Tech Made Simple

Hot Topics: All Roku Players Compared | Best iPad Keyboard Cases | The Best Open Ear Earbuds of 2026

We may earn commissions when you buy from links on our site. Why you can trust us.

author photo

Fake recruiters from Adidas, Netflix, Adobe are stealing passwords

by Suzanne Kantra on July 07, 2026

A concept image shows a woman checking her phone for new email.

Suzanne Kantra/Techlicious generated by ChatGPT

Security researchers just uncovered a phishing operation that has run for five months, dangling fake job offers at well-known brands to steal people's Google passwords. If you're job hunting, or even just the kind of person who keeps half an eye on LinkedIn, this is one to be on guard against.

BleepingComputer broke the story yesterday, based on research by threat intelligence firm Team Cymru. The scale here is broader than most phishing campaigns that cross my desk. Attackers are impersonating recruiters at more than 30 real companies, including Adidas, Netflix, Adobe, Coca-Cola, OpenAI, Marriott, FIFA, and McKinsey, all to target marketing professionals with fake job offers.

In one documented case, the phishing email arrived under the name of a real Adidas recruiter, complete with her actual photo, lifted from LinkedIn. The email asks you to schedule a call about a marketing role. Click the link, and you land on a domain built to look official, something like adidas-hiring[.]com, where you're asked to sign in with your Google account before you can book the meeting.

The "Sign in with Google" pop-up that appears isn't a real browser pop-up. It's HTML and CSS built directly into the phishing page, designed to look exactly like the separate authentication window Google normally shows you. Security researchers call this a browser-in-the-browser attack, or BitB. There's no second window and no real address bar, just a convincing illustration of one, sitting on top of the fake job page.

The usual advice, verify the URL in the address bar before you enter your information, gets thrown for a loop here. The fake popup is drawn to include what looks like one, showing "accounts.google.com" even though the real address bar behind it still says adidas-hiring[.]com or whatever domain the attacker is using that week.

Since checking the address bar won't help, try a different test: drag the pop-up. A genuine browser window will move independently if you click and drag its title bar outside the edge of the browser. A fake one, because it's just an image rendered inside the page, stays locked in place or gets cut off at the browser's edge. It's a physical test that works even when you're too rushed or too excited about a job lead to scrutinize a URL.

The redirect chain that leads you to the fake login page also explains how the campaign went unnoticed for so long. It bounces through PeopleForce, a legitimate cloud-based HR platform, then through a domain tied to Salesforce's Marketing Cloud service, then through Wise Agent, a real estate CRM tool. None of those services did anything wrong. Attackers are simply routing traffic through trusted platforms so that nothing in the chain looks suspicious to email filters or a wary recipient glancing at a link.

The same instincts that have always applied to recruiter outreach still hold here. A real recruiter from Adidas or Netflix isn't going to interview you cold over email with no prior contact, and they're certainly not going to require you to sign into your Google account just to schedule a phone call.

If you use a password manager, this campaign is a good reminder of why that policy pays off. Password managers only autofill credentials on the real saved URL for the site. On a lookalike domain like adidas-hiring[.]com, your password manager won't offer to fill anything in, which is an immediate warning that something is wrong.

If you've received one of these emails and already entered credentials on one of these pages, change your Google password immediately on your Google Account security page and set up two-factor authentication (2FA) if you haven't done so already. An account protected by 2FA keeps attackers out even if your password is stolen. Then, in the “Your devices” section, check the list of connected devices for anything unfamiliar. Click any unfamiliar device to see when and where it last connected, then click “Sign out on device.” If you’re at all unsure, sign out of the device. If you own it, you can always sign in again.

Read nextThe best password managers to protect your accounts


Topics

News, Computers and Software, Computer Safety & Support, Blog


Discussion loading

Home | About | Meet the Team | Contact Us
Media Kit | Newsletter Sponsorships | Licensing & Permissions
Accessibility Statement
Terms of Use | Privacy & Cookie Policy

Techlicious participates in affiliate programs, including the Amazon Services LLC Associates Program, which provide a small commission from some, but not all, of the "click-thru to buy" links contained in our articles. These click-thru links are determined after the article has been written, based on price and product availability — the commissions do not impact our choice of recommended product, nor the price you pay. When you use these links, you help support our ongoing editorial mission to provide you with the best product recommendations.

© Techlicious LLC.