Empty Promises in MENA: How Online Quick Cash Schemes Exploit the Gig Economy

Introduction

Here’s the scenario: You’re doomscrolling social media – as we all do these days – and you come across an ad from a well-known reputable brand looking for part-timers for easy online jobs; take part in some surveys, rate some products, like some posts. Simple stuff. The pay is enticing, the “testimonials” are convincing and the logos look legit. You think to yourself, “there’s no harm starting a chat, you’re safe in your home and the gig economy is the new norm anyway”.

You’re wrong.

The boom for “online jobs” didn’t start out of necessity – it started with COVID. When remote work suddenly became the default, the entire job market flipped overnight. According to this Rcademy report, there was a huge surge in remote work adoption in the Middle East post-COVID, with more than 60% of workers preferring full-time remote work. And with that shift came an obvious side effect: scammers jumped on the new opportunities presented by the trend.

Today, Facebook, Instagram, TikTok, and even Telegram are full of professionally designed ads promising “quick income from your phone.” The messaging is always the same: easy work, fast money, no experience needed. But behind this polished façade sits a very structured, organized scam operation focused on one thing – collecting personal data and money.

Key Findings:

• An organized web of “easy income online job” scams run by highly coordinated groups of scammers across social media and private messaging platforms are observed by Group-IB researchers in the MENA region.
• The fake job ads often impersonate well-known companies, banks and authorities to gain trust of victims.
• The scam is designed to be intentionally broad in order to reach the widest victim range across all age groups and backgrounds.
• Most ads are directed at MENA countries such as Egypt, Gulf States’ members, Algeria, Tunisia, Morocco, Iraq, and Jordan, using local dialects, currencies, and familiar language to look authentic.
• Social media platforms are used to run large-scale ads at low cost. Once victims engage, the conversation moves to private messaging channels where the actual financial fraud and data theft take place.

Group-IB Threat Intelligence Portal

Group-IB customers can access our Threat Intelligence portal for more information about the tactics and techniques used by scammers in online job scams.

Main geographies and industries targeted

These scams are neither random nor generic, they are carefully curated and designed for their intended target victim groups. Group-IB analysis of this campaign shows that the majority of these fraudulent job ads are focused on the MENA region, with E-commerce and retail brands being the most impersonated.

Figure 1. Main targeted geographies for online jobs scam in MENA.

Figure 2. E-commerce platforms are by far the most spoofed.

The Promise of Easy Money

1. The Hook: Online jobs with low effort but high income potential

Scammers promote fake ads on social media platforms like Facebook, Instagram, and TikTok with claims of earning 10 to 170 dollars for completing simple tasks. The message is always the same: quick income with minimal effort. To appear legitimate, they often misuse the names of ministries or well-known online marketplaces.

2. The Target: Everyone

The targeting is intentionally broad, from teenagers to older adults; the offer is designed to attract anyone. The “jobs” do not require any experience, are easy to execute and can be done remotely with just a smartphone. Group-IB researchers have observed these ads spread across multiple countries and often use localized logos, currencies, or ministry names to make the scheme look relevant to each region. This wide targeting makes it easy for scammers to reach thousands of potential victims with minimal effort.

3. The Campaign: How is this scheme different from other frauds?

Unlike smaller one-off scams, these campaigns are usually run by organized groups that operate in a coordinated, structured way. They manage large numbers of ads, localize content for different markets, and use consistent messaging to scale quickly. This level of organization makes the scam more systematic and harder to trace than typical individual fraud attempts.

Figure 3. Flowchart of the fake online job scam observed in the MENA region.

Social media: The attacker’s playground of choice

Social platforms are the perfect hunting ground for scammers. With little cost, they can create professional-looking ads, run them at scale, and micro-target vulnerable demographics.

To appear legitimate, scammers impersonate established companies, well-known brands, and even government ministries. By hijacking the reputation of trusted entities, they make their offers look like official recruitment drives. This impersonation is not just a marketing trick – it’s a calculated move to bypass skepticism and exploit trust in recognized institutions.

Ads are often professionally designed with polished branding, fake company logos, and fabricated testimonials. Social media platforms are used to circulate “success stories” through short videos or screenshots of fake earnings.

Once interest is generated, victims are funneled into direct contact with the scammer – usually via messaging apps – where the real data theft begins.

Examples of Fake Job Ads

The collected ads from this research follow a predictable pattern. They often claim to offer benefits such as:

• “Working from home with no experience required”
• “Daily income that could easily earn $100+ using your phone”
• “Flexible hours and instant approval”
• “Performing simple tasks like liking posts, data entry, or surveys”

Ads are often localized with Arabic language, local currency, and culturally tailored messages. For example, in Egypt, posts emphasize earnings in EGP, while in Gulf countries they highlight GCC countries currency. The use of local dialects makes the scams feel even more convincing.

