in step.

Since May 1, 2026, Gen products, including Norton, have blocked these recruitment scam attacks more than 250 times, according to internal product data, although the true scale of the problem remains unknown. New malicious URLs are being created as quickly as others can be taken down.

These recruitment pages were found impersonating companies including:

  • Aquent.
  • Coca-Cola.
  • Delta.
  • Hays.
  • Heineken.
  • Hilton.
  • Netflix.
  • PepsiCo.
  • Spotify.

Some examples varied slightly from the main pattern. For instance, a few used a fake Facebook sign-in button instead of a fake Google sign-in button.

Recruitment scam page impersonating Heineken.
Recruitment scam page impersonating Hays.
Recruitment scam page impersonating Aquent.

How to spot fake recruitment pages before you enter credentials

A polished hiring page does not prove a job is real. Scammers can copy logos, photos, job language, and sign-in buttons from legitimate sites. And, thanks to AI, malicious websites are becoming disturbingly easy to create — giving rise to what our threat researchers have dubbed “VibeScams.”

Before entering your email or password, pause and check the page itself. Look for warning signs like these:

  • The domain does not match the company’s official careers site.
  • The web address adds words like “jobs,” “careers,” “hiring,” “talent,” or “opportunities” around a brand name.
  • The page pushes you to provide a business email before you have verified the job.
  • The sign-in box appears inside the hiring page instead of opening on the real Google, Microsoft, Facebook, or LinkedIn domains.
  • Since the sign-in box is fake, your password manager won’t recognize it and won’t autofill your login credentials — which is another security advantage of password managers.
  • Buttons, links, or menu items on the sign-in window do not work.
  • The job page came from an unsolicited message, social post, or ad.
  • The page pressures you to schedule quickly or uses urgent language.

The safest way to check a job page is to start from the company’s official website. Do not rely only on a link someone sent you. Enter the company’s URL directly into your browser’s address bar and find the careers page from there. In some cases, even a Google search may surface fraudulent results, because scammers can use SEO poisoning tactics or paid ads to place fake job listings near the top of search results.

What to do if you fell for a recruitment phishing scam

If you entered a password on a fake recruitment page, act quickly:

  • Change the password for the account you entered. If you reused that password anywhere else, change it there too. Then brush up on password security basics.
  • Check your account recovery settings for new emails or phone numbers you don’t recognize. To do this on Google, tap your profile icon, tap Manage your Google account, then Security & sign in. Check that the Recovery phone and Recovery email are yours. If a scammer added their own recovery option, they may be able to reset your password even after you change it.
  • Check if unknown devices are logged in to your account: Review the list of devices currently signed in to your account and log out of any you don’t recognize. On Google, you can find this under Security & sign in — scroll to Your devices to see where you’re signed in and remove anything suspicious.
  • Turn on multi-factor authentication. Enable 2FA or MFA for potentially affected accounts. This can help prevent someone who has your password from gaining access to your accounts, as they’ll need an extra code sent to your SMS inbox or authenticator app.
  • Report it to your employer’s IT or security team if you entered a work email or work password. They can help secure the account and check for suspicious activity.
  • Watch for follow-up scams from people pretending to be recruiters, HR staff, background-check companies, or payroll teams.
  • Be careful with requests for sensitive information, including ID documents, tax forms, bank details, or payments for training and equipment.
  • Report the fake page to the platform where you found it, the impersonated company, and the relevant fraud reporting authority in your country.

What this all means for consumers

Fake job postings are a reminder that job scams are not limited to suspicious emails or too-good-to-be-true offers: some now look like ordinary hiring pages from trusted brands. The FIFA example is timely, but the lesson is broader: any major brand can be copied, a recruiter profile can be faked, and a familiar sign-in button can be used as bait.

Knowing who to trust online can feel increasingly difficult, which is why AI-powered scam protection is so helpful. These tools add an extra layer of security to your digital life, helping flag suspicious links, malicious websites, and scammy messages.

By Ondrej Mokos, Threat Analysis Engineer
Ondrej Mokos is a Threat Analysis Engineer at Gen, the company behind Norton. Over his 13 years in threat analysis, he has reverse-engineered malware, tracked threat campaigns, and hopefully helped keep people safe along the way. He believes threat intelligence should be clear and practical — written so people understand what cyber risks they actually face.
