From Dream Job to Nightmare: The Recruitment Scam That Went Too Far

Intro

Late September 2025 became one of those moments when I had an unexpectedly interesting experience. It all started with a small LinkedIn notification one afternoon. Someone with the initials AP reached out to me and asked if I really knew how to self-host a Signal server, especially since Signal Messenger’s own documentation on this is quite limited.

I confidently said YES, because I had already written about this topic on my blog (here).

A spark of excitement hit me. This felt like a chance to work with Signal Messenger on a larger scale and see it implemented more broadly.

In Short: The Technical Side of Signal Server

As I explained in my blog article, deploying a Signal Server is very challenging. The documentation is limited, the architecture is highly complex, and it relies on many supporting services.

Signal also uses several premium services from cloud providers. For example, BigTable, which I can’t realistically purchase just for a small-scale setup. Their design is clearly optimized for large-scale deployments, which is why many of their components depend on highly scalable services.

Recruitment Contact

I confidently answered every question from the client in our LinkedIn chat. They became interested in implementing the solution and decided to recruit me. Not just on a contract basis, since they noticed I was open to work, they offered me a full-time remote position for an initial duration of one year, with the possibility of extension.

That was quite appealing. A fully remote job, offered right away as a full-time role. They also suggested continuing the conversation over a WhatsApp voice call. I hesitated for a moment and did a quick background check on their profile, company, and track record. Everything looked “real” and legitimate. The profile was verified, and the person was listed as a Co-Founder and CTO of an Indian company.

Over the next two days, I had several WhatsApp conversations with another person, let’s call them MK, who seemed to be part of HR or perhaps an IT team lead. I also had a voice call with MK to discuss my experience and how I handle Signal Server deployments. Up to this point, nothing felt suspicious. Their technical questions were relevant and reasonable.

After that, MK scheduled an interview for me with their Senior Software Engineer based in the United States. They mentioned that the company in India was a branch of their US headquarters.

Red Flags Start to Appear

Nothing seemed strange… until I received a WhatsApp message that said,

Look in your inbox and you will find an email. Reply to it.

I checked my inbox. Nothing. I checked All Mail. Still nothing. Then I opened the Spam folder and there it was.

The email looked like this:

Hi Iriyanto

How are you?

Our reference is from our India company, Which you discussed on the LinkedIn.

so you have to send us your latest CV,

The following points are essential in which your actual full name,, as well as gender, date of birth, full address, contact number, email ID, passort number, as well as the name of the university and the name of the college where you passed graduation and what percentage you passed, and the name of the company in which you have worked in the last three years and the main role in which project you have done the details. Which countries in the world have you visited, which country's visa is in your passport? And whether you have applied to any company in USA or India before, If yes, when did you do it and then why did you not accept the application?

Suspicious? Definitely. They hadn’t even sent me an official offer letter, yet they were already asking for highly sensitive personal data, like passport number, travel history, and visa information.

This felt wrong, so I checked the email domain: tibco-hr-uk@tibco.online. Wait… .online domain? That was odd. I checked the official site tibco.com, it exists, has a verified LinkedIn page, and is a legitimate company with more than 25 years of history. Would a company of that scale really use a .online domain, and from the UK no less, not the US?

I cross-checked the LinkedIn profile of the so-called Senior Software Engineer from the “US branch.” Something didn’t add up. The real TIBCO page was verified, but this one claimed to be TIBCO Software (SA) Pty Limited and was unverified, yet somehow had many followers. Could LinkedIn followers be bought? Possibly.

At this point, my gut told me this was a scam, a clever one, but a scam nonetheless.

Escalation and Manipulation

Of course, I refused to provide such sensitive personal data, especially since I hadn’t even received an official offer letter yet. I politely replied, explaining that I would only share sensitive information once a formal offer was sent and onboarding had begun.

They kept trying to convince me, not through an official tibco.com email address, but by insisting that their Indian company was legitimate. They even sent me what looked like official company documents, including their CIN registration. But at this point, I was already too suspicious. I repeated my stance: I would not share sensitive information unless it came through official tibco.com channels and after receiving an offer letter.

And what did I get in return? Their tone on WhatsApp and email became completely unprofessional, behavior you would never expect from a large, established company.

They began demanding that I verify my LinkedIn account, claiming they rarely make offers to unverified users. Then came the accusations:

When is a LinkedIn CV valid? When you are verified on LinkedIn, then a LinkedIn CV is considered valid.

We suspect that you may be involved in some criminal activity in your country, which is why you are not disclosing your name.

Yap… They actually accused me of being a criminal. My real name, nationality, and phone number (+62) were all clearly listed on LinkedIn, and they already had my email and WhatsApp contact.

The messages escalated further:

you are trying to cheat LinkedIn companies by creating a fake profile on LinkedIn, creating a fake CV, and doing criminal activities on LinkedIn, we have to write it in the LinkedIn report, wait for a while and you will get your result.

We are now feeling that you are not getting a job even in your own country, so you are doing this online because your nature is criminal and arrogant.

And then came the most extreme message:

Hello cheater Iriyanto

Tell me your real name and real country? You seem to be the biggest cheater and fraud of the country, or you are a terrorist of your country because you are hiding your identity and lying to everyone.

dont worry We are taking action with you in your own country.

Yes. They actually called me a terrorist.

The escalation was absurd. In just a few days, I went from being a potential hire to being labeled a criminal and a terrorist, all because I refused to hand over my sensitive personal data.

What I Learned

• Never share sensitive personal data before receiving an official offer letter.

• Always verify the company’s email domain.

• Legitimate companies will never threaten or intimidate candidates.

• Watch for red flags early. Trust your instincts and investigate before moving forward.

Practical Tips for Other Developers

• Verify the company: check their email domain, cross-check on MCA (if it’s an Indian company), look them up on stock exchanges, and confirm through their official website.

• Use safe platforms for communication, such as LinkedIn, Upwork, or reputable job boards.

• Don’t be afraid to say “no” to unreasonable requests.

• Keep all evidence and report suspicious activity as phishing or scam.

Closing

Looking back, I felt disappointed. I was excited at first, but relieved that I got out without becoming a victim.

My message: stay cautious. Even the most convincing job offer can turn out to be a scam.

I encourage you to stay alert and share experiences like this so other developers don’t fall into the same trap.