Lusa Verifica Cracks Open a 2,000-Plus Fake-Page Recruitment Network Through a Counterfeit Cabo Verde CNE Site — Seventy-Five Phantom Hiring Portals Across Twenty-Six Countries Frame the Cluster

The fact-checking unit of Portugal's national wire service published the most consequential cybercrime forensic of the week on Saturday 23 May 2026 at 17:00 Lisbon time. Lusa Verifica's investigators traced a single counterfeit recruitment page impersonating the Comissão Nacional de Eleições de Cabo Verde outward across the open web and surfaced an international network of more than 2,000 fraudulent pages — including 74 additional phantom recruitment portals impersonating public institutions across 26 countries. The cluster sits inside the same template, the same hosting architecture and the same on-page solicitation flow, which is what allowed the unit to pivot from one verification request into a continental mapping exercise.

The Trigger and the Method

The investigation began with a reader-submitted verification request flagging a recruitment page that purported to be hiring on behalf of the Cabo Verdean electoral authority. The CNE in question is the Cabo Verde Comissão Nacional de Eleições — not the Portuguese homonym — but the page's distribution profile inside Portuguese-language WhatsApp and Telegram channels brought it under Lusa Verifica's jurisdiction. Once flagged, the unit ran the page's hosting fingerprints, on-page solicitation copy and lookalike-domain pattern against the broader open web and identified 75 recruitment-themed pages sharing the same operational signature. Those 75 fakes — fronting electoral commissions, ministries and other state hiring desks — span 26 jurisdictions and sit inside the wider 2,000-page tier the unit is still cataloguing.

The Solicitation Loop

The recurring mechanic across the cluster is a fake job application that escalates into a payment ask. The victim lands on what looks like an official recruitment page — government logos, plausible job titles, regional offices — and submits a CV plus identity documents. The follow-up sequence routes through messaging apps and asks for an upfront payment of a registration, training or processing fee, with the payment rail typically running through informal money-transfer networks rather than card processors that would trigger fraud-screening. The personal-data harvested in the application step is the secondary monetisation lever — names, document numbers, photographs and contact channels suitable for downstream phishing or identity-theft resale.

Why Portugal Sits Inside the Threat Surface

Even though the trigger page targets a Lusophone-African institution, the Portuguese threat-surface read is direct. Lusa Verifica's distribution footprint covers CPLP-language communities inside Portugal — Brazilian, Cabo Verdean, Angolan, Mozambican, São Toméan, Guinean and Timorese — for whom a fake "home-country recruitment" page is exactly the kind of social-engineering hook that bypasses the standard "unsolicited foreign-language email" red flag. The same cluster has the template inventory to swap the impersonation target into a Portuguese institution — AIMA, IEFP, the Portuguese CNE, the IRN — without re-engineering the underlying solicitation rails. The mid-2024 to mid-2026 wave of AIMA-themed phishing documented by the Centro Nacional de Cibersegurança (CNCS) follows the same template logic, which is what gives the Lusa Verifica mapping operational rather than purely informational value.

What This Means for Expats and Residents

• Government-recruitment red flags: No legitimate Portuguese or PALOP public-sector recruitment process requires upfront registration, training or processing fees — paywalled application is the single most reliable scam tell.
• Verify through the institutional domain: Cross-check any recruitment page against the official .gov.pt or equivalent country-domain — lookalike domains using hyphenated or extended TLDs (.org, .careers, .jobs) are the dominant infrastructure in the catalogued cluster.
• Treat WhatsApp/Telegram referrals as suspect: The cluster's distribution surface is messaging-app forwards inside diaspora groups — official recruitment never opens with a personal-channel ping.
• Document-photo leakage matters: A CV plus a passport scan submitted to one of these pages enters a resale pipeline that surfaces in identity-fraud attempts six to eighteen months later — file a CNCS or Polícia Judiciária Cybercrime Unit report if you suspect exposure.
• The Lusa Verifica unit is the durable Portuguese-language reference point: Bookmark the unit for verification rather than relying on social-media fact-check tags, which decay quickly inside diaspora distribution flows.

The next-step question for Portuguese authorities is whether the CNCS, the Polícia Judiciária's cybercrime unit or the Centro Europeu de Cibercrime (EC3) at Europol formally adopt the Lusa Verifica catalogue as the seed for a take-down request — that escalation has not been announced in the 22-23 May window, and the 2,000-page tier remains operational at the time of publication.