The Recruiter Reaching Out on LinkedIn Might Be AI

A "Senior Talent Acquisition Partner at [real Fortune 500]" sends you a LinkedIn message. They've reviewed your profile, think you'd be a fit for a remote role, and want to schedule a quick call. The profile looks legitimate — clean headshot, 500+ connections, a job history that tracks. The role pays $30K over your current salary. They move fast: a 20-minute video chat the next day, an offer letter on Friday, an onboarding packet over the weekend.

Then they ask for your I-9, your driver's license, your Social Security number, and your direct deposit information. Standard onboarding, they say. You send it.

The company never heard of you. The recruiter never existed. By the time you figure it out, someone has already filed a fraudulent tax return in your name, opened two lines of credit, and applied for unemployment in three states.

This is one of the fastest-growing scams in 2026, and it's working for the same reason every other AI-driven scam works: the production quality is now indistinguishable from the real thing.

Why Job Scams Exploded

The post-2023 tech layoff wave put millions of skilled, motivated people back on the job market simultaneously. Many were desperate enough to move fast on any opportunity that looked real. Scammers noticed.

What changed on the attacker side made it cheap to exploit:

AI personas. Building a convincing recruiter profile used to take effort — finding stock photos, writing job history, getting connections to accept. Now a generative model creates a photo that doesn't exist anywhere on a reverse image search, an LLM writes the bio and the messages, and bots build out the connection graph by sending generic networking requests.

Scraped employee data. Real corporate employee directories, conference attendee lists, and LinkedIn exports are sold on the same forums where stolen credit cards are sold. Scammers use those to copy real employees' job titles and structure their fake recruiter profiles to match the actual hiring teams at target companies.

Real company name spoofing. No one is going to fall for "Senior Recruiter at FakeCorp Inc." So scammers don't bother — they pick real, well-known companies with active hiring pages, and impersonate recruiters at those companies. The brand does the credibility work.

The Four Stages of a Fake Hiring Funnel

The shape of the scam is consistent. Watching for the stages is more useful than watching for individual red flags, because the individual flags are increasingly polished.

Stage 1: Cold contact. A LinkedIn DM, sometimes an email through a near-miss domain (@anthropic-careers.com instead of @anthropic.com). The recruiter is enthusiastic, vague on specifics, and pushes for a call quickly.

Stage 2: AI interview. A 20-minute video call. The "hiring manager" has stiff lip sync, doesn't quite track your eye contact, and avoids holding up anything in front of their face. Questions are generic. They don't probe your actual skills because the model running the call can't evaluate technical depth — it just needs you to feel like you had a real interview.

Stage 3: Fake offer letter. Comes within 24-72 hours. The letterhead looks right. The terms look generous. There's a sense of urgency: sign by Monday or we move to the next candidate. Sometimes there's a small upfront ask — buy your own equipment, we reimburse on your first paycheck. That's already identity theft adjacent, because they're collecting card info.

Stage 4: Identity theft. Onboarding paperwork: I-9, W-4, driver's license scan, direct deposit form, sometimes a passport copy "for the background check." This is the payload. Everything before this was setup.

Once they have the documents, the recruiter goes silent. The LinkedIn profile gets deactivated. The email bounces. There is no recourse because there was never a company on the other end.

Red Flags That Survive AI Polish

The old red flags — bad grammar, weird formatting, mismatched fonts — are dead. AI handles all of those. What's harder for scammers to fix:

Sender domain. Real corporate recruiters send from @company.com. Not @gmail.com. Not @company-talent.com. Not @company.careers. If the domain isn't the company's actual primary domain, treat the message as a scam until proven otherwise.

Recruiter LinkedIn history. Click into the profile. When was it created? A real recruiter at a Fortune 500 has years of history, multiple endorsements from named coworkers, connections to other employees at the same company. A scam profile is usually under 6 months old, has generic endorsements, and connects to almost no one at the company they claim to work for.

No mutual connections inside the company. If a "Senior Recruiter at BigCo" has zero overlapping connections with the BigCo employees who already appear in your network, that's a strong signal the profile is synthetic.

