Executive Summary

Reports from December 24, 2025, highlight a growing and coordinated threat targeting job seekers in the Middle East and North Africa (MENA) region. Scammers are creating and disseminating fake online job advertisements on a large scale to perpetrate fraud. These campaigns are designed to lure victims with attractive but fictitious employment opportunities. Once engaged, victims are manipulated into providing sensitive personal data, which can be used for identity theft, or are convinced to pay upfront fees for services that are never rendered. This form of fraud capitalizes on individuals' search for employment and is part of a broader global trend of increasingly sophisticated social engineering attacks.

Threat Overview

The scam operates on a simple but effective premise: exploiting the hope and urgency of job seekers. The campaigns are reportedly coordinated, suggesting organized criminal groups are behind them.

The typical attack flow is as follows:

1. Bait: Fraudulent job ads are posted on legitimate job portals, social media platforms, and professional networking sites. These ads often impersonate well-known, reputable companies.
2. Hook: Job seekers apply for the positions. The scammers, posing as recruiters, respond and begin an engagement process that appears legitimate.
3. Reel: The scammers request the victim to either:
   • Pay a fee for application processing, background checks, training materials, or equipment.
   • Provide extensive personal information, including copies of passports, national ID cards, and bank account details, under the guise of HR onboarding.
4. Disappear: Once the payment is made or the data is collected, the scammers cease all communication, leaving the victim with a financial loss and compromised personal information.

Technical Analysis

This is a classic social engineering and phishing campaign that does not rely on sophisticated malware but on human manipulation. The primary TTPs are:

• T1566 - Phishing: While typically associated with email, the principle applies here, where fraudulent ads and communications are used to elicit a response and action from the victim.
• T1598.003 - Phish for Information: Spearphishing via Service: The attackers leverage online services (job portals, social media) to conduct their phishing campaign and collect information.

This activity is notable for its coordination and regional focus, suggesting a campaign tailored to the economic and social context of the MENA region.

Impact Assessment

The primary victims are individuals seeking employment. The impact includes:

• Financial Loss: Victims lose money through fraudulent fees.
• Identity Theft: The theft of sensitive PII can lead to more severe long-term consequences, including fraudulent accounts being opened in the victim's name.
• Erosion of Trust: These scams damage trust in online recruitment platforms and can make it harder for legitimate companies to hire.

Detection & Response

For job seekers, awareness and skepticism are the best defenses. Red flags of a job scam include:

• Any request for payment from the applicant. Legitimate employers do not charge for applications or interviews.
• Vague or poorly written job descriptions with generic requirements.
• Communication from personal email addresses (e.g., recruiter@gmail.com) rather than a corporate domain.
• High-pressure tactics urging a quick decision or payment.
• Offers that seem too good to be true (e.g., very high salary for a low-skill job).

If a scam is suspected, individuals should cease communication, report the posting to the job platform, and report the incident to local law enforcement.

Mitigation

Mitigation focuses almost entirely on user education and platform moderation.

• M1017 - User Training: Public awareness campaigns are needed to educate job seekers in the MENA region about these specific scams. Key advice includes independently verifying company and job opening legitimacy on the company's official website before applying or providing any information.
• Platform Responsibility: Online job portals and social media sites have a responsibility to improve their moderation and vetting processes to detect and remove fraudulent postings more quickly.