"The best social engineering attacks don’t ask victims to believe something impossible. They ask them to believe something they already want to be true," Mika Aalto, Co‑Founder and CEO at Hoxhunt, warned — and that observation is at the heart of a Five Eyes advisory about recruitment-style espionage campaigns that exploit mainstream hiring platforms.
Five Eyes alert: what was reported
The intelligence‑sharing alliance known as Five Eyes — which includes the United States, Australia, Canada, New Zealand and the United Kingdom — issued a warning that Chinese actors are targeting people associated with the alliance to gain access to sensitive or classified information. According to the advisory, attackers are using LinkedIn, Indeed and Upwork to pose as human resources consultants, post illegitimate jobs, and press candidates for sensitive information.
The bulletin named several categories of potential targets: security clearance holders, military personnel, and individuals indirectly connected to government information such as journalists or think‑tank workers.
How attackers are using LinkedIn, Indeed and Upwork
The methods described in the advisory are recruitment‑style social engineering rather than blunt malware campaigns. Attackers create what appear to be legitimate hiring interactions — unsolicited outreach, job postings, multiple rounds of interviews — to build trust and extract information. The report says these campaigns can push victims to complete research assignments, share credentials, or move conversations to other platforms.
Security practitioners quoted in the source described multiple technical and social enablers. Maxime Cartier, Vice President of Human Risk at Hoxhunt, said "easily‑available AI tools help attackers research targets, personalize communications, and convincingly impersonate legitimate organizations at scale," and that "the more sophisticated attacks contain highly believable deepfake voice and video conferencing calls."
Recruitment scams, deepfakes and the psychology of trust
Analysts in the source stressed that these are not one‑off scams but relationship‑building operations that exploit career ambitions. Mika Aalto framed the approach as a confidence scam: attackers "aren’t creating trust in a single interaction. They’re building a relationship over time and exploiting a person’s ambitions, expertise, and professional aspirations." Matthew Hartman, Chief Strategy Officer at Merlin Group, said the campaigns demonstrate a repeated tactic by nation‑state actors: using trusted professional platforms to identify and cultivate targets with access to valuable information.
The source notes specific techniques that amplify effectiveness: multiple touchpoints, convincing company websites, deepfake impersonation of recruiters and hiring managers, and interactions that can last weeks or months. Cartier also observed that initial messages in these campaigns often bypass traditional defenses — "they can be effective at bypassing spam filters because the initial email’s link might not be malicious."
Chinese Embassy in London response
The Chinese Embassy in London is quoted in the source condemning the Five Eyes alert as false. The source records the Embassy's statement but does not elaborate further on its reasoning or provide additional comment from other diplomatic or government offices.
What this means for security clearance holders, military personnel, and journalists
- Security clearance holders: Named as potential targets, they should treat unsolicited recruitment contact as a possible intelligence collection effort and verify opportunities through official channels before sharing any sensitive information.
- Military personnel: Because the advisory includes military personnel among potential targets, those approached about consulting roles or research assignments should independently confirm recruiter identities and be wary of multi‑stage interview processes that request classified or operational details.
- Journalists and think‑tank workers: The advisory specifically includes people indirectly connected to government information. As Mika Aalto and Maxime Cartier note, attackers exploit professional ambitions and routine career outreach, so these professionals should validate openings through direct organizational contact and be alert to deepfake audio or video used to impersonate colleagues or recruiters.
Security leaders in the story recommend simple but specific steps grounded in the attack pattern: treat unsolicited recruitment like a suspicious email, contact the organization directly, confirm recruiter identities, and independently validate who you are speaking with. They stress that in an era of AI‑generated content and professional impersonation, identity should not be taken at face value.
The Five Eyes advisory and the reactions captured in the source present a narrow but clear picture: trusted hiring platforms have become a vector for long‑form social engineering aimed at people with access to sensitive information, and attackers are increasingly using AI and deepfakes to close the credibility gap. The alert, the technical descriptions of persuasion and impersonation, and the Embassy's rebuttal leave one practical question central to this story: when professional opportunity arrives unbidden, how will targeted communities and their organizations change verification processes to match the sophistication of the campaigns described?
Source: Security Magazine — LinkedIn, Indeed and Upwork Leveraged for Chinese Spying Threat
