
Threat Actors Impersonate Palo Alto Networks Recruiters in Employment Fraud Campaign

Unauthorized actors are targeting senior-level professionals with a sophisticated social engineering campaign that mimics the Palo Alto Networks recruitment process. By understanding this methodology and recognizing manufactured bureaucratic barriers, organizations and candidates can better safeguard their professional identities and financial security.

Triage Security Media Team

Since August of last year, threat actors have conducted a series of targeted social engineering campaigns aimed at senior-level professionals. By impersonating recruiters from Palo Alto Networks, these unauthorized parties seek to establish trust and ultimately defraud candidates under the guise of the hiring process.

Researchers at Palo Alto Networks’ Unit 42 have monitored this activity over the past seven months. According to a recently published threat report, the campaign relies heavily on data gathered from sources including LinkedIn to craft highly personalized communications.

"The specific attack vector uses social engineering and manufactures a bureaucratic barrier regarding the candidate's curriculum vitae (CV) and pushes the candidate toward taking actions such as reformatting their resumes for a fee," Unit 42 senior manager Justin Moore explained.

Unit 42 has documented multiple reports of this methodology. The outreach typically incorporates flattering language, specific career milestones from the targeted professionals' LinkedIn profiles, and legitimate corporate logos within email signatures to simulate authenticity.

If the sequence proceeds, the targeted candidates are instructed to pay a fee ranging from $400 to $800 to clear an administrative hurdle. The goal is to deceive professionals into believing they are advancing in a genuine recruitment process while extracting financial payments.

Recruitment fraud methodology

The threat actors initiate contact via emails that appear as legitimate outreach from Palo Alto Networks representatives. This initial stage is designed to build rapport with the candidate.

During this phase, the unauthorized parties use psychological tactics, expressing admiration for the candidate's work history. By referencing specific career milestones scraped from public professional networks, they create the impression that the company has been actively monitoring the candidate’s trajectory for a specific role.

Once engagement is established, the individuals manufacture a crisis to halt the supposed recruitment process. They falsely notify the candidate that their resume failed to pass the company's applicant tracking system (ATS). An ATS is a standard online tool used to evaluate resumes for formatting, structure, and keyword optimization before a human review.

"This psychological tactic increases the urgency and willingness of the victim to comply with the attacker's offer of 'executive ATS alignment,'" Moore noted.

The "recruiter" then introduces a purported third-party expert who offers tiered pricing to resolve the formatting issue. The fraudulent packages include an "executive ATS alignment" for $400, a "leadership positioning package" for $600, and an "end-to-end executive rewrite" for $800.

"In reported incidents, the 'recruiter' then implies that the 'review panel' has already begun, and that the candidate needs to update their CV within a set timeframe," Moore wrote. "The 'expert' then communicates that they can deliver the CV within only a matter of hours, which is within the ostensible review window."

This artificial sense of urgency is designed to pressure the candidate into paying for the unnecessary service. Unit 42 has not publicly disclosed whether any reporting individuals completed the payments.

Maintaining vigilance in hiring

Recruitment fraud causes immediate financial harm to targeted individuals and can affect the reputation of the impersonated organizations. Similar social engineering campaigns have been documented across the industry to increase the success rate of malicious outreach. For instance, North Korean threat groups, including Lazarus, frequently utilize fraudulent job recruitment operations—such as the known "Dream Jobs" campaigns—to gather intelligence and support unauthorized activities.

These campaigns disrupt legitimate hiring processes. As Moore explained, they succeed by weaponizing "the complexity of modern hiring by manufacturing artificial bureaucratic barriers and high-pressure review windows to solicit fees." He confirmed that Palo Alto Networks remains committed to a transparent hiring process and will never require candidates to pay for resume optimization services.

Any professional receiving employment communications that establish a sense of financial urgency or direct them to a paid third-party service should treat the interaction as a fraudulent attempt to exploit their professional ambitions.

If an individual encounters this specific campaign, Unit 42 recommends ceasing all communication immediately and reporting the event to Palo Alto Networks at infosec(at)paloaltonetworks(dot)com. Additionally, candidates should flag the offending profiles on LinkedIn and secure their professional, social media, and email accounts by updating passwords and enabling multifactor authentication (MFA) to safeguard their digital identity.

About the Author

Elizabeth Montalbano is a contributing freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. She has previously worked as a full-time journalist in Phoenix, San Francisco, and New York City, and currently resides in Portugal.