May 06, 2026

How AI is Making Scams Faster, Cheaper, and Harder to Spot


The Anatomy of an AI-Powered Recruitment Scam

Last week, I received an email from someone claiming to be an executive headhunter — complete with an impressive title, a professional headshot, and a compelling pitch about a VP Engineering role at a major bank. The salary? $400,000 base plus equity.

It was a scam. But what made it interesting wasn't that it was fake — it's how quickly and cheaply AI tools made it possible to build a convincing persona from scratch. What would have taken days or weeks to assemble a few years ago — a professional identity, a company website, personalised outreach — was done in under an hour with free tools. And it was convincing enough that without some deliberate digging, it could have easily passed as legitimate.

Here's what the scammer had in their toolkit:

An AI-generated headshot. The profile photo was a professional-looking portrait of a woman in business attire — studio lighting, neutral background, confident expression. It looked polished and real. But the giveaway? The filename. It had been saved directly from a German-language social media ad for professional headshot services, complete with the marketing caption baked into the filename: "Seriös & Kompetent — Ein Bewerbungsfoto ist mehr als nur ein Bild — es ist ein Statement." ("Serious & Competent — An application photo is more than just a picture — it is a statement.") The image itself showed all the hallmarks of AI generation: perfect symmetry, slightly uncanny skin texture, and that generic "stock headshot" quality that's become the calling card of tools like Midjourney and Stable Diffusion.

A fabricated email signature. Built using WiseStamp, a free email signature generator. The signature included the AI headshot, a stylised "Best regards" animation, and a professional layout with bold titles. It looked like something from a legitimate recruiter's email. Total effort to create: about two minutes. The signature also repeated "Executive Talent Connector" twice — a small formatting error that hinted at a rushed setup, but one most people would glance right over.

A fake company website. When I asked for proof of her firm, she sent a link to pinnacle-search-group-486.created.app. The domain immediately raised a flag — .created.app is the hosting domain for create.xyz (now called "Anything"), an AI app builder where you describe what you want and get a fully rendered website in seconds. The -486 suffix is an auto-generated project number, meaning this was likely spun up minutes before she sent the link. The real Pinnacle Search Group operates at pinnaclesearchgroup.com, was founded by Joanne Robinson in 2000, and specialises in logistics and supply chain recruitment — nothing to do with AI or executive tech roles. Even more telling, another firm called Pinnacle Executive Search has a scam warning on their own homepage about unauthorised individuals impersonating their company. The irony writes itself.

Bulk email tracking. Hidden in the HTML source of her emails were invisible tracking pixels — tiny 0x0 images loaded from mailmerge.eu, a mass email and mail merge platform. Every email contained a unique tracking URL, but all shared the same user ID: u=13974402. This confirmed two things: first, she was using a bulk email tool, not writing individual messages; and second, this wasn't a one-off outreach — it was a campaign running against many targets simultaneously. The tracking pixels let her see who opened the email, how many times, and when — giving her real-time intelligence on which targets were engaged and worth pursuing further.

AI-generated email copy. Every response was fluent, professional, and structurally sound. The language was polished, the formatting was clean, and the replies came back within minutes — far faster than any human recruiter juggling a pipeline of candidates. But the content had telltale AI patterns: heavy on buzzwords like "high-impact executive opportunities" and "platform-driven organisations," structurally repetitive across messages, and suspiciously adept at addressing my objections with just enough plausibility to keep the conversation going without ever actually answering my questions. Each time I pushed for specifics, the response would acknowledge my concern, offer a vague concession, and then immediately redirect to asking for my documents.


How I Caught It

The red flags accumulated quickly once I started probing — but the key was actually probing in the first place. The initial email was well-crafted enough that many busy professionals would have replied without a second thought. Here's the sequence of cracks that appeared:

1. No company name initially. The first two emails described a "high-growth organisation" and a "high-priority role" without ever naming the company. Legitimate recruiters — especially at the executive level — lead with the opportunity. Confidential searches exist, but they're the exception, not the default, and even then the recruiter provides enough context to establish credibility. Vague descriptions of unnamed companies are a hallmark of scam outreach.

2. Pivoted from specific role to data harvesting. When I asked for details about the company, the scope of the role, and the reporting structure, she completely ignored every question and instead asked for my salary expectations and preferred location. This is a classic bait-and-switch: open with flattery and a big number, then pivot to extracting personal information before the target has time to verify anything. A real recruiter would answer your questions first — it's how they demonstrate value and build trust.

3. Named a retired executive as the hiring manager. After I pushed back hard enough, the scammer eventually claimed the role was at Scotiabank, with a named senior executive as the hiring manager. A 30-second Google search revealed that this person had retired from that role at the end of 2023 — over two years earlier. When I pointed this out, the story smoothly adjusted: the retiree was now supposedly involved in an "advisory/hiring capacity alongside the internal team." The speed and fluency of this pivot was itself suspicious — it read like an AI-generated response adapting to new input rather than a human caught off guard.

4. No verifiable online presence. I searched for the recruiter's name across LinkedIn, Google, and professional directories. Nothing. No LinkedIn profile, no website, no company affiliation, no conference appearances, no articles — zero digital footprint. An executive recruiter placing $400K VP-level roles at major banks without a LinkedIn presence doesn't exist in reality. When I raised this, she claimed she was "consolidating her online footprint" — a creative excuse, but not one that holds up to scrutiny.

5. The website was freshly generated. As noted above, the .created.app domain with a random number suffix is the hallmark of an AI-generated throwaway site. No legitimate recruitment firm operates from a subdomain on a free website builder. The site existed solely to provide a URL when asked — a prop in a performance, not a real business presence.


The Bigger Picture

What struck me most wasn't the scam itself — recruitment scams have existed for years, and the pattern of flattery followed by data harvesting is well-documented. What's genuinely concerning is how dramatically AI has lowered the barrier to entry for this kind of operation.

Five years ago, running a convincing executive recruitment scam required real effort: sourcing or stealing a professional photograph, building a credible website with hosting and a domain, crafting personalised emails manually for each target, and maintaining consistent correspondence over multiple exchanges. The cost in time, money, and skill was significant enough to limit the scale of these operations.

Today, the entire persona — headshot, website, email signature, and tailored correspondence — can be assembled in under an hour using entirely free tools. The scammer's modern toolkit looks like this:

  • AI image generators (Midjourney, Stable Diffusion, DALL-E) for realistic fake profile photos that pass casual inspection
  • AI website builders (create.xyz, Lovable, Carrd) for instant credibility — a professional-looking site generated from a text prompt in seconds
  • AI writing assistants (ChatGPT, Claude, Gemini) for fluent, professional-sounding emails that adapt to objections in real time
  • Free signature generators (WiseStamp, HubSpot) for polished email layouts that mimic legitimate corporate signatures
  • Mail merge platforms (mailmerge.eu, GMass, Mailshake) for bulk sending with individual personalisation and open tracking
  • LinkedIn scraping tools for target research, title harvesting, and personalisation at scale

The cost of all of this? Essentially zero. And the output is good enough to fool professionals who aren't actively looking for it. That's the uncomfortable shift: AI hasn't just made scams cheaper — it's made them qualitatively better. The grammar is perfect, the formatting is professional, the responses are contextually appropriate, and the turnaround time is instant. The tells that used to make scam emails obvious — broken English, generic greetings, formatting errors — are disappearing.


How to Protect Yourself

If you receive an unsolicited recruitment email — especially one offering a suspiciously senior role with a generous salary — here's a practical checklist before you engage:

Verify the recruiter exists. Search their name on LinkedIn. If they claim to be placing executive-level roles and have no professional presence online, that's not a recruiter who "values discretion" — that's a fabricated identity. Real headhunters live on LinkedIn; it's how they build their network and reputation.

Demand specifics early. A legitimate recruiter will name the company (or at minimum the industry and company profile), the hiring manager, the reporting structure, and provide verifiable details about the role. If the first two emails are heavy on flattery and light on facts, you're being warmed up, not recruited. Push for concrete information before investing any time.

Independently verify everything they tell you. When the scammer in my case named a hiring manager, a 30-second search revealed the person had retired two years earlier. Don't take claims at face value — check them. Google the company, the person, and the role. If nothing corroborates what you're being told, trust your instincts.

Inspect the email source. In Gmail, click the three dots on any message and select "Show original" to view the full email headers. Look for tracking pixels from bulk email platforms (like mailmerge.eu), check whether the email was sent from a personal Gmail account rather than a corporate domain, and note whether SPF/DKIM authentication matches what you'd expect from a professional firm.
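
The source inspection described above can be scripted once a message has been saved from "Show original". The following is an added example, not code from the original article: it lists invisible images, reports the sender domain and SPF/DKIM results, and finds query parameters that stay constant across several messages, which is how a shared ID like u=13974402 stands out. The sample message, URL path and the "m" parameter are constructed.

```python
import email, email.policy, email.utils, re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: illustrative list
# Constructed sample. mailmerge.eu and u=13974402 come from the article; the sender,
# URL path and the per-message "m" parameter are made up for illustration.
SAMPLE = """\
From: "Jane Doe" <jane.doe@gmail.com>
Subject: VP Engineering opportunity
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p>
<img src="https://mailmerge.eu/t/open?u=13974402&amp;m={m}" width="0" height="0">
<img src="https://example.com/logo.png" width="120" height="40">
</body></html>
"""

class PixelFinder(HTMLParser):
    """Collect <img> tags sized 0 or 1 px, or hidden with an inline style."""
    def __init__(self):
        super().__init__()
        self.pixels = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        tiny = all(str(a.get(k, "")).strip().rstrip("px") in ("0", "1") for k in ("width", "height"))
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        if tiny or hidden:
            self.pixels.append(a["src"])

def inspect_message(raw):
    msg = email.message_from_string(raw, policy=email.policy.default)
    sender = email.utils.parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))
    finder = PixelFinder()
    body = msg.get_body(preferencelist=("html",))
    finder.feed(body.get_content() if body else "")
    return {"sender_domain": sender, "freemail": sender in FREEMAIL, "auth": auth, "pixels": finder.pixels}

def shared_tracking_ids(pixel_urls):
    """Query parameters with the same value in every pixel URL: a likely sender or campaign ID."""
    sets = [set(parse_qsl(urlsplit(u).query)) for u in pixel_urls]
    return dict(set.intersection(*sets)) if sets else {}

if __name__ == "__main__":
    print(inspect_message(SAMPLE.format(m="a1")))
```

A passing SPF/DKIM result for a freemail domain only shows the message really came through that provider; it says nothing about the firm the sender claims to represent.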

Scrutinise the profile photo. AI-generated headshots often have telltale signs: perfect facial symmetry, unnaturally smooth skin, slightly off earrings or accessories, and that generic "stock photo" quality. Reverse image searching can sometimes reveal the source, and checking the filename (as I did) can occasionally reveal where the image was scraped from.

Check their website's domain. Subdomains on free platforms like .created.app, .carrd.co, .wixsite.com, or .webflow.io with random numbers or generic slugs are red flags. A legitimate recruitment firm will have its own domain, a history of web presence, and content that predates their outreach to you.
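
The domain check above, as an added example that is not part of the original article: it flags a link hosted on one of the free-builder suffixes listed here, notes a trailing numeric suffix in the slug, and compares the slug against the domain the genuine firm is known to use. The function names are hypothetical, and the suffix list covers only the platforms named in this article.

```python
import re
from urllib.parse import urlsplit

# Free-builder hosting suffixes named in the article; extend for your own use.
BUILDER_SUFFIXES = (".created.app", ".carrd.co", ".wixsite.com", ".webflow.io")

def letters(s):
    """Lower-case and keep only a-z, so hyphenated and unhyphenated names compare equal."""
    return re.sub(r"[^a-z]", "", s.lower())

def assess_site(url, real_domain=None):
    """Return a list of findings for a site link a contact sends as proof of their firm.

    real_domain (optional) is the domain the genuine firm is known to use.
    """
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    suffix = next((s for s in BUILDER_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        return []  # own domain: check its age and history separately
    findings = [f"hosted on free builder subdomain (*{suffix})"]
    slug = host[: -len(suffix)].split(".")[-1]
    numbered = re.search(r"-\d+$", slug)
    if numbered:
        findings.append(f"slug ends in numeric suffix {numbered.group()}")
        slug = slug[: numbered.start()]
    if real_domain and letters(slug) == letters(real_domain.split(".")[0]):
        findings.append(f"slug imitates {real_domain} but is not hosted there")
    return findings

if __name__ == "__main__":
    # Both hostnames are quoted in the article.
    for line in assess_site("pinnacle-search-group-486.created.app", "pinnaclesearchgroup.com"):
        print("-", line)
```

An empty result only means the link is not on a listed builder; a custom domain registered days before the outreach still needs a registration-date and history check.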

Never share documents before full verification. Your resume might seem harmless — especially if it mirrors your LinkedIn — but sharing documents with an unverified contact establishes a pattern of trust that scammers exploit. The resume is rarely the end goal; it's a stepping stone to requests for fees, sensitive information, or access to your network.


The Uncomfortable Truth

AI is a remarkable tool. I use it every day in my consulting work — for development, analysis, content creation, and client delivery. The productivity gains are real and significant. But the same capabilities that help legitimate businesses move faster are also making fraud more scalable, more convincing, and harder to detect.

The arms race between scammers and their targets is accelerating. The traditional advice of "look for spelling errors" or "check if the email sounds generic" is increasingly obsolete when AI can produce flawless, personalised, contextually appropriate communication on demand. The new baseline for protection is active verification: don't just read the email — investigate the sender, check their claims, inspect the metadata, and verify independently before engaging.

If something feels too good to be true — a $400K role landing in your inbox from someone you've never heard of, with no public listing and no verifiable recruiter — it probably is. Take five minutes to verify before you engage. It's the best ROI you'll ever get.


Need Help Protecting Your Business from AI-Powered Threats?

As AI makes both opportunity and risk more accessible, having the right technology leadership matters more than ever. Whether it's building secure systems, evaluating AI tools, or advising your team on emerging threats, a Virtual CTO can help you stay ahead.

If you're navigating the AI landscape and want strategic guidance grounded in real-world experience, get in touch — we'd love to chat.
