___  ___    _ _    _  _ _____   _____
 / __|/ _ \  | | |  | || |_ _\ \ / / __|
| (_ | (_) | |_  _| | __ || | \ V /| _|
 \___|\___/    |_|  |_||_|___| \_/ |___|

 --- A GOPHER-LIKE INTERFACE FOR HIVE BLOCKCHAIN ---

Analysis of a Scam

BY: @josephsavage | CREATED: Jan. 16, 2026, 6:20 p.m. | VOTES: 76 | PAYOUT: $5.04 | [ VOTE ]

I recently received the following:

[IMAGE: https://files.peakd.com/file/peakd-hive/josephsavage/23tSyz4DkRQGMU7mA23phxWEqgLrbjdhjAysgtKCL7jb4SKNFniCZ6qFK3imHsuFYhTf6.png]

Seems innocuous, right? Let's get that paper!

But there are several red flags already. The sending email is @ shiftilt.com, but the job is at Gautier Steel? A quick search shows Gautier Steel's process is to submit applications to Heather Carns at an HR email. It also mentions paper applications, which strongly implies they don't support remote listings.

The spelling of the sender's name does not match between their email profile and their signature in the email. Finally, a quick search of my email history shows the original job application was submitted several months ago. (The lag here is deliberate... they want you to have forgotten your application, or to be more desperate, by the time they schedule an interview.)

But let's play along for a bit and give some availability.

[IMAGE: https://files.peakd.com/file/peakd-hive/josephsavage/23u6YQciGY6qS5y2kVT1PtworxCS2XcpuM3GXnqycXwLuB3wbrZrj2HaYUU31cLcruUvT.png]

The next red flag jumps right out. My name is not "Tony". The second red flag in this email is a coincidence, but still amusing. Monday, January 19 is a federal holiday in the US. No US-based hiring manager would casually schedule on a holiday without confirming that it's still okay. Realistically, no hiring manager would be working on a holiday. Even if the steel mill runs 24/7/365 the main office and supportive functions would be closed on a federal holiday.

The biggest red flag you can't see at a glance, you have to hover your mouse over the email link.

[IMAGE: https://files.peakd.com/file/peakd-hive/josephsavage/242Naev326yBCXEUJnoLWLwDURLA1VkbpZk7sB6wnZtGoxdW1AhpQtShX3QSViw5sZybr.png]

This is where they get you. And they try to funnel you into it right away with their "Feel free to test the link ahead of time."

From here I know it's a scam, but I'm curious about their process and knowledge level, so I send one last follow-up. Thank you, looking forward to it. Can you please confirm the timezone for that interview?

[IMAGE: https://files.peakd.com/file/peakd-hive/josephsavage/242DfKyto8CknnUi2uei4vG5WJo9mqegf5GXQ9QYJPBT5DZMaKtvy57zNn8VRtmrhJTdZ.png]

They think they're in the clear, and have me on the hook, but their response actually surfaces more damning evidence. Right after their response where their email threads in what they are responding too, it surfaces the real time zone. My email was sent to them at 12:27 PM EST, but their email is configured 7 time zones east of that, possible somewhere in Eastern Europe or Africa.

Did you count the red flags? If you get to three and still think it might be real, always confirm with the actual company in question.

Still don't believe me? Let's ask Heather!

[IMAGE: https://files.peakd.com/file/peakd-hive/josephsavage/23t8DBnQEwucZMyMJJXQFFrGPmG5F9eTwa2gUT1k1g4VgNGfbwzzYgfaaTBWMkXVW9koi.png]

Be safe, y'all!

TAGS: [ #economy ] [ #phishing ] [ #scams ]

Replies

@denmarkguy | Jan. 16, 2026, 6:51 p.m. | Votes: 2 | [ VOTE ]

It just gets sneakier and sneakier. Sometimes I almost miss the days when all we had to face were Nigerian princes wanting to send us $35 million...

Almost...

@josephsavage | Jan. 16, 2026, 6:59 p.m. | Votes: 0 | [ VOTE ]

Sneaky but also not...

I have seen some pretty good analysis that all the red flags are intentional... if you are willing to look past them and believe it might still be real, you are more likely to fall for the bigger spiel down the road, and it saves the scammer from spending extra time on somebody that would not be gullible enough.

@denmarkguy | Jan. 16, 2026, 7:15 p.m. | Votes: 1 | [ VOTE ]

The ones we're getting around here are "alert" texts from the fraud department of our banks, with the genuine number spoofed as the sender. Looks JUST like the real thing. Then some verbiage about "please confirm Y/N whether you've used your debit card in the last XX hours/days."

Still pretty much how the real thing works.

Then comes the trap: "please enter your PIN to confirm"

HELLs to the no!

In the real deal, it would say "please call our fraud line at the number listed on the back of your card."

@mastergerund | Jan. 16, 2026, 7:20 p.m. | Votes: 0 | [ VOTE ]

I always get those pretending to be Coinbase or Google.

Do not even respond Y/N on these, it's always the hook for whatever comes next. Just block and move on.

Last week I had more than a dozen attempts to access my Microsoft using Authenticator login. I ended up disabling that as an option completely.

These tech companies want us to move on to 'passwordless' login, but then they don't have adequate protection tools on their end. If I say no twice, they should flag the IP, check for patterns attempting access across the rest of their userbase, and work with VPS providers and local law enforcement to block abusive users. If they're not doing that, why am I trusting them with 'passwordless' logins?

[ BACK TO TRENDING ] [ BACK TO MENU ]
CMD>