Fake job offers published on portals such as Infojobs or Indeed are being used by cybercriminals to capture personal data from people looking for work in Spain. The scammers impersonate companies like Lidl and request sensitive documentation by email, including a photograph of the identity document from both sides.
The scam affects people actively seeking employment, but also those who have just arrived in the country and are unaware of the usual selection processes. Juan, a pseudonym for one of the victims, recounted that he handed over his documentation when he had been in Spain for barely a month and needed to work.
In his case, suspicion arose later. He noticed that the email domain did not match the company's official ones, @lidl.es or @lidlplus.es, and ended up reporting it to the Guardia Civil.
"The most valuable thing you have is your identity, but they took advantage of the fact that I had been in Spain for a short time and needed a job" - Juan, victim
The emails requested the DNI from both sides and used Gmail accounts
The method was direct. Cybercriminals would contact victims by email, present themselves as human resources personnel, and request a photograph of the identity document from both sides to continue with a supposed selection process.
Lorena, another affected person, received five emails since April 2026 from supposed Lidl human resources managers. They offered her vacancies as a sales assistant, auxiliary, or sales representative and asked her to send her resume to an address with the @gmail.com domain.
Lidl Spain warned of the impersonation in a statement disseminated on LinkedIn and asked candidates to check the official logo, the full profile description, and to consult vacancies only on their official employment portal.
This pattern coincides with cases of phishing and impersonation in which the sender appears to belong to a recognized company to obtain personal information or open the door to subsequent fraud.
A second offer promised 3,000 euros per month for remote work with cryptocurrencies
After reporting the incident, Juan was contacted again through Indeed by a supposed company called AxiorWorld. The proposal offered 3,000 euros per month for total remote work and did not require prior experience to assist in the purchase of cryptocurrencies.
The National Cybersecurity Institute warns that this type of claim repeats a very specific combination of risk signals. High salary, work from home, and a link to a website are among the most common lures.
"If you receive an email with the combination high salary + work from home + link to a website, be suspicious" - National Cybersecurity Institute, INCIBE
The recruitment of victims does not end with the initial surrender of the DNI. It can also lead to subsequent uses of that identity in remote procedures, including financial operations or hiring carried out without the affected party's knowledge, as has already happened in digital identity frauds.
Asufin warns that the victim may appear as investigated until the fraud is clarified
The Association of Financial Users points out that impersonation with the DNI continues to occur frequently in telematic hiring, despite the existence of authentication protocols. The problem is not just the loss of personal data.
Asufin indicates that the affected person may appear as investigated in criminal proceedings until it is proven that they had no responsibility in the events. Therefore, it recommends acting quickly as soon as the deception is detected.
Juan summarized the mistake he made when responding to the first message. He had only been in Spain for a month when he sent his documentation and did not check if it was common for a company to request these documents at that stage of the process.
"I had only been here for a month and I wanted a job, in my country personal documents are not requested, but I didn't check how it was done in Spain" - Juan, victim
Among the protection measures are reporting to the authorities, requesting a new identity document, and consulting the Bank of Spain's Information Center on Risks to check if anyone has applied for credits or loans using the victim's data.