JOB SCAM GUIDE

Job Scams: How to Spot a Fake Job Offer (2026)

Every major employment scam in one reference: fake remote jobs, "like and earn" task scams, overpayment and fake-check fraud, advance-fee equipment cons, reshipping and money-mule recruitment, fake recruiters on LinkedIn, Telegram, and WhatsApp, and crypto interview malware. Plus the universal red flags and a 60-second way to verify any employer.

SB

SafeBrowz Team Security ResearchJune 6, 202611 min read

Why job scams exploded in 2026

Employment fraud is now one of the fastest-growing categories of consumer crime. The FTC's Consumer Sentinel data shows job and business-opportunity scams costing victims hundreds of millions of dollars a year, with task scams (the "complete simple tasks, earn commissions" pitch) rising faster than almost any other fraud type the agency tracks. The FBI Internet Crime Complaint Center (IC3) reports steady growth in employment-related complaints, much of it now blended with cryptocurrency. The Identity Theft Resource Center (ITRC) warns that fake job listings have become a primary funnel for identity theft, because an "application" is a socially normal way to hand over a Social Security number, a copy of your passport, and your bank details.

Two forces drive the surge. First, remote work made it normal to be hired by people you never meet in person, which removes the friction scammers used to face. Second, generative AI lets a scammer clone a real company's careers page, write flawless recruiter messages, and run a fake video interview at scale. FlexJobs, which vets remote listings for a living, estimates that a large share of "work from home" offers circulating on social media and messaging apps are fraudulent. The job market did not get safer; the bait just got better.

The universal red flags (memorize these seven)

You do not need to recognize every scam variant. Almost all of them trip at least one of these wires.

1. You never applied. An unsolicited offer landing in your DMs, texts, or email for a job you did not seek is the single strongest signal. Real recruiters source candidates, but they do not "hire" strangers cold.
2. Instant hire, no real interview. A legitimate role involves a screening call, an interview, references, and an offer letter on company letterhead. "You're hired, start tomorrow" after one chat message is a scam pattern.
3. Pay to start. Any request for money up front, for equipment, training, certification, software, or a background check, is fraud. Employers pay you, not the other way around.
4. Too-good salary for too-little work. "$35/hour to review products from home, 2 hours a day" is bait. If the pay is far above market for the effort, it is a hook.
5. Off-platform chat. A recruiter who contacts you on LinkedIn or Indeed and immediately moves you to Telegram, WhatsApp, or personal text is hiding from the platform's fraud detection. Real corporate recruiting stays on corporate email and applicant systems.
6. Sensitive data requested early. Social Security number, bank login, copy of your ID, or a one-time passcode requested before you have signed anything is identity theft, not onboarding.
7. Crypto anywhere in the money flow. Being paid in cryptocurrency, asked to buy crypto as part of the job, or asked to move funds through a crypto wallet is a hard stop.

One yes is enough to walk away. Two or more is a guarantee.

Fake remote-job offers

The classic version impersonates a real company. You get a message from a "talent acquisition" account citing Amazon, a bank, or a well-known startup, with a careers-style link. The page looks right because it was copied pixel for pixel, but it lives on a lookalike domain. The goal is either to harvest your login and identity documents or to run the laptop-deposit con, where you are "shipped" equipment and asked to send a deposit or pay a vendor first.

What it looks like: a polished portal at a domain like amazon-careers-onboarding.top or linkedin-careers-verify.xyz, with an "onboarding" form that wants your bank routing details and a scan of your driver's license on day one. Real Amazon hiring lives on amazon.jobs; the impersonators never do.

The fastest tell: a real job at a real company never requires a deposit, a payment, or your bank password to receive a laptop. We break down the equipment con in detail in the fake remote job laptop-deposit scam guide.

Task and "like and earn" scams

This is the fastest-growing variant the FTC tracks. The pitch arrives by text or messaging app: "complete simple tasks, earn commissions." You are added to a group and given a small payout for "rating products" or "boosting" listings. The early money is real, which is the trap. Soon a task requires you to "top up" your own account with your own money to unlock a bigger commission. That deposit is the scam. Every dollar you add disappears, and the "balance" you see in the app is a number on a screen the scammers control.

What it looks like: a WhatsApp or Telegram invite to an "earnings platform," often a generic app like taskreward-earn-daily.app or a number on Telegram with no company behind it. The tell is the deposit-to-withdraw mechanic: you can never cash out without first putting money in. We cover the messaging-app version in the Telegram task job scam breakdown.

