How a Fake Job Interview Stole My Google Password
I got the email on a Tuesday. "Paulina Manzo, Recruiter at Adidas," it said. Subject line: "Your Marketing Role Is Finalized — Let’s Schedule?" I’d been looking. So I clicked.
The calendar link took me to adidas-hiring[.]com — a domain that looked real enough. The logo, the font, even the subtle shadow under the "Apply Now" button — all perfect. I thought, "This is what modern hiring looks like."
Then came the pop-up.
Not the kind that says "Allow notifications?" — the kind that says "Sign in with Google." Same blue button. Same Google logo. Same "Sign in" field. Even the slight delay before the cursor blinked — it felt human. I typed my email. Then my password.
I didn’t notice it wasn’t Google.
It was HTML. CSS. JavaScript. A ghost window inside a real browser. This isn’t malware. It’s performance art.
The campaign behind this? It’s been running for five months. At least 34 brands are being impersonated — Adobe, Netflix, Coca-Cola, OpenAI, Louis Vuitton, Delta Airlines. Not because they’re hacked. Because they’re used. The attackers don’t need to break into Salesforce or PeopleForce. They just sign up. Legally. Then they route you through Wise Agent, ExactTarget, and finally, the fake site — each leg of the journey stamped with a trusted domain. Your browser doesn’t scream. Your spam filter doesn’t blink.
This isn’t phishing. It’s brand hijacking.
I’ve seen phishing. The ones with bad grammar. The ones with .ru domains. The ones where the sender’s name is "[email protected]." This? This is the new normal. And it’s working.
Why? Because it doesn’t ask you to do anything suspicious. It asks you to do what you already do: apply for jobs. Trust recruiters. Click calendar links. Sign in with Google.
The attacker didn’t need a zero-day. They needed a resume.
I know what you’re thinking: "I’d never fall for that."
I thought that too.
The Ghost in the Redirect Chain
Let’s talk about how this works.
It starts with an email. Not spam. Not bulk. Targeted. Sent to marketing professionals. The subject line? "Follow-up: Your Interview with [Brand]." The sender? A real name. A real photo. Will Thomas from Team Cymru confirmed this. These aren’t bots. These are identities lifted from LinkedIn, company websites, press releases. The attacker didn’t hack anyone. They just copied.
The link? It looks like this: https://peopleforce.com/invite/12345. You click. It redirects to https://exct.net/redirect?to=wiseagent.com/track/abc. Then to https://wiseagent.com/campaign/xyz. Then — finally — to adidas-hiring[.]com.
Each domain? Legitimate. Owned by real companies. Salesforce bought ExactTarget. Wise Agent is a real CRM for real estate agents. PeopleForce? Used by Fortune 500s for hiring.
The attacker didn’t compromise them. They exploited trust.
Your browser sees salesforce.com and thinks, "Safe." It sees wiseagent.com and thinks, "Professional." It sees adidas-hiring.com and thinks, "Oh, they’re hiring? Cool."
No firewall blocks this. No EDR flags it. Because nothing’s malicious — until it is.
This is the real threat: legitimacy as a weapon.
I asked myself: How do you detect this? The answer is: you don’t. Not with tools. Not with rules. You detect it with doubt.
Why Your Security Team Can’t Stop This
I talked to a CISO last week. He said, "We have 17 security tools. We run daily scans. We train employees monthly."
I said, "Did any of those tools stop this?"
He paused. Then: "No."
Here’s why.
Security tools look for malware. Suspicious domains. Unusual outbound traffic. This campaign has none of those. It uses legitimate services. It doesn’t drop a file. It doesn’t open a port. It doesn’t even use PowerShell.
It uses you.
Your trust in Google. Your trust in LinkedIn. Your trust in corporate branding.
The attacker didn’t build a botnet. They built a narrative.
And narratives don’t show up in SIEM logs.
This is why phishing is no longer a technical problem. It’s a human one.
Your team can patch every vulnerability. They can encrypt every database. But they can’t patch your instinct to say, "Oh, this looks legit."
I’ve seen companies spend millions on email gateways that catch 99% of spam. And then lose everything because someone clicked a link that looked like it came from Netflix.
The truth? The best defense isn’t a firewall. It’s a pause.
What You Can Actually Do
I’m not going to tell you to enable MFA. You already do. I’m not going to tell you to report phishing. You know how.
Here’s what actually works:
- Don’t click calendar links from recruiters. If they want to schedule a meeting, they’ll use a calendar invite. Not a link. Not a redirect. A calendar invite. Period.
- If a pop-up asks for your Google password — stop. Google doesn’t ask you to sign in on third-party sites. Ever. If you’re on a job site and a Google window pops up? Close it. Then open a new tab. Type
google.comyourself. - Check the URL. Not the domain. The full path.
adidas-hiring.comis not adidas.com. It’s not even a subdomain. It’s a domain bought by someone who doesn’t work there. - Ask: "Why now?" Why is a recruiter reaching out after you’ve applied? Why are they using a third-party service to schedule? Why not Zoom? Why not Teams? If it feels off — it is.
- Teach your team this: Trust isn’t a feature. It’s a vulnerability.
I didn’t get the job.
I got a notification from Google: "Your account was accessed from a new device."
I changed my password. I enabled MFA. I reported it.
But here’s the thing — I didn’t lose my account.
I lost my trust.
And that’s harder to fix.
The Bigger Picture
This isn’t just about job seekers.
It’s about how we’ve outsourced trust.
We trust LinkedIn to vet employers. We trust Google to protect our identity. We trust CRM platforms to be secure.
But none of those platforms are responsible for what happens after you click.
The attacker didn’t break into Salesforce. They just used it like a bus stop.
And we’re all getting on.
I’m not saying don’t apply for jobs. I’m saying: don’t trust the interface.
The logo isn’t proof. The design isn’t safety. The URL isn’t a guarantee.
Real security isn’t about blocking threats.
It’s about questioning them.
I still get emails from recruiters.
But now? I don’t click.
I open a new tab.
And I type the company name myself.
It’s slower.
It’s safer.
And honestly?
It’s the only thing that works.