Share
RECRUITMENT PHISHING

Fake job-interview emails are stealing Google logins: the Browser-in-the-Browser recruiter scam

A phishing campaign that has run for roughly five months is mailing marketing professionals fake interview invitations from Adobe, Netflix, Coca-Cola, OpenAI, and more than thirty other well-known brands. The payload is a counterfeit "Continue with Google" window that never actually leaves the attacker's page.

Verdict: Scam

A job-interview email that routes you to a "Continue with Google" popup is credential phishing, not a real login. A genuine Google sign-in opens in a separate browser window you can drag anywhere on your screen, including outside the current page, and its address bar reads accounts.google.com. The popup in this scam is a Browser-in-the-Browser (BitB) fake: an HTML and CSS drawing of a browser window rendered inside the malicious page, so it cannot be dragged off the tab and its "address bar" is just painted-on text. Do not enter your Google password in any window that appeared after you clicked an email link. Verify a recruiter by going to that company's official careers page yourself, for example careers.adobe.com or jobs.netflix.com, and never trust a login prompt that arrives inside a page you did not open directly.

The lure: a flattering interview invite from a famous brand

The email reads like a recruiter reaching out, not like a mass blast. A named talent partner from Adobe, Netflix, Coca-Cola, OpenAI, or another household brand writes to say your profile came up for a marketing role, that the team was impressed, and that the next step is a short interview. According to reporting by BleepingComputer in July 2026, the operator behind this campaign has cycled through more than thirty impersonated companies and has been running the scheme for about five months.

What makes it land is the effort behind the personalization. The messages use the real names and headshots of actual recruiters who work at those companies, pulled from public professional profiles. The role, the tone, and the sign-off all match how a genuine talent team writes. For someone in marketing who is quietly open to a move, an interview request from a dream brand is exactly the kind of message that gets clicked without a second thought. This is targeted work, closer to spear phishing built from LinkedIn profiling than to a generic spam run.

Why the email sails past filters: PeopleForce and Salesforce Marketing Cloud

The reason these messages reach the inbox instead of the spam folder is that the operator does not send them from a sketchy server. The campaign abuses two legitimate business platforms to borrow their sending reputation:

  • A real HR recruiting platform (PeopleForce). The operator sets up recruiting workflows on the genuine PeopleForce applicant-tracking service and sends the interview invitations through it. Because the mail leaves from real, well-configured infrastructure, it passes the authentication checks (SPF, DKIM, DMARC) that filters lean on.
  • A Salesforce Marketing Cloud sending domain. Parts of the campaign route through Salesforce Marketing Cloud, another trusted mass-email service. Mail from these domains is rarely blocked outright, so the lure inherits the deliverability of a Fortune 500 marketing team.

BleepingComputer notes that earlier in the campaign the sender simply used Outlook addresses that contained the impersonated company's name, a cruder approach. Moving to PeopleForce and Salesforce infrastructure was the upgrade that let the emails look and route like genuine corporate recruiting mail. The lesson is the same one behind every fake login popup on a trusted-looking site: a message can pass every technical authentication check and still be a scam, because the attacker is renting the reputation, not the brand.

The trap: a Browser-in-the-Browser "Continue with Google"

Click the interview link and you land on a polished job or application page. To proceed, it asks you to sign in with Google, and a familiar "Continue with Google" popup slides up: the white card, the Google "G", the account picker, the email and password fields. It looks pixel-for-pixel like the real thing.

It is not a real Google window. It is a Browser-in-the-Browser attack. The whole popup, including the fake title bar, the fake padlock, and the fake accounts.google[.]com address text, is HTML and CSS drawn inside the malicious page. There is no second browser window. Everything you type into it goes straight to the attacker. We break the technique down in detail in our explainer on how Browser-in-the-Browser (BitB) attacks fake a login window, but the short version is that the "window" is a picture of a window.

The scam works because a real OAuth popup and a fake one look identical to the eye. The difference is in behavior, not appearance, and there are two reliable tells:

  • Try to drag it off the page. A real Google sign-in window is a genuine, separate browser window. You can drag it anywhere on your desktop, including past the edge of the browser that spawned it. A BitB fake is glued to the page. It cannot cross the boundary of the tab it lives in, because it is part of that tab.
  • Read the real address bar, not the painted one. The fake window shows accounts.google.com as an image. The one that matters is your browser's actual address bar at the top of the screen. If that still shows the recruiter's landing domain and not accounts.google.com, the popup is a fake no matter what it says inside.

Once you submit, the attacker has your Google email and password. If your account protects the login with a code, the page simply asks for that too and relays it in real time. Because so much of modern work identity hangs off a Google account (email, Drive, Docs, Analytics, Ads, and every "Sign in with Google" service), one harvested password can open a long chain of downstream accounts.