Equipment purchases. Real companies ship laptops. They don't ask you to buy your own and submit a receipt. Any "buy and we'll reimburse" ask in onboarding is a scam, full stop.

Urgency around signing. Real offers have a reasonable window — usually a week, sometimes longer. "Sign in 24 hours or we rescind" is a high-pressure tactic borrowed from the same playbook as every other social engineering attack.

Onboarding before background check. Legit companies run the background check before they ask for your I-9 and direct deposit info, not after. If full identity documents are requested before any verification step, the verification step doesn't exist.

Verification Protocol

When an offer feels real but you want to confirm — or when something feels slightly off — there's a five-minute process that catches almost every scam.

Find the company's main number yourself. Go to the company's actual website. Find the careers page or the main switchboard. Do not use any phone number provided by the recruiter, in the email signature, or in the offer letter. Those numbers route to the scammer.

Call HR or the talent team directly. "I received an offer letter from [recruiter name] for a [role title] position. Can you confirm this is a legitimate offer?" A real recruiter shows up in the company directory. A fake one doesn't.

Cross-check the recruiter on LinkedIn against the corporate directory. Most companies list their recruiting team somewhere — on the careers page, in press materials, or via mutual connections. The recruiter who contacted you should appear in those places. If they don't, they aren't who they said they were.

Reverse-image the profile photo. Google Lens, TinEye. Either the photo shows up nowhere (AI-generated) or it shows up attached to a different name (stolen from someone else's social media). Both are immediate disqualifiers.

Verify the offer letter domain. Check that the email it came from matches the company's actual primary domain. Even one letter off is a scam. The offer letter PDF metadata sometimes also reveals the actual author — right-click, properties, check the "author" field.

Five minutes of verification beats a year of cleaning up identity theft.

What Scammers Do With Your I-9 and W-9

If you send the documents and then realize what happened, you need to know what's coming so you can move fast.

The package — driver's license, Social Security number, address, signature — is everything required to:

• File a fraudulent tax return in your name, claim a refund, redirect it to a prepaid card or controlled bank account. The IRS will reject your legitimate return later because "you've already filed."
• Open lines of credit. Credit cards, store credit, sometimes auto loans. You'll find out via collection letters.
• Apply for unemployment in your name. Multiple states, sometimes simultaneously. Your employer (or former employer) starts getting verification requests they didn't expect.
• Build a synthetic identity — your SSN attached to a slightly different name and date of birth, used to open accounts that will eventually default and trash your credit alongside the real you.

First 24 Hours If You Already Shared It

Move in this order:

1. IRS Identity Protection PIN. Opt in immediately at IRS.gov. This blocks fraudulent tax returns from being processed under your SSN. Free, takes about 15 minutes.

2. Freeze your credit at all three bureaus. Equifax, Experian, TransUnion. Free, online, takes another 15 minutes. New credit cannot be opened in your name while the freeze is active. You unfreeze when you actually need to apply for something.

3. File at IdentityTheft.gov. Federal Trade Commission's official intake. The report itself is useful for disputing fraudulent accounts later, and it triggers automatic notifications to affected agencies.

4. Notify your bank and existing card issuers. Tell them you've been the victim of identity theft. Most will add a fraud flag to your accounts that requires additional verification for new lines.

5. Document everything. Save the original LinkedIn messages, the offer letter, the recruiter's profile URL, all email headers. You will need this for the FTC report and for disputing fraudulent accounts.

Do all five within 24 hours of realizing what happened. Recovery scales with how fast you move.

Treat Every Offer As Guilty

The mental model that survives 2026: any unsolicited recruiter contact is a scam until you've independently verified the company knows who they are. Real recruiters are not bothered by being verified — they expect it. Scammers are. The friction of one phone call to a number you found yourself is what separates a real opportunity from a year of credit restoration.

For the broader audit of what else to lock down before AI gets weaponized against your identity, see Your AI Threat Model — 10 Things to Lock Down Before You Become a Target.

The job market is hard enough without this. Verify everything.