As global layoffs surge and job seekers flood the market, cybercriminals are exploiting uncertainty with increasingly sophisticated phishing campaigns. Recent investigations reveal alarming scams impersonating trusted brands like Coca-Cola and Ferrari, targeting individuals actively searching for employment.
What makes these campaigns particularly dangerous is not just their realism, but the technical sophistication behind them. These are no longer basic credential-harvesting pages—they are dynamic, real-time phishing systems capable of bypassing multi-factor authentication (MFA) and fully compromising user accounts.

A Perfect Storm: Why Job Seekers Are Being Targeted
The surge in phishing activity is closely tied to economic conditions. In 2025 alone, over 1.17 million workers were laid off, pushing unemployment to a four-year high. According to the Federal Trade Commission, job scam losses skyrocketed from $90 million in 2020 to over $501 million in 2024.
Experts like Heather Long have warned that the job market remains highly competitive, creating an ideal environment for scams. Organizations such as the Better Business Bureau have also noted a sharp resurgence in employment-related fraud.
In short, job seekers are primed targets: they expect outreach from unknown recruiters, frequently fill out forms, and are motivated by opportunity—making them more likely to overlook subtle warning signs.
Scam 1: Fake Coca-Cola Interview and Google Account Takeover
The first campaign begins with what appears to be a legitimate scheduling link, mimicking tools like Calendly. Victims are invited to book an interview with a recruiter and provide basic information—nothing unusual in a job application process.
However, the attack escalates when users are prompted to “Continue with Google.” Instead of a real authentication window, the page renders a fake browser interface designed to look like a legitimate Google login popup.
This is where the attack becomes highly sophisticated.
Unlike traditional phishing pages that simply collect credentials, this kit operates in real time. Once a user enters their email and password, the data is transmitted to an attacker-controlled backend. The system then continuously communicates with the server, dynamically presenting MFA challenges such as:
- Authenticator app codes
- SMS verification codes
- Email-based OTPs
- Google push notifications
The victim unknowingly completes each step, believing they are interacting with a legitimate login flow. Meanwhile, the attacker uses the provided credentials and codes to access the real account simultaneously.
The result is a full account takeover—even with MFA enabled.
Interestingly, the phishing kit explicitly blocks @gmail.com addresses, targeting corporate Google Workspace accounts. These accounts are far more valuable, providing access to internal communications, shared documents, and potential lateral attack opportunities within organizations.
Scam 2: Ferrari Career Portal and Facebook Credential Theft
The second campaign impersonates a corporate careers page from Ferrari. The site is visually convincing, complete with branding, navigation menus, and professional content.
The trap lies in a pop-up overlay claiming the user has been “invited” to apply for a role. To proceed, users are asked to log in via Facebook or enter their email with a passcode.
This tactic leverages familiarity with OAuth-based logins, which are commonly used in legitimate job portals. Once the user clicks “Continue with Facebook,” they are redirected to a fake login page designed to steal credentials.
While less technically complex than the Coca-Cola campaign, this attack is highly effective due to its broad appeal. A compromised Facebook account can expose:
- Personal conversations
- Linked applications
- Identity data for further scams
- Access to the victim’s social network for propagation
Key Tactics Used Across Both Campaigns
Both phishing campaigns share several core strategies that make them particularly dangerous:
They rely on strong brand impersonation, using recognizable names to build trust instantly. They also exploit user expectations—job seekers anticipate form submissions, login requests, and recruiter outreach.
Another critical factor is visual deception. The fake browser window technique used in the Coca-Cola scam is especially effective, as it mimics real system behavior rather than just copying a login page.
Finally, real-time interaction with attacker-controlled servers marks a significant evolution in phishing kits. This allows attackers to adapt dynamically, respond to authentication flows, and increase success rates dramatically.
How to Protect Yourself
The best defense against these attacks is awareness combined with cautious behavior.
Always question unsolicited job offers, especially if you never applied for the role. Legitimate recruiters rarely send scheduling links without prior interaction.
Be skeptical of login prompts embedded within unfamiliar pages. No legitimate scheduling service requires your email password to book a meeting.
Pay attention to browser behavior. Fake pop-ups are often confined within the webpage and cannot function like real windows. If something feels off, it probably is.
Most importantly, avoid logging into accounts through links sent via email. Instead, navigate directly to official websites and access services from there.
If credentials have already been entered, immediate action is critical. Change passwords, revoke active sessions, and enable additional security measures.
Indicators of Compromise (IOCs)
- Domain: hrguxhellito281[.]onrender[.]com (attacker backend)
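An added example (not part of the original article) showing how the indicator above can be matched against web-proxy logs to find clients that reached the backend. The log layout, sample lines, client addresses and the repeat threshold are assumptions constructed for illustration; matching is host-exact because onrender.com is a shared hosting domain and unrelated apps live under it.

```python
import re
from collections import Counter

# Indicator exactly as published above (defanged).
DEFANGED_IOCS = ["hrguxhellito281[.]onrender[.]com"]

def refang(indicator):
    """Convert a defanged hostname into its matchable form."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Assumed proxy log layout (constructed): "<time> <client> <METHOD> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+https?://([^/\s:]+)")

def matches_ioc(host):
    """Match the IOC host or its subdomains, never the shared parent domain."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in IOC_HOSTS)

def triage(lines, repeat_threshold=3):
    """Map each client to a priority based on how often it reached the IOC.

    Repeated requests rank higher because the article describes the page
    communicating continuously with its backend; the threshold is an
    assumption to tune locally.
    """
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and matches_ioc(m.group(4)):
            counts[m.group(2)] += 1
    return {
        client: "repeated-contact" if n >= repeat_threshold else "single-contact"
        for client, n in counts.items()
    }

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z 10.0.0.5 GET https://hrguxhellito281.onrender.com/",
    "2025-01-01T09:00:09Z 10.0.0.5 POST https://hrguxhellito281.onrender.com/",
    "2025-01-01T09:00:14Z 10.0.0.5 POST https://HRGUXHELLITO281.onrender.com:443/",
    "2025-01-01T09:02:30Z 10.0.0.9 GET https://hrguxhellito281.onrender.com/",
    "2025-01-01T09:03:00Z 10.0.0.7 GET https://unrelated-app.onrender.com/",
    "2025-01-01T09:03:05Z 10.0.0.7 GET https://xhrguxhellito281.onrender.com/",
]

if __name__ == "__main__":
    for client, priority in sorted(triage(SAMPLE_LOG).items()):
        print(client, priority)
```

Clients flagged as repeated-contact are the ones to prioritize for the password change and session revocation described under "How to Protect Yourself".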
Our Perspective on This Emerging Threat Landscape
What stands out in these campaigns is not just their sophistication, but their timing. Cybercriminals are no longer operating randomly—they are aligning attacks with economic conditions and human psychology. This shift represents a more strategic and calculated threat model. The Coca-Cola phishing kit, in particular, signals a worrying evolution. Real-time MFA bypass frameworks were once associated with high-value targeted attacks. Their appearance in widespread job scams suggests that advanced tooling is becoming commoditized and accessible to a broader range of threat actors.
Equally concerning is the erosion of traditional security advice. For years, users were told that enabling MFA would significantly protect their accounts. While still essential, these campaigns demonstrate that MFA alone is no longer sufficient against modern phishing techniques.
The Ferrari scam highlights another important trend: attackers are diversifying targets. Instead of focusing solely on corporate accounts, they are also exploiting personal platforms like Facebook to expand their reach and persistence.
Ultimately, the biggest vulnerability remains human behavior. In a competitive job market, even cautious individuals may lower their guard when presented with a promising opportunity. This makes education and awareness more critical than ever.
The takeaway is clear: cybersecurity is no longer just a technical issue—it’s a behavioral one. And as attackers continue to refine their methods, users must adapt just as quickly to stay protected.
