Layoffs Provide the Perfect Opportunity to Strike
I know phishing isnāt as exciting as niche malware, a supply chain attack, or ground breaking data breaches, but this is commonly a precursor to all of these in some way, shape, or form. In 2026 the tech industry has seen more than 114,000 tech employees laid off across 150 organisations according to layoffs.fyi and weāre not even half way through the year yet. Itās no surprise then that threat actors have begun playing on this theme to target unsuspecting tech employees in highly tailored phishing attempts, myself included. The fact is that with the rise of AI these are being created faster, on a broader scale, and more tailored to an individual than ever before.
Threat Actors Posing as Recruiters
I previously spoke about a phishing email I had received from someone posing as a tech recruiter, and the risks associated with making your LinkedIn account publicly visible (e.g. when someone doesnāt need an account to view it). Iāve included this phishing email below to give you a sense of how it is formed and how they are posing as a legitimate recruiter. This was received on the 22nd of April 2026.
Note: The recruiter is in no way compromised, but rather this specific campaign uses LinkedIn to find recruiters, and then impersonate them in newly created Gmail accounts.
Itās worth noting that this also had legitimate company branding and a tracking pixel in the email footer to help determine when the email was opened. When received the image was also a picture of the legitimate recruiter. Palo Alto Networks on the 24th of March 2026, 1 month before I received the phishing email, wrote about phishing campaigns impersonating their recruiters which shines some more light on what these phishing attempts are trying to achieve.
Now I donāt make my LinkedIn publicly visible (you need an account to see my profile), nor do my previous or current job roles talk much about what I actually do, and as a result it seems like this attempt is fairly generic in nature citing progression, hands on expertise, and problem solving qualities all of which could be targeted at pretty much anyone in any job over time.
After speaking about this publicly multiple people on LinkedIn began sharing their stories, and one of my connections Minh Tran actually shared a phishing attempt they had received a month prior which is likely to have been from the same threat actor. The content of this email differs significantly, the threat actor was not posing as a Palo Alto Networks recruiter, and it appears that the threat actor was able to scrape their LinkedIn for more information and create a more realistic lure. I thank Minh for allowing me to share these here publicly to help inform others.
Note: In this case we will blur the innocent recruiter being impersonated as Minh hadnāt received a response when contacting them to inform them of the campaign.
Besides noticing this is far more detailed and targeted at Minh, you will also notice it explicitly uses an Em dash. Although one could argue this was intentional, the use of such a dash in an email from a recruiter is more or less unheard of, no recruiters Iāve ever spoken to would include such a thing; however, use of this is still common when Artificial Intelligence/Large Language Models are involved. The threat actor has also created an account on a web service called blinq which is used to create digital business cards and capture leads, and in these emails tracking pixels were also embedded for blinq to determine when an email was opened, so besides using this to create a fake digital business card of the recruiter, they may also be using this in capturing leads and interactions of potential victims.
Supporting Open Source Intelligence with ChatGPT
Whilst being aware of the attempted phish, Minh began replying to the threat actor to see what they would attempt to do. The subsequent emails also used Em dashes, but besides this take a look at just how professional these sound compared to phishing emails you may have received in the past.
Youāll see that this attacker also asked for a resume, the same scam as was reported by Palo Alto Networks. This not only then allows them to gather more information about you, but also try and scam you out of money claiming they can fix your CV for a cost.
Now go back and see besides Em dashes what other unusual aspects there are to the emails, besides it changing from signing off with Kind regards, to signing off with Warm regards, and it going from talking about an opportunity to talking about 2 possible opportunities, itās likely miles ahead of phishing emails you may have seen in the past, but what about those links?
If we read the emails in plaintext, besides getting more context of the links and where they are going, we can also see the tracking pixels embedded for blinq.
What stands out in the above is that the links shown have a UTM source for tracking where they originated from, and this identifies itself as ChatGPT, much like ChatGPT would if someone asked it what job postings are available for Goldman Sachs.
You may have noticed that one of the roles mentioned didnāt have a UTM source of ChatGPT and the threat actor was steering away Minh from this role. This role in itself appears to not have been checked over because the link goes to a completely different role for that of a VP of Legal in Artificial Intelligence Attorneys rather than the one mentioned in the email.
Locking Down LinkedIn
All of this isnāt to say steer away from LinkedIn or go underground, but rather be aware of how easy it is to scrape and aggregate information in bulk now through the use of AI, and how easily this can be used to make phishing attempts appear far more legitimate.
By performing some simple steps in your LinkedIn security and privacy settings you can add more friction to an attacker. For example look at the following attempt to scrape my LinkedIn with AI.
Compare this instead by using the same prompt, except on a public profile. It only takes a few key terms and context from someoneās LinkedIn profile to make creating these types of phishing emails in bulk extremely easy, and this is from a single prompt given, not one that has been refined by an attacker.
Stay safe out there, and thanks again for sharing this with me and the community Minh.