🛡 LIVE CHECK

Test a suspicious recruiter link right now

Got an interview invite you are not sure about? Paste the landing page or application link here. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

What the fake domains look like

The landing pages sit on domains built to look plausible at a glance, often stitching the impersonated brand together with a careers or HR word. Because our scanner would treat an invented address as unseen, the examples below are defanged and illustrative, not live links. The shape is what matters:

  • Brand-plus-careers on someone else's domain: careers-adobe[.]peopleforce-hr[.]com, netflix-talent[.]apply-hr[.]net
  • Interview and application wording: openai-interview[.]hiring-portal[.]co, coca-cola-careers[.]jobs-apply[.]site
  • The painted popup address: the fake window shows accounts.google[.]com as text, while your browser's real address bar still shows the recruiter domain above

The single most important habit is to ignore the brand name in the domain and read the part right before the first single slash after the protocol. In careers-adobe[.]peopleforce-hr[.]com the real host is peopleforce-hr[.]com, not Adobe. Adobe's genuine careers site is careers.adobe.com, full stop. If you are ever unsure how to read a link, our guide on how to tell if a website is a scam walks through it step by step.

Why marketing professionals are the target

  • They expect brand outreach. Marketers spend their day inside campaign tools, recruiter DMs, and partner emails. A polished note from a big-brand talent team fits the normal flow of their inbox and does not stand out as unusual.
  • Their Google account is a master key. A marketer's Google login frequently unlocks Google Analytics, Google Ads, Search Console, Tag Manager, and Drive folders full of client data. That is far more valuable to an attacker than a single mailbox.
  • Job-change curiosity is a soft spot. Even happily employed people open a message from a dream brand. Recruitment lures exploit ambition rather than fear, which lowers the guard that a scary "account suspended" email would raise.
  • Public profiles hand over the script. Names, job titles, and recent campaigns are all public, so the attacker can reference real details and sound like a recruiter who actually read your work.

If the pitch instead promises a remote role with onboarding fees or equipment deposits, that is a different family of fraud. We cover it in the fake remote-job laptop-deposit scam and in our broader guide to spotting a fake job offer.

The red flags in a recruiter phishing email

  • A login prompt appears after you clicked an email link. Legitimate hiring never needs your Google password. Applicant systems ask you to create an account on their own site or to upload a resume, not to "Continue with Google" to read an interview brief.
  • The "Google window" will not drag off the page. Grab the popup's title bar and pull it toward the edge of your screen. A real one moves freely. A fake one is trapped inside the tab.
  • The real address bar does not say accounts.google.com. Look at the top of your actual browser, not the address text inside the popup. Only accounts.google.com in the true address bar is a genuine Google sign-in.
  • The apply link is not the brand's real careers domain. Adobe uses careers.adobe.com, Netflix uses jobs.netflix.com, Coca-Cola uses careers.coca-colacompany.com, and OpenAI lists roles at openai.com/careers. Anything else claiming to be their hiring portal is suspect.
  • Unsolicited interest with immediate next steps. A real recruiter usually schedules a call before pushing you into a portal. "We are impressed, sign in here to continue" in the first message is a pressure pattern.
  • The recruiter is real but the reply path is not. The name and photo can check out on a professional network while the email routes through an HR or marketing platform you cannot tie back to the company. Verify the person through the company's own site, not the email's links.

How to verify a recruiter email safely

Treat the email as a claim to be checked, never as an instruction to follow. Confirm everything through a path you open yourself.

  1. Do not click the interview link. Not even to peek. The landing page is where the fake Google popup lives.
  2. Go to the company's careers page directly. Type the address yourself, for example careers.adobe.com or jobs.netflix.com, and search for the role and the recruiter's name. If the job does not exist there, the email is a fake.
  3. Never sign in with Google from a page you reached through an email. If a real service needs your Google account, open a new tab, go to google.com or the service directly, and log in from there.
  4. Check the real address bar before typing anything. If it is not accounts.google.com, stop.
  5. Confirm the recruiter through the company, not the email. Find the person on the company's official channels and ask whether the outreach is real. Genuine recruiters are happy to confirm.

If you already entered your Google password

Move quickly. A harvested Google login can be used within minutes to reset other accounts.

