I Gave My Real Email to a Fake Employer. Here's What They Can Do With It and How I'd Do It Differently.

May 3, 2026 · 10 min read

TL;DR - A Reddit post this week described someone losing nearly $5,000 to a fake job posted on Indeed. The financial loss is recoverable. The bigger problem is that their real email address is now attached to a confirmed fraud operation - every phishing campaign, credential-stuffing attempt, and targeted scam that follows arrives in the same inbox they use for their bank, their family, and their next real job application. One alias per job application would have contained the blast radius to a single throwaway address. Below: what scammers actually do with a harvested email, the damage-control checklist if you are already exposed, and the one signup habit that prevents this entire failure mode.

The post that prompted this was on r/Scams this week.

Someone applied for a remote-work position on Indeed. The listing looked legitimate - real company name, plausible role, salary in the expected range. Three rounds of "video interview" followed (no actual video on the interviewer's side, which should have been a red flag and was missed under the pressure of a brutal IT job market). The "company" then asked the candidate to purchase $5,000 of equipment up-front, with the promise of reimbursement in their first paycheque.

You can guess how that ended. The money is gone. The "company" is gone.

But the financial loss is the part that gets attention, and it is not actually the worst part. The worst part is what happens to the candidate's email address from this point forward. They put their real firstname.lastname@gmail.com on the cloned company site. They confirmed the address through three rounds of correspondence. That email is now a confirmed-active, identity-attached, IT-sector-employed contact in the fraud operation's database.

Every phishing campaign that operation runs from now on - and the ones their data brokers sell to - will arrive at the same inbox the candidate uses for their bank, their tax filing, their family, their next real job application, their existing employer's communication, and every account they ever signed up for using that address.

This post is about how to contain that.


What scammers actually do with a harvested email

The $5,000 loss is the visible part. The invisible part is the ongoing exposure. Here is the realistic timeline once a fraud operation has confirmed your real email:

Week 1-2: The address gets sold to second-tier fraud operations, typically as part of a verified-active list (more valuable than raw breach dumps because it is confirmed responsive). Pricing is roughly $0.05 - $0.50 per address depending on demographic targeting.

Month 1-3: Phishing campaigns specifically tailored to your sector. Because the original scam was a job application, the buyer knows you are job-hunting in a specific industry. Expect emails impersonating recruiters, LinkedIn, your existing employer's HR, payroll providers, and anything else that looks contextually relevant.

Month 3-12: Credential-stuffing attempts. Your email address paired with passwords from old breach dumps gets tested against banking, email, cloud storage, and crypto exchanges. If you have re-used any password from a previous breach, accounts get compromised silently.

Year 1+: The address joins the data-broker stitching pipeline (covered in "why scammers already know your personal info"). Every public-record source, warranty registration, and social signup that touches the address gets correlated against it. A profile of you accumulates that includes addresses, family members, employers, financial behaviour patterns. The original $5K loss becomes a permanent fingerprint that follows the address forever.

The address is the pivot. The scam money is just the entry fee.


Why "just don't fall for fake jobs" is not the full answer

You can read all the warning-sign articles. You can be careful. You can still get caught. The current IT job market is a stress test for human pattern recognition - candidates are applying to 80-150 positions each, recruiter scams have gotten extremely sophisticated (real LinkedIn profiles, real company websites cloned, real-sounding interview process), and the pressure to land a role lowers the threshold for "this seems legitimate enough."

Asking everyone to be perfect at fraud detection is asking them to fail. The better strategy is to limit the damage when (not if) a fraud detection failure happens.

The way to limit the damage is the same way every other "I gave my information to the wrong place" failure mode gets contained: use a different email address for every signup. If the fraudulent employer never had your real email, they have a throwaway you can disable, and the cleanup is two minutes instead of two years.


The one signup habit that prevents the whole failure mode

Use a unique email alias for every job application. And not just job applications: every signup that is not your bank, your tax authority, or your closest family.

An alias is a forwarding address that looks like a normal email but routes to your real inbox. The signup site sees m6jxk2fc@alias.example.com. You receive their emails normally. If the alias gets sold, leaked, or attached to a fraud operation, you disable it. The spam stops immediately. None of the other places you use email are affected.

Several services do this. Apple's Hide My Email is built into iCloud and works for free if you have an Apple device. Firefox Relay gives you 5 free aliases on any browser. SimpleLogin is open-source. SecureAlias is the one I built, designed for individuals rather than enterprise teams.

Whichever you pick, the workflow for job applications is:

  1. Open the job listing.
  2. Generate a fresh alias (literally one click in any of these services).
  3. Use the alias on the application form.
  4. Receive any legitimate correspondence at the alias, which forwards to your real inbox.
  5. If the role turns out to be fraudulent, or if the company gets breached six months later, or if you just stop wanting to hear from them - disable the alias. Done.

The cost is one extra click during signup. The benefit is that no single fraudulent application can ever attach your real identity-spanning address to a fraud database.
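
One way to see the containment in practice, as an added example that is not part of the original post or any alias service's code: because each alias was handed to exactly one site, mail arriving at it from any other sender domain shows which application leaked. The registry, domains and messages are constructed, and the sketch assumes the forwarder keeps the original sender in From.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed registry: alias -> domain of the one site it was given to.
ALIASES = {
    "m6jxk2fc@alias.example.com": "acme-careers.example",
    "q9trw4zd@alias.example.com": "globex.example",
}

def _mail(sender, rcpt):
    return f"From: {sender}\nTo: {rcpt}\nSubject: test\n\nbody\n"

# Constructed sample inbox (not real traffic).
SAMPLE_MAIL = [
    _mail("HR <hr@acme-careers.example>", "m6jxk2fc@alias.example.com"),
    _mail("noreply@mail.acme-careers.example", "m6jxk2fc@alias.example.com"),
    _mail("Recruiter <jobs@talent-offers.example>", "m6jxk2fc@alias.example.com"),
    _mail("Payroll <hr@pay-verify.example>", "m6jxk2fc@alias.example.com"),
    _mail("jobs@globex.example", "q9trw4zd@alias.example.com"),
]

def matches(domain, expected):
    """True for the registered domain or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)

def audit(raw_messages, aliases):
    """Map each alias to sender domains it was never given to.

    From is spoofable, so a match is not proof of legitimacy; a mismatch
    is the useful signal that the alias has been shared or sold.
    """
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
        for rcpt in {addr.lower() for _, addr in getaddresses(headers)}:
            expected = aliases.get(rcpt)
            if expected and not matches(domain, expected):
                leaks.setdefault(rcpt, []).append(domain)
    return leaks

def aliases_to_disable(leaks, threshold=2):
    """Aliases that received mail from `threshold`+ distinct unknown domains."""
    return sorted(a for a, doms in leaks.items() if len(set(doms)) >= threshold)

if __name__ == "__main__":
    found = audit(SAMPLE_MAIL, ALIASES)
    print(found, aliases_to_disable(found))
```

With a single shared address the same two unexpected senders would be indistinguishable from any other spam; with one alias per application they point at one listing and one address to switch off.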


What to do if you are already exposed

If you are reading this after the fact - you applied to a fake job with your real email and now you want to contain the damage - here is the playbook in priority order:

1. Lock the financial loss first (Day 1)

Report the fraud to your bank immediately. If you used a credit card, dispute the charge - most cards reverse fraud charges within 7-10 days when reported within 60 days of the transaction. If you wired money or sent cryptocurrency, the chance of recovery is much lower but report it anyway through your country's fraud agency (Scamwatch in Australia, FTC in the US, Action Fraud in the UK).

2. Report the listing to the platform (Day 1)

Indeed, LinkedIn, Seek, and other job platforms have report-this-listing buttons. Use them. The platform takes the listing down and may flag the operation across other listings. This does not help you directly but stops other people from being caught the same way.

3. Audit your other signups using that email (Week 1)

The fraud operation has your address. They will test it against every breach corpus they have. Check the address at haveibeenpwned.com. For every breach the address appears in, change the password on that service. If you have re-used the password anywhere, change it everywhere.

4. Enable 2FA aggressively (Week 1)

Specifically on email, banking, password manager, primary cloud storage, payment processors. This week's PayPal 2FA bypass story shows that enabling is not enough - verify 2FA actually works using the four-minute check on each account.

5. Set up an alias service for everything going forward (Week 2)

You cannot un-expose the existing email. You can stop creating new exposures. From now on, every job application gets its own alias. Every signup that is not your tax authority, bank, or family gets an alias. The old email keeps receiving the inevitable phishing fallout from this incident, but no new exposure adds to it.

6. Watch for sector-targeted phishing for 6-12 months (Ongoing)

Treat any unsolicited email related to job-hunting, your sector, or your existing employer as suspect for the next 6-12 months. Especially watch for: fake recruiter follow-ups, fake "we received your application" emails from companies you did not apply to, fake "action required on your account" emails from job platforms.


What to do if you have not been hit yet

If you are mid-job-search and want to prevent the failure mode upstream, three habits:

1. Generate a fresh alias for each application before you click submit. One alias = one job application = isolated blast radius. Most alias services let you generate them in two clicks from a browser extension.

2. Verify the recruiter and company through a separate channel. If a recruiter messages you on LinkedIn about a role, do not respond on LinkedIn. Search the company name independently, find the company's careers page directly, and apply there. If the role is not listed on the company's own page, that is a strong red flag.

3. Never pay anything to a prospective employer. Real employers do not ask candidates to purchase equipment, training, certifications, or anything else up-front. They reimburse you for legitimate costs after you start. Any "purchase first, reimburse later" structure is the fingerprint of this exact scam class.


The mental shift

Most people use one email address for everything. It feels simpler. It is also the single biggest preventable source of long-term identity exposure in 2026.

The shift is to treat your real email like a passport - shown only to institutions where the relationship is permanent and high-trust (your bank, your tax authority, your inner circle). Everyone else gets an alias, because everyone else is either going to be breached, get acquired, or turn out to be fraudulent over a long enough timeline.

If you only do one thing differently after reading this, set up an alias service today and use it for the next signup you make. Not tomorrow's. The next one. The change happens at the margin, and the margin is the next time you click "Apply" on a job listing.


FAQ

Can the scammer actually do anything with just my email address?

Yes. The email address alone is enough to (1) sell to other fraud operations as a verified-active contact, (2) test against every breach corpus to find re-used passwords, (3) target with sector-specific phishing because they know what role you applied for, (4) feed into data-broker stitching to build a full identity profile over time. The financial loss is the visible damage; the address exposure is the ongoing damage.

What's the difference between an email alias and a temporary email service?

A temporary email (10-Minute Mail, Guerrilla Mail, etc.) is a throwaway inbox that exists for one signup. An alias is a permanent forwarding address that you control - emails sent to the alias arrive in your real inbox, and you can disable the alias whenever you want. For job applications, you want an alias rather than a temporary email because the recruiter will send follow-ups over weeks; a temporary email expires before the legitimate communication finishes.

Are aliases hard to manage if I have a hundred of them?

No. Modern alias services have a single dashboard listing every alias, what site you registered it for, and how much spam each is receiving. Disabling an alias is one click. Most services also have browser extensions that auto-generate an alias when you fill out a signup form. The management overhead is lower than maintaining the same email everywhere and dealing with the spam that follows.

What about my existing accounts that already use my real email?

Leave them. Migrating existing accounts to aliases is a long, error-prone project (forgotten signups, multi-account auth recovery issues, missed notifications). The high-leverage move is using aliases for new signups from this point forward. Over years, the proportion of your signups using aliases grows, and the exposure surface of your real email shrinks.

How does this work with Apple Hide My Email vs SecureAlias vs SimpleLogin?

Apple Hide My Email: free if you have any Apple device, integrated into Safari and the OS, works only with Apple's own forwarding. Firefox Relay: 5 free aliases, paid tier for unlimited. SimpleLogin: open-source, $30/year for unlimited. SecureAlias: free tier with limited aliases, paid tier with custom domains and unlimited aliases, designed for individuals (not enterprise). Pick based on which one you will actually use - the best alias service is the one you do not have to think about.

What if a job platform only allows my real email?

Some platforms (LinkedIn, Indeed, Seek) require a real email for the account itself. That is fine - your platform-account email is a higher-trust relationship and an alias for it is unnecessary. The risk is the applications you submit through the platform, which often forward to the listing employer. If the platform allows you to set a different "contact email" for applications, set an alias there. If not, the platform-level account remains your real email, and the alias hygiene still applies for direct-to-company applications outside the platform.

Is this overkill for someone who is not in IT?

No. The scam patterns described here target every sector. Hospitality, healthcare, construction, retail - every industry has its own version of the fake-employer-on-Indeed scam. The alias discipline is the same whether you are applying for security engineer roles or warehouse manager roles. The technology is identical; the sector-specific phishing that follows is what changes.


If this was useful, the Secure In Seconds newsletter covers one specific story like this every Thursday. Practical, calm, no fear-mongering. Just the thing to do this week.

And if you want to start cutting off the email exposure today, SecureAlias is the simple version of what is described above. Free tier, no credit card, generate your first alias in 30 seconds.

Stay safe out there.
