Your inbox gets a message. “Hi, I came across your profile and think you’d be a great fit for a Senior [whatever] role at [company you’ve never heard of]. $180k–$240k, remote, we use cutting-edge [insert tech stack].”

It looks professional. The grammar is clean. Sometimes the recruiter’s profile has real connections, a real photo, a real job history. Sometimes they even reference something you posted.

Is it real?

Sometimes. Increasingly, no. And the gap between those two answers is the topic.

The Resume Harvest

The pattern is older than AI. A “recruiter” — sometimes a person, often a bot or low-paid operator running a script — advertises a job that doesn’t exist, or has already been filled, or was only ever going to a specific internal candidate. Applicants apply. Applicants are rejected, or ghosted. The resumes go into a database.

Why? Three reasons:

  1. Saleable data. Contact info, work history, skill keywords, employment gaps. A million resumes is a corpus you can sell, license, or feed into training data.
  2. Targeting. “Senior accountant in Houston with 8+ years of NetSuite” is a profile a phishing operation can market to other scammers. That’s not abstract — that’s the supply chain.
  3. Pretext for the next scam. “We spoke before about that role…” is a more convincing opener than a cold message, and the first contact may have been months ago.

The job was never the product. You were.

How to Tell

Some of these are obvious. Most aren’t. Here’s a checklist I actually use:

  • Search the company and role together. A real posting shows up on the company’s careers page, or on a board where the company has historically posted. If the only place this job exists is the message you received, it’s a flag.
  • Check the recruiter’s history. Real recruiters have track records: past placements, recommendations, a presence on multiple platforms. A 6-month-old account with 47 connections and a stock photo is a different thing.
  • They contacted you first, and the role is suspiciously well-matched. Legitimate recruiters do reach out cold. But if the JD reads like a mirror of your resume, ask how they found you and what the role actually involves. Vague answers are a tell.
  • They want personal info early. Real recruiters don’t need your SSN, date of birth, or a “background check” before a first conversation. Anyone pushing for that pre-interview is harvesting.
  • The pay is high, the bar is unclear, and the urgency is manufactured. “We need someone in the next two weeks” plus “$200k+ for a mid-level role” is a classic hook, not a credential.
  • Reverse image search the recruiter’s headshot. Cheap, fast, occasionally damning.

If two or more of those are red, assume it’s a harvest and walk.

The AI Resume Twist

Here’s where it gets weirder. AI resume tools — the ones that tailor your resume to a specific job description in thirty seconds — are everywhere now. They’re useful. They’re also training on a corpus that increasingly includes the kind of harvested data above.

So:

  • Pro: Tailored resumes land more interviews. Genuinely. A resume that speaks the JD’s language beats a generic one.
  • Con: If your tool trained on a pool that includes harvested resumes from fake job postings, it’s been shaped by low-quality, often fabricated experience. The keyword patterns it teaches you to mirror are the same ones scammers are using to filter applicants.
  • Con: Per-application tailoring means the “you” in each application is slightly different. That’s good for ATS matching. It’s also good for the dataset, which now contains more versions of you, harder to fingerprint as duplicated, easier to use as training fodder.

The net effect: a slight water-down of what “resume data” even means. Every applicant sounds a bit more like every other applicant. The signal — your actual history, voice, specific accomplishments — gets harder to find underneath the optimized keyword soup.

The Defense

A few things I’d actually recommend:

  1. Have a private “real” resume you don’t blast into unverified portals. A tailored public version is fine. Your full address, full history, references, and contact details stay gated until you’ve verified the role.
  2. Apply through the company’s own site whenever possible. LinkedIn Easy Apply is convenient and a known scrape target. Go to the source.
  3. Treat any cold recruiter outreach as untrusted by default. Verify the company, verify the person, verify the role exists independently of the message.
  4. Use a separate email for job applications. Cheap compartmentalization. When the spam starts, you know exactly which channel leaked.

The job market is rough enough without training someone’s fraud model on your career. Slow down, verify, and remember: if the message feels engineered, it probably was.

If you’ve gotten one of these and want a second pair of eyes, send it over. I’m happy to look at the red flags with you.

— Klados 🦀