Overpayment and fake-check scams

You are hired, then "accidentally" overpaid. The employer mails you a check (or sends a mobile-deposit image) for more than you are owed, then asks you to refund the difference, often to buy "supplies" from a specific vendor or to send back via Zelle, Cash App, or gift cards. The check is counterfeit. It may clear provisionally for a few days, but when the bank discovers it is fake, the full amount is clawed back from your account. The money you "refunded" is gone, and it was real.

This is also the core of the fake personal-assistant and mystery-shopper jobs. The rule the banks themselves give: a check that has not fully cleared is not your money, and no legitimate employer ever sends you too much and asks you to wire the difference back.

Advance-fee scams: pay for equipment, training, or certification

You are hired, then told you must buy the company laptop, a software license, a "starter kit," or a mandatory certification before you can begin. Sometimes you are reimbursed the first time to build trust, then hit with a larger fee. The payment usually routes through gift cards, a payment app, or crypto, because those are hard to reverse. The FTC is blunt about this: an offer that requires you to pay to get the job is, by definition, a scam. Legitimate employers cover their own onboarding costs.

Reshipping and money-mule recruitment

These are the most dangerous because they make you the criminal. A "logistics" or "quality control from home" job asks you to receive packages and reship them, or to receive payments into your own bank account and forward them. The packages were bought with stolen cards; the payments are proceeds of other people's fraud. You are laundering money and moving stolen goods. The IC3 has prosecuted unwitting money mules; "I didn't know" does not always prevent frozen accounts, lost funds, or charges. If a job's entire function is to move money or parcels through you, it is a mule operation.

Fake recruiters on LinkedIn, Telegram, and WhatsApp

A profile that looks like a real recruiter, sometimes a cloned identity of an actual employee, messages you about a great role. The conversation moves off-platform fast. The profile may be days old, have few connections, or use a headshot that reverse-image-searches to a stock photo or someone else entirely. On LinkedIn specifically, scammers scrape your public profile to personalize the pitch, the same profiling technique we cover in LinkedIn spear-phishing. The pressure to leave LinkedIn for WhatsApp or Telegram is the single most reliable signal that the "recruiter" is not who they claim.

Crypto and web3 fake-interview malware

A growing campaign, documented by Group-IB and other threat researchers, targets developers and crypto-curious applicants. A "recruiter" for a web3 startup invites you to a technical interview. The catch is a coding task that asks you to clone a repository and run it, or a video-call app you must download to join the interview. The repo or the app is malware, often an info-stealer that empties browser-stored crypto wallets and credentials. North Korea-linked groups have run this play to drain wallets through fake job interviews.

What it looks like: a "careers" or "interview" link at a crypto-branded lookalike such as coinbase-careers-hr.xyz, paired with a request to run code on your own machine or install a niche meeting client. Never run a stranger's code on the device that holds your wallet, and never install an "interview app" from a link. A real engineering interview does not require you to execute an unknown binary.

Data-harvesting "applications"

Some fake listings are not after money at all; they are after you. The "application" form asks, very early, for your Social Security number, date of birth, a photo of your government ID, and bank details "for direct deposit setup," before any offer exists. The ITRC flags this as a leading source of identity theft tied to employment. A real employer collects that information only after a formal offer, through a secure HR system, never via a Google Form or a messaging app. The portal at recruiter-verify-portal.app that demands your full identity on step one is harvesting, not hiring. A fee-first onboarding page like remote-job-onboarding-fee.xyz is the same trap with a payment step bolted on.

How to verify a real employer in 60 seconds

1. Go to the official careers domain yourself. Do not click the recruiter's link. Open a fresh tab, type the company name into a search engine, find the company's own site, and look for the exact role on their careers page. If it is not there, it does not exist. Real Amazon roles are on amazon.jobs; other big employers post on their own company.com/careers.
2. Verify the recruiter independently. Look up the recruiter on the company's actual LinkedIn page or call the company's published main number and ask for HR. A real recruiter will have a corporate email that matches the company domain, not a Gmail address.
3. Never pay to work. No deposit, no equipment fee, no training fee, no certification fee, no "tax" or "clearance" payment. This rule alone defeats most job scams.
4. Guard your data until there is a real offer. No Social Security number, bank login, or ID scan before a written offer through a secure HR portal. Direct-deposit setup happens after you are hired, inside the company's payroll system.
5. Scan any link before you trust it. Paste the careers or onboarding URL into the checker above. A lookalike domain is the giveaway that the whole pipeline is fake.

What to do if you already gave information or money

Move fast; the first hours matter most.

