The recruitment industry has a pretty damaged reputation. You might have heard about recruitment scams where agents fish personal information or references out from candidates through fake job offer calls or emails on LinkedIn and other professional networks. In the case of some recruitment agencies (IT or other), ethics and professionalism don’t play a role. Luckily, not everyone in the industry stoops this low.

Disclaimer: We do not in any way support the practices described in this post. They are dangerous, borderline illegal and highly unethical.

While some agencies stick to ethics and professionalism in their work, others do not. This is true especially for those recruitment agencies whose employees are driven by input metrics rather than long-term goals. This ultimately drives the type of behaviour that is despised by both candidates and clients.

Examples of metrics that drive negative behaviours include: to acquire a certain number of CV’s over a certain time, or to contact a number of prospective clients, or to spend a certain amount of time calling candidates every day. Ever wonder why recruiters cold-call you all the time? This is your answer. It stems from pre-internet practices of boiler room sales.

If input numbers are what agency recruiters and sourcers are getting paid for, they often embark on the following three types of phishing: CV phishing, affiliate phishing, and phishing for clients.

How is it different from phishing in a broader sense?

While what we usually call phishing involves obtaining passwords and sensitive personal information, phishing in recruitment is aimed at acquiring CV’s (which also contain personal information about candidates) or contact information of executives. Either a job ad or a job offer promise becomes a bait for the unsuspecting job seeker.

So how to recognise recruitment phishing?


“Hey! I just saw your profile, and it looks impressive. Send me your CV, and I’ll get back to you once I have a perfect role for you.”

Often, you might have an impression that they haven’t read your profile properly. Many phishers don’t even bother to personalise their message, which is why it usually looks or sounds generic.

Why are they doing it?

Such recruiters are building their CV databases. This way, they always have something to show to the existing and prospective clients. In the worst case, they are collecting resumes to sell them to a third party.

What should they do differently?

A decent recruitment professional who works ethically (and is aware of legal implications regarding data collection) would write you a personalised email, so that you know they’ve taken the time to learn about you. They will also tell you about the position they contacted you about.

They normally won’t write you unless they have a particular role in mind. Not to mention that they would care to run a spell check before clicking “Send.”


“Hey! We have [this role] currently open. Are you maybe interested in it? Or maybe you know someone who would be a great fit for the job?”

Why are they doing it?

Usually, the role in question is quite distant from what you are doing. You might ask yourself, “So why did they contact me?”

The answer is obvious: these recruiters are not interested in you, they want your contacts. If you work in tech, you must know other people in your company or industry, including developers. It makes their search easier—you are doing their job for you.

What should they do differently?

First of all, they should have not contacted you regarding an irrelevant job. They should have found a more suitable candidate (on their own).

It is normal for people to look for recommendations in their social circle. However, it is expected that you are acquainted with the person you are approaching. So if a recruiter whom you trust asks you if you know anyone suitable for the position, that’s one thing. But when an outsider asks you for the same favour, there is a reason for suspicion.


“Hey! I just looked at your profile/CV. It looks great. Before I forward it to my client, we would need a few references. Send me the contact details of your supervisors (Team Lead, CTO, CEO), and we’ll talk to them.”

After getting the requested contact details, they usually don’t get back to you. And it’s not because you weren’t a good match for the job.

Why are they doing it?

Like in the previous case, a recruiter is most likely interested in your connections. This time, it’s not about candidates, it’s about potential clients. Once provided with the desired contacts, they will probably approach your company’s management and try to sell their services to them.

What should they do differently?

They should search for their clients on their own. For example, good recruiters would take their reputation seriously and work on their business brand instead.

By providing their services in an ethical way and by proving to be reliable and professional in their search for talent, a recruitment agency will gain trust among hiring managers and candidates alike. The former will recommend the agency to their colleagues, and the latter will likely become their clients in the future.


To not fall victim of phishing in recruitment, you don’t have to stop working with all third-party recruiters. You just need to know a bit about the person who you are working with and have sufficient information about the role you’re applying for.

Here’s a quick checklist for you:

  • Research your recruiter before working with him or her.
  • Don’t send your personal information (a CV) to anyone before you know there is a real position you’re applying for.
  • Make sure you are given the name of the company your CV will be sent to.
  • Make sure your recruiter explains what he or she does with your information (contact details, CV, info from your conversations) and keeps transparent about the entire recruitment process.

Ask questions.

Unfortunately, there are lots of people in IT recruitment who aren’t qualified enough or simply don’t follow the legal and ethical guidelines. But there are also great professionals who care about the reputation of both their agency and the client they are working for.

If you do your research properly and make sure that your recruiter is trustworthy, it can result in a fruitful long-term relationship.

3 Commonly Used Phishing Techniques In Recruitment To Avoid