Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

Jul 09, 2026 · 8 min read

Fake Job Interviews Are Stealing Your Google Login

A five month phishing campaign has spoofed recruiters at more than 30 brands, including Coca-Cola, Netflix, OpenAI, and FIFA, using a browser in the browser fake Google login to steal credentials from marketing professionals.

You get an email from a Netflix recruiter with a real name, a real headshot, and a job description that fits your resume almost too well. You click through to schedule an interview. Somewhere between that click and the calendar invite, you type your Google password into a window that looks exactly like accounts.google.com, except it isn't a browser window at all. It's a picture of one, drawn on the page you're already standing on.

That's the scam Team Cymru researcher Will Thomas has been tracking for at least five months, and it has already impersonated recruiters at more than 30 real companies, from Coca-Cola to OpenAI. (Source: BleepingComputer)

Key Takeaways

  • A phishing campaign active for at least five months as of July 2026 has used at least 34 lookalike domains impersonating recruiters at Coca-Cola, Netflix, Adobe, OpenAI, McKinsey, FIFA, Adidas, Marriott, and dozens of other brands. (Source: BleepingComputer)
  • The emails route victims through the legitimate HR platform PeopleForce, then through Salesforce Marketing Cloud's exct[.]net domain and the real estate CRM Wise Agent, before landing on an attacker-owned site like adidas-hiring[.]com. (Source: Dark Reading)
  • The final page renders a fake "Sign in with Google" popup entirely out of HTML and CSS, a technique called browser in the browser, so the address bar, padlock, and window frame you see are all fake. (Source: Kaspersky)
  • Marketing professionals are the primary target, and the attackers use the real names and photos of actual recruiters at the impersonated companies to make the outreach feel legitimate. (Source: Malwarebytes)
Laptop showing a floating login popup window that looks subtly spoofed, representing a browser in the browser fake Google login attack

What Is This Job Interview Phishing Scam?

It's a credential theft operation built entirely around one emotion: hope. A marketing professional gets an email that appears to come from a recruiter at a company they'd love to work for, complete with a real job title and a link to what looks like a scheduling page. Researchers have tied the campaign to at least 34 lookalike domains spanning travel (American Airlines, Delta, Booking.com), food and beverage (Coca-Cola, PepsiCo, Red Bull), apparel (Adidas, Louis Vuitton, Sephora), consulting and tech (Adobe, McKinsey, OpenAI), and entertainment (Netflix, FIFA). (Source: BleepingComputer)

None of these companies are compromised. Their names and logos are simply borrowed, the same way a counterfeit handbag borrows a fashion house's stitching pattern without ever touching the real factory.

How Does the Attack Chain Actually Work?

The redirect path is the cleverest part of the operation, and it explains why so many of these emails sail past spam filters. Instead of linking straight to a phishing page, the email points to PeopleForce, a real cloud HR platform used by actual companies to manage hiring. From there, the click bounces through exct[.]net, a domain tied to Salesforce Marketing Cloud's ExactTarget service, then through wiseagent[.]com, a legitimate real estate CRM with no obvious connection to hiring at all. Only after that third hop does the victim land on the actual attacker-controlled page, something like adidas-hiring[.]com. (Source: Dark Reading)

Each intermediate stop is a legitimate, high reputation domain, so email filters that check a link's destination see PeopleForce or Salesforce first, not the phishing site three hops later. It's the digital equivalent of laundering money through several banks before it reaches the account that actually spends it.

Why Is the Fake Google Login Popup So Convincing?

Because it isn't pretending to be a website. It's pretending to be your browser. When the victim reaches the final landing page and clicks "Continue with Google," the site doesn't redirect to accounts.google.com. Instead, it draws a fake popup window directly inside the page using ordinary HTML and CSS, complete with a URL bar that reads "accounts.google.com," a padlock icon, and window controls that look identical to a real operating system window. Security researchers call this a browser in the browser, or BitB, attack. (Source: Kaspersky)

The real address bar, the one belonging to your actual browser, still shows adidas-hiring[.]com or whatever domain the attacker registered that week. But most people don't check the real bar once a familiar looking Google box appears in front of them, they check the fake one, which was built specifically to pass that glance test.

