TechTarget and Informa Tech’s Digital Business Combine. TechTarget and Informa TechTarget and Informa Tech’s Digital Business Combine. Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities. Dark Reading Resource Library Black Hat News Omdia Cybersecurity Advertise Newsletter Sign-Up Newsletter Sign-Up Cybersecurity Topics Related Topics Application Security Cybersecurity Careers Cloud Security Cyber Risk Cyberattacks & Data Breaches Cybersecurity Analytics Cybersecurity Operations Data Privacy Endpoint Security ICS/OT Security Identity & Access Mgmt Security Insider Threats IoT Mobile Security Perimeter Physical Security Remote Workforce Threat Intelligence Vulnerabilities & Threats Recent in Cybersecurity Topics Application Security Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit by Jai Vijayan Mar 24, 2026 5 Min Read Application Security How AI Coding Tools Crushed the Endpoint Security Fortress How AI Coding Tools Crushed the Endpoint Security Fortress by Rob Wright Mar 24, 2026 5 Min Read World Related Topics DR Global Middle East & Africa Asia Pacific Latin America Recent in World See All Application Security Real-Time Banking Trojan Strikes Brazil's Pix Users Real-Time Banking Trojan Strikes Brazil's Pix Users by Alexander Culafi Mar 13, 2026 4 Min Read Threat Intelligence Iran's Cyber-Kinetic War Doctrine Takes Shape Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi Mar 6, 2026 4 Min Read The Edge DR Technology Events Related Topics Upcoming Events Podcasts Webinars SEE ALL Resources Related Topics Resource Library Newsletters Podcasts Reports Videos Webinars White Papers Partner Perspectives Dark Reading Resource Library Cyberattacks & Data Breaches Endpoint Security Remote Workforce Threat Intelligence News Phishers Pose as Palo Alto Networks' Recruiters for Months in Job Scam A series of campaigns that began in August aim to defraud job candidates, using psychological tactics and data scraped from LinkedIn profiles. Elizabeth Montalbano , Contributing Writer March 25, 2026 4 Min Read Source: Panther Media GmbH via Alamy Stock Photo Attackers have been impersonating recruiters from Palo Alto Networks since last August in a series of phishing campaigns targeting senior-level professionals for financial gain. Palo Alto Networks' Unit 42 researchers have been tracking the sophisticated social engineering campaigns, which use scraped LinkedIn data to create "highly personalized" lures, for the past seven months, according to a threat report published this week. "The specific attack vector uses social engineering to manufacture a bureaucratic barrier regarding the candidate's curriculum vitae (CV) and push the candidate toward taking actions such as reformatting their resumes for a fee," Unit 42 senior manager Justin Moore wrote in the post. Unit 42 has fielded "multiple reports" of the attacks, which use flattering language, highly specific details from the victims' LinkedIn profiles, and legitimate company image logos in the email signature block. Related: Attackers Hide Infostealer in Copyright Infringement Notices The end result of a successful attack is that victims are asked to pay a fee in the range of $400 to $800 to freeing their résumé from a bureaucratic hold-up and continue with what they think is a legitimate recruitment process. In this way, they are not only duped into thinking they are in line for a position at Palo Alto Networks, they also are defrauded. Recruiting Scheme Attack Chain Attackers initiate the scam by posing as Palo Alto Networks' representatives in emails sent to senior job candidates that appear legitimate. This establishes a rapport and builds trust with potential victims. During this phase, the threat actors use the psychological tactic of flattery in the form of telling the candidates that they were "truly impressed" with their employment history and experience. They also point out milestones in the person's career using data scraped from LinkedIn to appear as if they have been specifically following the victim's trajectory as they consider them for a particular position. Once attackers achieve engagement, they then manufacture a crisis in the form of a stumbling block to the recruitment process. They do this by falsely claiming that a candidate's résumé failed to meet the applicant tracking system (ATS) requirements. An ATS, according to Moore, is an online tool that analyzes résumés for proper formatting, structure, and keyword optimization to make sure the résumés will pass automated