Once a user clicks, the ad usually redirects them to a WhatsApp or Telegram group, or to a fake website posing as a recruitment portal. From there, the “recruiter” asks for personal details such as:

• Where did you get this ad and screenshot from the ad.
• Bank account numbers or mobile wallet details
• Phone numbers and emails

The scammers often justify these requests by calling them “job applications” or “onboarding procedures.” In reality, they’re building a database of exploitable identities for fraud, phishing, or financial theft. As discovered on this scheme, for each country there is a telegram channel and the responsible person who is responsible for validating the process and adding people.

Detailed Breakdown of the Scheme

1. The victim will find an ad on social media for an online job with the title “really good daily income”. Jobs target anyone seeking to increase their income, as the advertisements promise earnings above each country’s average salary. The offered amounts are consistently higher than local salary ranges, making them more attractive to potential victims. The advertisements also claim that each task only takes 5-10 minutes to complete, and can be done at one’s own pace.

Figure 5. Cybercriminals take out ads across social media channels for the widest reach.

2. The ad will forward to a fake website operated by the scammers with social engineering cues such as false testimonials or limited positions for the jobs. Victims are directed to contact the scammers via WhatsApp to begin work. Once contact is made, the “recruiter” will request personal information including full name, mobile phone number, and banking credentials as part of the recruitment process.

3. At this stage, the scammer probes the victim’s interest to determine whether they are a suitable target and ready to join the “company.” They validate selected information, clarify the nature of the work, and describe the “job,” promising high income for very simple tasks. To lower suspicion and create a casual tone, they may ask general questions, such as how the victim found the ad.

4. The scammer will then redirect victims to register at another fake website that is supposed to be the actual work portal with the personalized jobs and tasks for the individual.

5. After registration on the website and confirming this information, the “recruiter” will direct victims to a second scammer, the “manager”, but on Telegram instead to start the scamming work process. As the recruiter’s role is limited to validating new victims, their involvement ends at this stage.

6. After joining Telegram, the scammer will provide victims with specific Telegram channels in order to participate in the available jobs. The Telegram scammer is the one responsible for managing the victim’s work and collecting their money.

7. The scammer pitches the job as simple marketing work for a big-name brand. However, victims must first deposit money into the trading accounts they previously set up on the fake portal in order to start each job. Victims perform small tasks and get a cut on each one – about 10–20%. It’s sold as quick, easy money, with great returns on the original investment.

8. The scammers will actually send a small payout for the initial task to build trust. They will then push victims to deposit larger amounts to take on bigger tasks that promise even greater returns. When victims do make a big deposit, the payout stops, the channels and accounts disappear and the victim finds themselves blocked, making communication and tracking almost impossible.

Conclusion

The rise of fake online job ads across social media platforms shows how organized and fast-growing this scheme has become. Group-IB researchers have identified more than 1,500 ads targeting MENA countries in 2025, but the full scale is likely much larger. These ads share clear patterns in language, visuals, and promises, often using the same set of attractive keywords such as “daily income,” “easy tasks,” and “work from phone.” They appear on Facebook, Instagram, TikTok, and Telegram, where scammers take advantage of the ability to target users based on region and language.

Throughout this investigation, multiple phishing websites linked to the scam were found, each following the same structure: a fake login page, copied branding, and a workflow that pushes victims to WhatsApp or Telegram. These repeated elements help form a set of indicators that can be used to track and detect similar sites in the future.

Brand impersonation also follows a clear pattern. Scammers repeatedly use the logos of well-known local and global companies, especially banks, online marketplaces, ministries, and service brands. The research clearly shows how scammers rely on trusted institutions to make their fake offers believable.

The scammers themselves also show recognizable behavior. Their WhatsApp and Telegram accounts follow similar naming styles, reuse profile photos, and rely on identical scripts when speaking with victims – from their first “validation” questions to the push toward fake tasks and deposits. These repeated identifiers, including phone numbers, usernames, profile pictures, and admin IDs, can help expand attribution and map connections between different scam groups.

Fake online job ads are more than just an annoyance — they are a sophisticated fraud campaign targeting vulnerable people across multiple countries. They exploit trust, financial need, and the open advertising environment of social media to harvest both personal data and money.

Overall, this scam is not a set of isolated ads. It is a coordinated, multi-step operation with shared infrastructure, repeated phishing methods, and consistent behavioral patterns. By combining ad keywords, platform distribution, brand impersonation, website indicators, and scammer profiles, defenders can better track, block, and dismantle this activity across regions.

Recommendations

For individuals:

• Avoid sharing sensitive documents with unsolicited and unverified recruiters. No legitimate company or ministry will ask for ID documents, bank details, or deposits before even offering an interview.
• Always question unrealistic offers of quick, high income with little or no effort.
• Verify the company’s existence through official websites or any job offers through reputable job posting portals such as LinkedIn.
• Report suspicious ads directly to the social media platform.

For businesses and platforms:

• Strengthen ad verification processes, especially for “job” categories.
• Monitor for impersonation of company branding or ministries.
• Launch awareness campaigns in multiple languages to warn vulnerable groups.

Use a solution such as Group-IB’s Digital Risk Protection service to help monitor any illegal use of your corporate trademarks, logos, content, and design language across the digital landscape.

Group-IB Fraud Matrix