Fake job offers are the fastest-growing scam category GACS triages in 2026 — overtaking romance scams in monthly report volume for the first time. The pattern is consistent: a recruiter you never applied to, a salary that's 30–50% above market, and a "simple task" or "onboarding fee" that quietly turns into the extraction step. This guide is the same step-by-step verification checklist GACS analysts use before clearing a job offer as legitimate.
The two scam shapes you'll meet
Almost every fake job offer in 2026 falls into one of two operational shapes. Knowing which one you're looking at decides what red flag matters most.
1. Remote work task scams. You're "hired" to like videos, rate hotels, boost product listings, or complete "data entry" on a slick dashboard. The dashboard shows your balance climbing. To "unlock" withdrawals you're asked to top up with crypto — USDT-TRC20, almost always — to cover a "negative balance", "tax", or "VIP upgrade". There is no employer, no client, and no withdrawal. The dashboard is theatre.
2. Recruitment fraud (classic fake-offer). You receive a polished offer letter from what looks like a real company (Amazon, Deloitte, Google, a regional bank). Before you start, you're asked to pay for "equipment", a "background check", a "training course", or to receive and forward a cheque (money-mule recruitment). Sometimes the goal is your ID documents and bank details for identity theft, sometimes it's the upfront fee, sometimes it's both.
Both shapes share four tells. If three or more are present, treat the offer as fraudulent until proven otherwise.
The 6-step job scam check
Work through these in order. The first failure is enough — you don't need to complete every step before walking away.
### 1. Did you apply?
If the recruiter contacted you cold on WhatsApp, Telegram, Signal, iMessage, or a random LinkedIn DM for a job you never applied to, your prior probability of fraud is already above 80%. Real recruiters at real companies almost never first-contact candidates on WhatsApp. They use LinkedIn InMail, the company ATS, or corporate email — and they expect you to apply through an official careers page before any interview.
### 2. Does the company email domain match the company website?
Open the company's real website in a separate tab (Google the company name, don't click any link the recruiter sent). The recruiter's email must end in @companyname.com — not @gmail.com, @outlook.com, @companyname-careers.com, @companyname.work, or any lookalike. Lookalike domains (extra hyphens, swapped letters, .co instead of .com, .careers instead of .com) are the single most common recruitment-fraud tell.
Run the recruiter's domain through the GACS Safe Scanner — it cross-checks 250k+ flagged domains in under 4 seconds and flags lookalike-domain typosquats automatically.
### 3. Does the job exist on the company's real careers page?
Every legitimate role is posted on the company's own careers page or ATS (Workday, Greenhouse, Lever, SmartRecruiters). Search the exact job title there. If the role does not appear, ask the recruiter for the official posting URL on the company domain. "It's not public yet" or "it's an internal referral" is a near-perfect scam confession — legitimate referrals still produce an internal ATS link the candidate can see.
### 4. Are you being asked for money, crypto, or a cheque to deposit?
A real employer never asks a candidate to pay anything. Not for equipment, not for training, not for a background check, not for a software licence, not for "onboarding". Any version of "send us USDT and we'll reimburse on your first paycheque" is a scam. Any version of "deposit this cheque and wire 90% to our vendor" is money-mule recruitment — you become criminally liable when the cheque bounces.
### 5. Is the "task platform" asking for a top-up to withdraw?
This is the remote work task scam confession. The dashboard shows a positive balance. You try to withdraw. You're told you need to deposit crypto to "unlock VIP tier", "clear a negative balance", or "pay completion tax". There is no withdrawal. Every top-up makes the next one larger. The moment you stop paying, the account locks and the "supervisor" disappears.
### 6. Does the interview process look real?
Real interviews involve video calls with named humans, technical or behavioural rounds, and an HR handoff before an offer. Scam "interviews" are text-only on Telegram or WhatsApp, last 10–20 minutes, and end with an immediate offer letter. If you've never seen the interviewer's face, you have not been interviewed.
Red flags that show up across both shapes
These don't appear on every fake offer, but when they do, they're decisive:
- Salary 30–50% above market for the role and your experience level.
- Same-day offer with no second round and no reference check.
- The "company" uses a free email address (@gmail.com, @outlook.com, @yahoo.com) for the recruiter, HR, and "manager" — all three.
- Pressure to sign and start within 24–48 hours — "we have other candidates", "the slot expires tomorrow".
- Requests for your passport, driver's licence, full bank details, or a selfie holding ID before any contract is signed and verified.
- Payment in crypto only, especially USDT-TRC20, with a wallet address that changes each conversation.
- A "manager" who only communicates by voice note or text and refuses any video call.
- An offer letter with mismatched logos, broken formatting, or a signature image that's pixelated — copy-paste artefacts from a template the scam crew bought on a fraud forum.
What to do if you've already engaged
If you've sent documents, money, or crypto, treat it as a live incident and move fast — the first 24–72 hours decide whether anything is recoverable.
- Stop all communication with the recruiter. Do not "confront" them — they will pivot to threats or a fake "fraud department" follow-up scam.
- Screenshot everything — the offer letter, the WhatsApp/Telegram thread, the dashboard, the wallet address, every email header.
- If you sent crypto, contact the receiving exchange's fraud team immediately with the transaction hash. Binance, OKX, Bybit, and Coinbase all have a 24–72 hour window in which they can freeze a deposit if it's still on the platform.
- If you sent bank funds or deposited a cheque, call your bank's fraud line and request a recall or chargeback. Cheque-deposit scams in particular need to be flagged before the bounce hits your account, or you owe the full amount.
- If you sent ID documents, place a fraud alert with your country's credit bureaus (Equifax/Experian/TransUnion in the US/UK; Schufa in Germany; equivalents elsewhere) and freeze new credit applications.
- Report the entity to GACS in 60 seconds via the report form. Three independent reports auto-promote a new fake-employer entity to critical severity on the public blacklist, which protects the next candidate searching the same recruiter name.
- Report to authorities. Use the report-to-authorities finder to match your country: IC3/FTC in the US, Action Fraud in the UK, the Canadian Anti-Fraud Centre, ACCC Scamwatch in Australia, your national CERT or police cybercrime unit elsewhere.
Don't pay a "recovery agent"
Within hours of being scammed you will be contacted — on the same WhatsApp number, on LinkedIn, in your inbox — by a "recovery specialist", "blockchain forensics expert", or "lawyer who's tracked this exact group". They are the second wave of the same operation. Real recovery, where it's possible at all, runs through exchanges, banks, and law enforcement — not a stranger who finds you within 48 hours of a loss. If a recovery offer is unsolicited, it is the scam.
Verify before you accept
Before you sign anything, run the recruiter's domain, the "company" website, and any wallet address through the free GACS Safe Scanner — 4 seconds, four verification layers, 250k+ flagged signals. If the offer clears every step of the checklist above and the scanner returns green, the prior probability of fraud drops dramatically — but only after every step. A real job offer survives every question on this page. A fake one fails by step three.