checks before being approved for human recruiters. "This psychological tactic increases the urgency and willingness of the victim to comply with the attacker's offer of 'executive ATS alignment,'" Moore noted. Related: C2 Implant 'SnappyClient' Targets Crypto Wallets At this point, the "recruiter" hands off the "candidate" to an expert who offers various price points to provide this alignment and get the recruitment process back on track. The fake offers have three pricing schemes: executive ATS alignment for $400; leadership positioning package for $600; and end-to-end executive rewrite for $800. "In reported incidents, the 'recruiter' then implies that the 'review panel' has already begun, and that the candidate needs to update their CV within a set timeframe," Moore wrote. "The 'expert' then communicates that they can deliver the CV within only a matter of hours, which is within the ostensible review window." Adding this manufactured sense of urgency could push a "candidate" into paying for one of the fake offers and thus being defrauded. Unit 42 did not share if anyone who reported the scam made payments to the attackers. Phishing Vigilance Required Recruitment scams like these are not uncommon, yet still they can cause not only financial damage to victims but also reputational damage to the organizations impersonated, Moore noted. Indeed, cybercriminals have dangled what look like legitimate employment offers in phishing scams to increase the likelihood that someone will take the bait. North Korean threat actors such as Lazarus in particular are notorious for various malicious job recruitment campaigns such as "Dream Jobs" and others to gather intelligence and commit other malicious activity. Related: Nation-State Actor Embraces AI Malware Assembly Line Unfortunately, these scams harm the legitimate recruitment process of organizations by weaponizing "the complexity of modern hiring by manufacturing artificial bureaucratic barriers and high-pressure review windows to solicit fees," Moore wrote. He assured prospective candidates that Palo Alto Networks would never ask them to pay for résumé optimization services, and remains "committed to a transparent and ethical hiring process." Any professional who receives employment outreach that creates a sense of financial urgency or directs them to a third-party "expert" for a paid service should view it as "a fraudulent attempt to exploit your professional ambitions," Moore advised. If anyone finds themselves targeted by this scam, they should immediately cease communicating with the individual and report the incident to Palo Alto Networks by emailing infosec(at)paloaltonetworks(dot)com. They also should flag the incident on LinkedIn and secure all professional, social media, and email accounts with new passwords and multifactor authentication (MFA) to ensure they have not been compromised, he said. About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking. See more from Elizabeth Montalbano Want more Dark Reading stories in your Google search results? Add Us Now More Insights Industry Reports Frost Radar™: Non-human Identity Solutions 2026 CISO AI Risk Report Cybersecurity Forecast 2026 The ROI of AI in Security ThreatLabz 2025 Ransomware Report Access More Research Webinars Building a Robust SOC in a Post-AI World Retail Security: Protecting Customer Data and Payment Systems Rethinking SSE: When Unified SASE Delivers the Flexibility Enterprises Need Securing Remote and Hybrid Work Forecast: Beyond the VPN AI-Powered Threat Detection: Beyond Traditional Security Models More Webinars Editor's Choice Cybersecurity Operations Why Stryker's Outage Is a Disaster Recovery Wake-Up Call Why Stryker's Outage Is a Disaster Recovery Wake-Up Call by Jai Vijayan Mar 12, 2026 5 Min Read Want more Dark Reading stories in your Google search results? 2026 Security Trends & Outlooks Threat Intelligence Cybersecurity Predictions for 2026: Navigating the Future of Digital Threats Jan 2, 2026 Cyber Risk Navigating Privacy and Cybersecurity Laws in 2026 Will Prove Difficult Jan 12, 2026 | 7 Min Read Endpoint Security CISOs Face a Tighter Insurance Market in 2026 Jan 5, 2026 | 7 Min Read Threat Intelligence 2026: The Year Agentic AI Becomes the Attack-Surface Poster Child Jan 30, 2026 | 8 Min Read Download the Collection Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. Subscribe Webinars Building a Robust SOC in a Post-AI World Thurs, March 19, 2026 at 1pm EST Retail Security: Protecting Customer Data and Pa