To close the loop, the attackers add one more layer of social proof: the phishing emails carry the actual names and headshots of real recruiters employed at the companies being spoofed, pulled from public sources like LinkedIn. (Source: Malwarebytes)

Why Are Marketing Professionals the Target?

This isn't a random spray. Team Cymru's Will Thomas identified marketing professionals specifically as the primary targets, and the reasoning tracks with how that job function behaves online. Marketers are trained to click through funnels for a living, landing pages, gated content, calendar links, all day. (Source: BleepingComputer)

Many are also actively job hunting, which means an unsolicited recruiter email doesn't read as suspicious the way it might to someone who isn't looking. A marketing role at Coca-Cola or Netflix is aspirational enough that the pull of the opportunity can override the caution someone would normally apply to an unexpected login prompt. A phishing kit that works on hope is, in a strange way, more reliable than one that relies on fear.

Why Email Users Should Care

The end goal of this operation is a Google account password, and a Google account is rarely just a Google account. For most professionals, it's Gmail, Drive, Calendar, saved payment methods, and often the recovery email tied to half a dozen other logins. Once an attacker has it, they can read years of email history, reset passwords on connected services, and impersonate the victim to coworkers or clients, all without ever touching a "compromised company" headline.

Gblock is built to strip tracking pixels and click tracking redirect layers out of the emails you open in Gmail, which cuts down on some of the link redirection tricks marketers and attackers both rely on. Gblock does not detect or block phishing pages, and it won't stop a browser in the browser popup once you've already reached a malicious site. It's one layer in a defense that still needs your own judgment and the steps below.

How Can You Tell a Real Popup From a Fake One?

The single most reliable check takes about three seconds: try to drag the login popup outside the edges of your browser window. A real browser popup is a genuine operating system window, and you can drag it anywhere on your screen, even past your browser entirely. A browser in the browser fake is just a <div> sitting inside the webpage, it's physically anchored to that page and cannot cross the boundary of the browser window, no matter how you drag it.

A second test: minimize your actual browser window. If the "Google login" disappears along with it, it was never a separate window, it was part of the page you minimized. And a third: right-click on the popup. Real browser chrome doesn't respond to your page's right-click menu; a fake one, being part of the page, often will.

What Should You Do to Protect Yourself?

A few habits close most of the gap this campaign is designed to exploit:

  • Hover over any link before clicking, and read the actual destination domain, not just the button text, this matters even more here since the first hop often looks legitimate.
  • Verify that the sender's email domain matches the real company's domain exactly. A message from a "Netflix recruiter" sent from a Gmail address or a domain like netflix-careers-hr[.]com is not from Netflix.
  • Use a password manager and let it do the checking for you. Password managers only autofill credentials on the exact saved domain, so on a lookalike site like adidas-hiring[.]com, nothing will fill in, that silence is your warning. (Source: BleepingComputer)
  • Turn on two step verification for your Google account, and use a physical security key rather than SMS codes. A hardware key performs origin verification at the protocol level, so it simply won't authenticate on a phishing domain, even one wearing a convincing fake popup. (Source: Kaspersky)
  • If an interview invitation seems real, verify it independently through the company's official careers page or a known recruiter contact instead of the link in the email.

The Bigger Picture

FIFA showed up on this campaign's brand list for a reason: the same kind of large scale impersonation has already been running ahead of the 2026 World Cup, with thousands of fake domains built to sit in inboxes waiting for a click. Nested redirects through legitimate SaaS platforms and browser in the browser popups are becoming standard kit for credential phishing generally, which means the drag test habit is worth building now, before the next campaign borrows a different set of logos.

The people running this operation didn't need to breach Coca-Cola, Netflix, or McKinsey to use their names. They only needed those names to be recognizable enough that a tired job seeker would stop reading closely. That's a cheaper attack than any data breach, and it's why the burden of catching it currently sits with the person reading the email.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.