A new phishing campaign targets job seekers with fake roles at brands like KFC and Red Bull to harvest Facebook credentials.
According to Hackread, researchers have uncovered a widespread credential phishing campaign in which attackers send fake job offers impersonating well-known companies such as Red Bull, KFC, and Ferrari. The scam, reported on October 16, 2025, lures victims with bogus listings for roles like Social Media Manager and tricks them into handing over their Facebook login credentials.
The emails, often sent from seemingly trusted services like Google Workspace or Microsoft 365, direct users to a fake job listing that mimics platforms like Glassdoor. After clicking to apply, the user is shown a fake security challenge followed by a deceptive login prompt requesting Facebook credentials.
Researchers noted that all emails in the campaign used the same format, suggesting the use of templates or a large language model (LLM) to generate convincing phishing content at scale. LLMs, which can produce realistic human-like text, allow attackers to adapt quickly and maintain a steady flow of credible-looking bait.
Victims who click through the links are first shown what appears to be a job ad, then prompted to log in. If their email login attempt fails, they are presented with a fake Facebook login page. Once credentials are entered, a looping loading screen appears. At this point, the data has already been captured.
The emails often feature logos and branding to appear legitimate, with names like “Alexa from Red Bull Talent” in the message. However, email metadata reveals discrepancies, such as mismatched sender and reply-to addresses and misleading URLs (e.g., www.redbull@rebrand.ly).
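The two discrepancies described above can be checked mechanically. The following Python sketch is an added example, not code from Hackread, Sublime Security or Paubox. It flags a Reply-To domain that differs from the From domain, and URLs such as `www.redbull@rebrand.ly`, where the text before `@` is only URL userinfo and the host actually contacted is `rebrand.ly`. The sample message, its addresses and the shortener list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: illustrative shortener list; rebrand.ly is the one named in the article.
SHORTENERS = {"rebrand.ly"}

# Constructed sample message, not a real campaign email.
SAMPLE = """\
From: Alexa from Red Bull Talent <alexa@mailer.example>
Reply-To: recruiting@other.example
Subject: Social Media Manager role

Apply here: https://www.redbull@rebrand.ly/example
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def check_url(url):
    """Flag userinfo that imitates a brand and hosts that are link shorteners."""
    if "://" not in url:
        url = "http://" + url  # let urlsplit see a netloc for scheme-less links
    parts = urlsplit(url)
    findings = []
    if parts.username is not None:
        findings.append(
            f"userinfo '{parts.username}' precedes real host '{parts.hostname}'")
    if parts.hostname in SHORTENERS:
        findings.append(f"link shortener host '{parts.hostname}'")
    return findings

def analyze(raw):
    """Collect header and URL findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(
            f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    for url in re.findall(r"https?://[^\s<>]+", msg.get_payload()):
        findings.extend(check_url(url))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```
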
Bryan Campbell of Sublime Security explained that scammers are exploiting people’s eagerness for employment by offering fake opportunities that feel “too enticing to pass up.” The effectiveness lies in the use of trusted brand names and well-crafted emails that appear professional and urgent.
Sublime also reported a nearly identical phishing attempt just two days earlier, which impersonated Google Careers to steal login credentials. The back-to-back campaigns illustrate how quickly attackers adapt their methods to target different platforms and user bases.
Fake job offer scams show how phishing has shifted toward exploiting human trust rather than relying on malicious links or attachments. Attackers use familiar company names, professional email templates, and AI-generated writing to appear credible while quietly stealing login credentials. The realistic branding and structured job application flow make these scams especially convincing for job seekers eager to respond quickly.
Paubox recommends Inbound Email Security to identify and block phishing emails that imitate legitimate brands or internal contacts. Its generative AI analyzes tone, intent, and relationship context, catching fraudulent messages that look authentic to both users and traditional filters. That capability helps organizations intercept socially engineered threats before they lead to account compromise.
Facebook logins can grant access to personal information, business pages, ad accounts, and linked apps, making them useful for identity theft, ad fraud, or further phishing attacks.
Rebrand.ly is a legitimate link shortening service. Scammers abuse it by masking malicious URLs behind shortened links that appear to come from trusted domains.
Check for inconsistencies in the email domain, avoid clicking on shortened or suspicious links, and verify listings by visiting the company’s official careers page directly.
Immediately change your Facebook password, enable two-factor authentication, and review active sessions under account settings to revoke unauthorized access.
LLMs help attackers generate convincing and varied email content quickly, allowing them to scale operations and tailor messages to different audiences with minimal effort.