  1. Change your Google password now, from a device you trust, by going to accounts.google.com directly. Use a long, unique password you do not reuse anywhere.
  2. Turn on stronger sign-in protection, and review Google's Security Checkup for unfamiliar devices or sessions. Sign out of every session you do not recognize.
  3. Check what your Google account unlocks. Look at connected apps and "Sign in with Google" services, especially work tools like Analytics, Ads, and Drive, and revoke anything unexpected.
  4. Watch for follow-on messages. Attackers often use a fresh mailbox to reach your contacts or to send a second "verify your account" prompt. Treat any such message as hostile.
  5. Report it. File with the FBI Internet Crime Complaint Center at ic3.gov and with the FTC at reportfraud.ftc.gov. If a real recruiter's identity was cloned, a note to that company's security team helps them warn candidates.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

  • Layer 1 - Local detection: 60+ URL patterns and 550+ brand-specific signatures run directly in the extension before the page renders. A landing domain that fuses a brand name with careers, hiring, or apply wording on a host that is not the brand's real domain matches instantly, so the page is flagged before any fake popup can load.
  • Layer 2 - API checks: known malicious recruiter and BitB landing pages are cross-referenced against Google Safe Browsing, PhishTank, URLhaus, and other threat feeds, plus a scam-TLD list. New campaign domains are often reported within hours of launch.
  • Layer 3 - AI deep scan (Premium): content analysis in 100+ languages recognizes a Google sign-in interface, including a Browser-in-the-Browser fake, rendered on any domain other than accounts.google.com, and warns before you can type a password.

Detection signatures come from threat-intelligence research and brand database analysis, not from user browsing data. Per-user URL history is never stored.

Same trick, different bait

The recruitment angle is new packaging on an old technique. Any lure that gets you onto a page and then asks you to "sign in with Google" to continue can carry a BitB popup: a shared document, a prize, a payment confirmation, a video call invite. The defense does not change. A real Google window is a separate window you can drag off the page, and its address bar says accounts.google.com. If either of those is not true, do not type your password.

Install SafeBrowz free

Add the browser extension, or the SafeBrowz Android app, that runs every check in this article automatically, on every page, before it renders. Free forever.

Chrome Add to Chrome Firefox Add to Firefox Edge Add to Edge Google Play Get it on Google Play

Upgrade to Premium for AI deep scan that recognizes fake Google login popups in 100+ languages.

Frequently asked questions

How do I tell a real Google login from a fake popup?

A genuine Google sign-in opens as a separate browser window you can drag anywhere on your screen, including outside the browser window that spawned it, and its real address bar reads accounts.google.com. A Browser-in-the-Browser fake is drawn inside the page: it cannot be dragged off the tab, and the accounts.google.com text it shows is just an image. Always check your browser's actual address bar, not the address painted inside the popup.

Is a recruiter email from Adobe, Netflix, or OpenAI always a scam?

No. Those companies do recruit. The scam is not the brand, it is the login step. A real hiring process never needs your Google password to let you read an interview brief or apply. If a message from any brand routes you to a Continue with Google popup after you click a link, treat it as phishing and verify the role directly on that company's official careers page, such as careers.adobe.com, jobs.netflix.com, or openai.com/careers.

Why did the email pass my spam filter if it is a scam?

Because the operator sends it through legitimate business platforms rather than a suspicious server. This campaign abuses a real HR recruiting service called PeopleForce and a Salesforce Marketing Cloud sending domain, so the mail passes standard authentication checks and inherits the good sending reputation of trusted infrastructure. Passing spam and authentication checks proves only that the sending system is real, not that the message is honest.

What is a Browser-in-the-Browser (BitB) attack?

It is a fake login window built entirely from HTML and CSS inside a web page. The attacker draws a convincing browser popup, complete with a fake title bar, padlock, and address text, so it looks like a real sign-in window from Google or another provider. Because it is part of the page, it cannot be dragged outside the tab, and anything you type into it goes to the attacker instead of the real service.

I entered my Google password on the fake page. What should I do?

Act fast. Go directly to accounts.google.com from a device you trust and change your password to a long, unique one. Run Google's Security Checkup, sign out of any sessions and devices you do not recognize, and review connected apps and Sign in with Google services, revoking anything unexpected. Then report the incident to ic3.gov and reportfraud.ftc.gov. Because a Google login can unlock many other accounts, treat everything tied to it as potentially exposed.

How does SafeBrowz catch a recruiter phishing page it has never seen?

SafeBrowz runs a 3-layer architecture. Layer 1 matches the landing URL against 550+ brand signatures and 60+ URL patterns, so a domain that pairs a brand name with careers or apply wording on a non-brand host is flagged before the page renders. Layer 2 cross-references Google Safe Browsing, PhishTank, and URLhaus. Layer 3, on Premium, uses AI content analysis in 100+ languages to recognize a Google sign-in interface, including a Browser-in-the-Browser fake, served from any domain other than accounts.google.com. Detection comes from threat-intelligence research and our brand database, not from individual user browsing.

Related reading

Bottom line: This campaign works because it stacks trust. It borrows a real recruiter's face, a real brand's name, and real email infrastructure, then asks for the one thing a real hiring process never needs: your Google password, typed into a window that only looks like Google. The defense is simple and does not change with the brand. Never sign in with Google from a page you reached through an email link, drag the popup to test it, read your true address bar for accounts.google.com, and verify any role on the company's real careers page. Add a browser-layer scanner like SafeBrowz so the fake page is flagged before it ever gets the chance to ask.