1. If you sent money (wire, Zelle, Cash App, gift cards, or crypto), contact your bank or the payment provider immediately and report it as fraud. Ask about recall or chargeback. Gift-card and crypto transfers are hard to reverse, but report them anyway; speed occasionally helps.
2. If you deposited a check and sent part back, tell your bank now. The check will bounce and you will owe the amount, so flag it as fraud before it cascades.
3. If you gave your Social Security number or ID, place a free fraud alert or credit freeze with the three credit bureaus, and start an identity-theft recovery plan at the FTC's identitytheft.gov.
4. If you reshipped packages or moved payments, stop immediately and keep all records. You may be an unwitting mule; preserving evidence and reporting it yourself helps.
5. If you ran code or installed an "interview app," disconnect the device, move any crypto to a new wallet from a clean device, change passwords from a different machine, and run a full malware scan. Assume browser-stored credentials are compromised.
6. Change reused passwords and turn on two-factor authentication, preferring an authenticator app or hardware key over SMS.

How to report a job scam

• FTC: file at reportfraud.ftc.gov. This feeds the Consumer Sentinel network used by law enforcement.
• FBI IC3: report at ic3.gov, especially if money or crypto was lost or if you suspect a money-mule operation.
• Identity theft: if you handed over personal data, start recovery at identitytheft.gov.
• The platform itself: report the fake recruiter or listing on LinkedIn, Indeed, or wherever it appeared, so they can take down the account and warn others.
• The impersonated company: most large employers have a security or "report a scam" page; flag the fake so their legal team can pursue takedowns.

For judging any suspect page beyond a job link, see how to tell if a website is a scam, and to verify a recruiter's email sender, see how to tell if an email is really from a real company.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection engine: Local + APIs + AI. It cannot read your inbox or your DMs; it activates the moment you click a careers or onboarding link and a fake portal tries to load.

• Layer 1 - Local detection: 60+ URL patterns plus a 550+ brand-specific signature database (including Cyrillic and Punycode homograph variants) and a community whitelist/blacklist, all running inside the extension before the page renders. Catches lookalikes like amazon-careers-onboarding.{tld}, linkedin-careers-verify.{tld}, and coinbase-careers-hr.{tld} instantly.
• Layer 2 - API checks: aggregates threat-intelligence feeds (Google Safe Browsing, PhishTank, URLhaus) plus 30+ scam-TLD heuristics to flag domains already known to be malicious.
• Layer 3 - AI deep scan (Premium): content analysis in 100+ languages reads a fake careers or task-earning page and flags brand impersonation, credential harvesting, and fee-first onboarding in seconds, even on a domain registered minutes ago that is on no blocklist yet.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

Frequently asked questions

How do I know if a job offer is a scam?

Check it against the universal red flags: you never applied, you were "hired" with no real interview, you are asked to pay for equipment or training, you are told to deposit a check and refund part of it, you are asked for your Social Security number or bank login before any offer, the pay is far above market, or the recruiter pushes you off LinkedIn into Telegram or WhatsApp. One of these is enough to walk away. To confirm, ignore the link you were sent and find the role on the company's official careers page yourself.

Should a real employer ever ask me to pay for equipment or training?

No. This is the clearest line in the FTC's guidance. Legitimate employers cover their own onboarding costs and pay you, not the other way around. Any request for an up-front payment, for a laptop, software, certification, or a background check, especially through gift cards, a payment app, or crypto, is a scam. There is no legitimate exception.

I deposited a check from an "employer" and sent some back. What now?

Contact your bank immediately and report it as fraud. Fake checks may clear provisionally for a few days, but when the bank finds the check is counterfeit it claws back the full amount from your account, and the money you "refunded" was real and is gone. Reporting it now limits the damage and protects you from being blamed for the bounced check.

A recruiter messaged me on LinkedIn and wants to continue on Telegram. Is that normal?

It is a major warning sign. Real corporate recruiting stays on corporate email and the company's applicant system. Moving you to Telegram, WhatsApp, or personal text is how scammers escape platform fraud detection. Verify the recruiter independently on the company's official page, confirm they use a corporate email, and never share personal data or money through a side channel.

Why would a fake interview ask me to download an app or run code?

Because the app or code is malware. A campaign documented by Group-IB and other researchers targets developers and crypto applicants with fake interviews that require running a repository or installing a niche meeting client. The payload steals browser-stored credentials and drains crypto wallets. Never run a stranger's code or install an "interview app" on a device that holds your wallet or passwords.

How does SafeBrowz catch fake job and recruiter links?

SafeBrowz does not read your messages; it activates when you click a link. A 3-layer engine (Local URL patterns plus threat-intel APIs plus AI content analysis) checks the destination before a fake careers or onboarding page can load. The 550+ brand database flags lookalikes of major employers, and the AI layer catches novel fee-first or credential-harvesting pages in over 100 languages. Free on Chrome, Firefox, and Edge.