
Phishers Pose as Palo Alto Networks' Recruiters for Months in Job Scam

Dark Reading, archived Mar 25, 2026

A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles.



Elizabeth Montalbano, Contributing Writer
March 25, 2026

Attackers have been impersonating recruiters from Palo Alto Networks since last August in a series of phishing campaigns targeting senior-level professionals for financial gain.

Palo Alto Networks' Unit 42 researchers have been tracking the sophisticated social engineering campaigns, which use scraped LinkedIn data to create "highly personalized" lures, for the past seven months, according to a threat report published this week.

"The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate's curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee," Unit 42 senior manager Justin Moore wrote in the post.

Unit 42 has fielded "multiple reports" of the attacks, which use flattering language, highly specific details from the victims' LinkedIn profiles, and legitimate company image logos in the email signature block.

The end result of a successful attack is that victims are asked to pay a fee in the range of $400 to $800 to free their résumé from a bureaucratic hold-up and continue with what they think is a legitimate recruitment process. In this way, they are not only duped into thinking they are in line for a position at Palo Alto Networks, they are also defrauded.

Recruiting Scheme Attack Chain

Attackers initiate the scam by posing as Palo Alto Networks' representatives in legitimate-looking emails sent to senior job candidates. This establishes a rapport and builds trust with potential victims.

During this phase, the threat actors use the psychological tactic of flattery, telling the candidates that they were "truly impressed" with their employment history and experience. They also point out milestones in the person's career, using data scraped from LinkedIn, to appear as if they have been specifically following the victim's trajectory as they consider them for a particular position.

Once attackers achieve engagement, they manufacture a crisis in the form of a stumbling block to the recruitment process. They do this by falsely claiming that a candidate's résumé failed to meet the applicant tracking system (ATS) requirements. An ATS, according to Moore, is an online tool that analyzes résumés for proper formatting, structure, and keyword optimization to make sure the résumés will pass automated checks before being approved for human recruiters.

"This psychological tactic increases the urgency and willingness of the victim to comply with the attacker's offer of 'executive ATS alignment,'" Moore noted.

At this point, the "recruiter" hands off the "candidate" to an expert who offers various price points to provide this alignment and get the recruitment process back on track. The fake offers have three pricing schemes: executive ATS alignment for $400; leadership positioning package for $600; and end-to-end executive rewrite for $800.

"In reported incidents, the 'recruiter' then implies that the 'review panel' has already begun, and that the candidate needs to update their CV within a set timeframe," Moore wrote. "The 'expert' then communicates that they can deliver the CV within only a matter of hours, which is within the ostensible review window."

Adding this manufactured sense of urgency could push a "candidate" into paying for one of the fake offers and thus being defrauded. Unit 42 did not share whether anyone who reported the scam made payments to the attackers.

Phishing Vigilance Required

Recruitment scams like these are not uncommon, yet they can still cause not only financial damage to victims but also reputational damage to the organizations impersonated, Moore noted.

Indeed, cybercriminals have dangled what look like legitimate employment offers in phishing scams to increase the likelihood that someone will take the bait. North Korean threat actors such as Lazarus in particular are notorious for various malicious job recruitment campaigns, such as "Dream Jobs" and others, to gather intelligence and commit other malicious activity.

Unfortunately, these scams harm the legitimate recruitment process of organizations by weaponizing "the complexity of modern hiring by manufacturing artificial bureaucratic barriers and high-pressure review windows to solicit fees," Moore wrote. He assured prospective candidates that Palo Alto Networks would never ask them to pay for résumé optimization services, and remains "committed to a transparent and ethical hiring process."

Any professional who receives employment outreach that creates a sense of financial urgency or directs them to a third-party "expert" for a paid service should view it as "a fraudulent attempt to exploit your professional ambitions," Moore advised.

If anyone finds themselves targeted by this scam, they should immediately cease communicating with the individual and report the incident to Palo Alto Networks by emailing infosec(at)paloaltonetworks(dot)com. They also should flag the incident on LinkedIn and secure all professional, social media, and email accounts with new passwords and multifactor authentication (MFA) to ensure they have not been compromised, he said.
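
The stages described above (flattery, an ATS pretext, a handoff to a paid "expert," a review window) can be checked for when triaging reported mail. The Python below is an added example, not code from Dark Reading or Unit 42. The regexes, the sample messages, and the assumption that genuine recruiter mail comes only from paloaltonetworks.com are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators for each lure stage the article describes. The regexes are
# assumptions made for this example, not Unit 42 detection content.
STAGES = {
    "flattery": re.compile(r"\b(truly|very) impressed\b", re.I),
    "ats_pretext": re.compile(r"\bATS\b|applicant tracking system", re.I),
    "handoff": re.compile(r"\b(expert|specialist|third[- ]party)\b", re.I),
    "paid_service": re.compile(r"\$\s?\d{3,4}\b|\b(fee|payment|invoice)\b", re.I),
    "urgency": re.compile(r"within \d+ (hours?|days?)|review (panel|window)", re.I),
}
BRAND, BRAND_DOMAIN = "palo alto networks", "paloaltonetworks.com"  # domain assumed genuine

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Collect every text/plain part; a message with no Content-Type counts as one.
    body = "\n".join(
        part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    )
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = sorted(name for name, rx in STAGES.items() if rx.search(text))
    claims_brand = BRAND in f"{display}\n{text}".lower()
    lookalike = claims_brand and not (domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN))
    # A payment request tied to the ATS pretext or an "expert" handoff is decisive.
    paid_pretext = "paid_service" in hits and bool({"ats_pretext", "handoff"} & set(hits))
    verdict = "fraud" if paid_pretext else "review" if lookalike or len(hits) >= 2 else "pass"
    return {"verdict": verdict, "stages": hits, "lookalike_sender": lookalike}

# Constructed sample messages (not taken from the reported campaigns).
LURE = """From: "Palo Alto Networks Talent Team" <recruiter@careers.example>
Subject: Senior leadership opportunity

We were truly impressed with your background. Your resume did not pass our applicant
tracking system (ATS) check, so I am referring you to an expert who offers executive ATS
alignment for $400. The review panel has begun; send the updated CV within 24 hours.
"""
GENUINE = """From: "Palo Alto Networks Recruiting" <jobs@paloaltonetworks.com>
Subject: Interview scheduling

Thank you for applying. Are you available for a call next Tuesday?
"""
if __name__ == "__main__":
    print(triage(LURE), triage(GENUINE), sep="\n")
```
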
About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.