
The Attachment Trap: Why Sending Candidate PDFs Is Riskier Than Sharing a Link
April 14, 2026

In March 2018, the US Department of Justice indicted nine Iranian nationals affiliated with the Mabna Institute for one of the largest state-sponsored cyber-theft campaigns ever prosecuted. Over more than four years, they compromised around 144 US universities, 176 foreign universities across 21 countries, and dozens of government agencies and private companies. They made off with research worth an estimated $3.4 billion.
Their weapon of choice? A spearphishing email with an attachment.
The hackers studied their targets' published research, impersonated colleagues, and sent carefully crafted messages with a single attached file. One click, one download, one compromised password — and years of academic work walked out the door. No zero-day exploits. No sophisticated malware. Just an attachment that looked harmless.
This story should make every recruiter pause. Because right now, the standard way to share a candidate with a hiring manager is to attach a Word doc or PDF to an email.
The Objection That Keeps Coming Up
When we talk to recruiters about moving away from attachments to shareable candidate profiles, the pushback is almost always the same: "But won't a link in an email look phishy? Won't the hiring manager's security tools block it?"
It's a fair question — and in 2025 and 2026, it's also largely backwards.
Yes, some enterprise email filters like Proofpoint and Mimecast rewrite or sandbox external links. Yes, a hiring manager at a large bank might hesitate if they don't recognise a domain. And yes, a handful of regulated sectors — finance, defence, government — do have policies about unsolicited external links.
But compare that to the reality of attachments, and the concern falls apart fast.
Why Attachments Are the Actual Attack Vector
Word documents and PDFs are the number one malware delivery vector on the internet. Macro-enabled Office documents have been behind some of the largest ransomware outbreaks of the last decade. Modern email scanners now flag attachments more aggressively than they flag links — because the data says attachments are where the danger lives.
A link to a well-structured HTTPS page on a known domain is trivially verifiable. A .docx is not. One is a reference to a controlled, updatable resource; the other is an executable package of unknown provenance that gets copied, forwarded, and downloaded with zero visibility into where it ends up.
If a hiring manager's IT team is genuinely worried about security, they should be more worried about the recruiter's attachment than the recruiter's link.
Control, Auditability, and Compliance
Here's the part most recruiters haven't thought through: once you attach a candidate's CV to an email, that person's personal information is out of your hands forever.
You can't un-send it. You can't update it if the details change. You have no idea who the hiring manager forwarded it to, whether it's been printed, downloaded to a personal laptop, or is sitting in someone's Downloads folder six months after the role was filled.
A link flips that entirely. You can see when it was opened, how long someone spent with it, and whether it was shared. You can revoke access. You can update the profile in place. No copies of personal data floating through inboxes you'll never audit.
For agencies working with GDPR, the Australian Privacy Act, or any of the growing patchwork of data protection regimes, this isn't a nice-to-have. It's the difference between being able to honour a right-to-erasure request and having to send awkward emails to every hiring manager who might still have a PDF somewhere.
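The controlled link this section describes, modelled as an added example (not the page's or any vendor's code): the URL carries only a random capability token that is resolved server-side, so every open is logged with who opened it, the profile is updated in place, and the link can expire, be revoked, or be closed by an erasure request. The domain, service name and candidate data are placeholders.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2026, 4, 14, tzinfo=timezone.utc)

def days_after(n):
    return NOW + timedelta(days=n)

class ProfileShareService:
    BASE_URL = "https://profiles.example.invalid/p/"   # placeholder domain
    def __init__(self):
        self.profiles = {}    # profile_id -> current fields (+ version counter)
        self.links = {}       # token -> link metadata, resolved server-side
        self.access_log = []  # one entry per successful open

    def set_profile(self, profile_id, **fields):
        p = self.profiles.setdefault(profile_id, {"version": 0})
        p.update(fields)
        p["version"] += 1     # readers always see the latest version

    def create_link(self, profile_id, recipient, ttl_days=14):
        token = secrets.token_urlsafe(16)   # 128 random bits: not guessable
        self.links[token] = {"profile_id": profile_id, "recipient": recipient,
                             "expires": days_after(ttl_days), "revoked": False}
        return self.BASE_URL + token

    def open_link(self, url, viewer, when=NOW):
        # None means denied: unknown token, revoked, expired, or data erased.
        link = self.links.get(url.rsplit("/", 1)[-1])
        if link is None or link["revoked"] or when > link["expires"]:
            return None
        profile = self.profiles.get(link["profile_id"])
        if profile is None:
            return None
        self.access_log.append({"url": url, "viewer": viewer, "when": when,
                                "forwarded": viewer != link["recipient"],
                                "version": profile["version"]})
        return dict(profile)

    def revoke(self, url):
        self.links[url.rsplit("/", 1)[-1]]["revoked"] = True

    def erase_candidate(self, profile_id):
        # Right-to-erasure: revoke every outstanding link, then delete the data.
        tokens = [t for t, l in self.links.items() if l["profile_id"] == profile_id]
        for t in tokens:
            self.links[t]["revoked"] = True
        self.profiles.pop(profile_id, None)
        return len(tokens)
```

Contrast this with an attachment: once the PDF leaves the sender's outbox there is no equivalent of `access_log`, `revoke` or `erase_candidate` to call.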
The Reframe: This Isn't Less Secure, It's More Controlled
The best way to handle the "links look phishy" objection is to stop conceding the premise. Sharing a candidate profile by link isn't a lesser version of sending an attachment — it's the grown-up version.
A few talking points that land with hiring managers:
No loose files. When you attach a PDF, that candidate's personal information lives in someone's inbox forever. With a shared profile, you stay in control of the data and so does the candidate.
Enterprise-grade, not a cold email. The link goes to a verified HTTPS profile on a known domain — the same way DocuSign, LinkedIn, Calendly, and every modern SaaS tool works. Hiring managers click links from trusted tools every single day.
You actually know who looked at it. Attach a Word doc and it disappears into a black hole. Share a profile and you can see engagement in real time. That's a feature, not a liability.
Attachments are the actual attack vector. If the concern is security, the conversation should start with the .docx, not the URL.
The Real Question
The recruiter's worry about links isn't really about security. It's about perception — the fear that a hiring manager will see a URL and hesitate.
But hiring managers don't hesitate when LinkedIn sends them a profile link. They don't hesitate when DocuSign sends them a contract link. They don't hesitate when their own calendar tool sends them a meeting link. The modern web runs on links to controlled resources, and has done for a decade.
The Mabna Institute didn't get into 320 universities because those academics clicked links. They got in because those academics opened attachments. The lesson the security industry has been trying to teach for years is finally catching up with recruitment: the attachment is the problem, not the link.
If you're still emailing candidate PDFs in 2026, you're not being cautious. You're handing your candidates' personal information to whoever ends up in the forward chain, and taking on all the compliance risk that comes with it. A controlled, branded, auditable profile link isn't the risky option. It's the professional one.