Inspiration
This project is very personal to me. Over the last several months, I have been actively job hunting, and I kept running into recruiter scams that looked convincing enough to pass a first inspection. Some of them had verified LinkedIn profiles, premium-looking accounts, company branding, and messaging that sounded completely normal. To a non-technical user, many of these messages would look legitimate. Even to a technical user, verifying them manually takes time.
As someone with a cybersecurity mindset, I do not trust surface-level presentations. Before engaging with any recruiter, I tend to perform the same checks a security analyst would during triage: DNS lookups, domain registration checks, raw header analysis, public footprint verification, OSINT correlation, and infrastructure validation. I realized that while I could do those checks manually, most people cannot, and they should not have to.
People like one of my friends, a project manager, who realized that she had trusted the wrong people and given scammers her Social Security number because everything looked perfect on the surface. She is smart. She is capable. And still, the scam looked professional enough to get through. That stayed with me. Another friend of mine, an accountant, keeps getting messages about amazing remote opportunities with great pay. She gets excited, then waits for me to find time to do a full analyst-style review of the recruiter. Every time, it reminded me how unfair the current situation is: ordinary people are expected to defend themselves against increasingly polished social-engineering attacks with tools and knowledge they were never given.
I also wanted this project to reflect something I care deeply about: accessibility. The people most vulnerable to scams are also the ones most frequently excluded by technical tools. That is why I added an ElevenLabs-powered accessibility layer, so findings can be read aloud through a unified voice interface. I wanted Suscruit to be usable not only by cybersecurity-minded people, but also by non-technical users, low-vision users, and people who simply need clearer or faster guidance.
What it does
My mission is to reduce the risk burden on the user by packaging the full verification workflow, content checks, identity checks, infrastructure checks, reputation checks, and OSINT into one place instead of forcing people to do it piece by piece. At its core, Suscruit is my attempt to close even a small part of the gap between how sophisticated scams have become and how unsupported ordinary people often are when trying to defend themselves.
How we built it
For the frontend, I used Lovable to generate the initial UI structure and code baseline. It helped me move quickly in the early stage by giving me a strong starting point, but I did not leave it as-is. I went back and edited and refined the generated code heavily to better match my product vision, improve the user flow, and make the interface feel more polished, dynamic, and accessible. From there, I structured the project around a multi-layer analysis pipeline. The application takes in recruiter-related inputs such as the recruiter’s name, email, claimed company, company domain, message text, and raw email headers, then correlates them into one explainable result. On the backend and analysis side, I built the logic to combine multiple trust surfaces:
- content analysis for social-engineering indicators such as urgency language, money requests, credential harvesting, fake-check patterns, and suspicious wording
- identity validation for sender-domain alignment, free-provider misuse, and lookalike domain detection
- email-security analysis through raw header parsing for SPF, DKIM, and DMARC
- domain registration intelligence using RDAP
- DNS analysis for MX, TXT, A, AAAA, SPF, and DMARC-related signals
- site reputation context using the Google Safe Browsing API
- public-web OSINT enrichment using Tavily to correlate recruiter identity, company footprint, public mentions, and job-posting consistency
- additional certificate / website-history / infrastructure context to strengthen the trust model
I also wanted the project to be accessible, so I built an ElevenLabs-powered voice layer that can read the findings aloud through a unified playback interface. That way, the tool is not only useful for technical users but also more inclusive for users who benefit from spoken guidance.
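The identity-validation and raw-header checks in the list above can be sketched as follows. This is an added TypeScript example, not Suscruit's own code; the function names, the free-provider list, the edit-distance threshold of 2 and the `.test` sample headers are assumptions constructed for illustration.

```typescript
// Added example with hypothetical names; not Suscruit's code.
const FREE_PROVIDERS = new Set(["gmail.com", "outlook.com", "yahoo.com"]); // sample list
// Constructed sample: a lookalike domain whose own SPF/DKIM/DMARC all pass.
const SAMPLE_HEADERS = [
  "Authentication-Results: mx.recipient.test;",
  "   dkim=pass header.i=@examp1e-corp.test;",
  "   spf=pass smtp.mailfrom=examp1e-corp.test;",
  "   dmarc=pass header.from=examp1e-corp.test",
  "From: Recruiter <jobs@examp1e-corp.test>",
].join("\r\n");

// Read results from the topmost Authentication-Results header (normally the receiver's).
function parseAuth(rawHeaders: string): { spf: string; dkim: string; dmarc: string } {
  const unfolded = rawHeaders.replace(/\r?\n[ \t]+/g, " "); // join folded lines
  const line = unfolded.split(/\r?\n/).find((l) => /^authentication-results:/i.test(l)) ?? "";
  const get = (method: string): string =>
    new RegExp(`\\b${method}=(\\w+)`, "i").exec(line)?.[1]?.toLowerCase() ?? "none";
  return { spf: get("spf"), dkim: get("dkim"), dmarc: get("dmarc") };
}

// Levenshtein distance, used to flag near-miss spellings of the claimed domain.
function editDistance(a: string, b: string): number {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++)
      cur[j] = Math.min(prev[j]! + 1, cur[j - 1]! + 1, prev[j - 1]! + (a[i - 1] === b[j - 1] ? 0 : 1));
    prev = cur;
  }
  return prev[b.length]!;
}

type Identity = "aligned" | "free-provider" | "lookalike" | "mismatch";
function checkIdentity(fromEmail: string, companyDomain: string): Identity {
  const sender = fromEmail.slice(fromEmail.lastIndexOf("@") + 1).toLowerCase();
  const claimed = companyDomain.toLowerCase();
  if (sender === claimed || sender.endsWith("." + claimed)) return "aligned";
  if (FREE_PROVIDERS.has(sender)) return "free-provider";
  return editDistance(sender, claimed) <= 2 ? "lookalike" : "mismatch";
}

// Authentication vouches only for the sending domain, so it counts toward trust
// only when that domain is the claimed company's.
function triage(rawHeaders: string, fromEmail: string, companyDomain: string) {
  const auth = parseAuth(rawHeaders);
  const identity = checkIdentity(fromEmail, companyDomain);
  return { ...auth, identity, trusted: identity === "aligned" && auth.dmarc === "pass" };
}
```

On the constructed sample, `triage(SAMPLE_HEADERS, "jobs@examp1e-corp.test", "example-corp.test")` reports passing SPF, DKIM and DMARC but an identity of `lookalike`, so the message is not marked trusted.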
Challenges we ran into
- In cybersecurity, a tool becomes useless very quickly if it either underreacts to real threats or overreacts to weak evidence. I spent a lot of time refining the trust model, so Suscruit would not produce misleading conclusions. For example, a real company being mentioned in scam warnings is very different from the company itself being fraudulent. In many cases, the company is actually the victim of impersonation. That meant I had to make the logic smart enough to separate impersonation risk from direct fraud signals, rather than collapsing everything into a single red flag.
- Balancing technical depth with human usability. I wanted Suscruit to use real cybersecurity-style checks, such as SPF, DKIM, DMARC, RDAP, DNS records, infrastructure clues, Safe Browsing reputation, and OSINT correlation, but I also wanted the output to be understandable to someone who is not technical. Translating those kinds of signals into clear, useful language without oversimplifying them was one of the hardest parts of the build.
- Dealing with mixed or messy evidence. Real-world signals are not clean. A recruiter message might sound professional, but come from a mismatched domain. A header might show mixed authentication results because of forwarding or security filtering. A real organization might appear in scam-related search results because scammers are pretending to represent it. Building a system that could handle that ambiguity without sounding reckless was a major part of the project.
- Making the system feel like one cohesive workflow instead of a pile of disconnected checks. I did not want users to feel like they were running ten separate tools. I wanted Suscruit to package all that trust analysis into one place, with the signals working together rather than feeling fragmented.
- Getting users to provide raw email headers. Header analysis is one of the strongest trust signals in Suscruit, but many non-technical users do not know how to access it. To reduce that friction, I added a simple help icon with screenshots showing exactly how to get headers from Gmail. I chose screenshots because they are faster and clearer than long instructions or videos. This is something I want to expand later to other email providers as well.
- Finally, accessibility was also a challenge I took seriously. I did not want this to be a tool that only helped technical users. Building the ElevenLabs-powered voice layer and shaping the interface to be useful to people who need spoken guidance added another layer of complexity, but it was important to me because cybersecurity should protect everyone, not just those who already know the jargon.
Accomplishments that we're proud of
I'm proud that I built something with real heart behind it, a one-of-a-kind tool designed to protect not only people in my inner circle but also anyone who feels vulnerable, overwhelmed, or uncertain when trying to trust recruiter outreach online. Suscruit was built to make people feel safer, more informed, and less alone.
What we learned
What surprised me while researching this space is that there are plenty of articles telling people to “watch out,” but far fewer tools that actually do the analyst work for them in one place. That is very saddening, because this problem is clearly in demand as more and more people apply for jobs online and receive recruiter outreach, while their personal information remains at constant risk. That is exactly why I built Suscruit, the only tool of its kind.
What's next for SusCruit
Next, I want to make Suscruit available on smartphones so it can become a truly practical tool people can use anywhere, especially in the moment when they receive a suspicious recruiter message. I also want to expand the educational side of the project by adding more tutorials, more screenshots, and clearer guidance for non-technical users, for example, showing how to find email headers across multiple email providers, not just Gmail. I also want to add helpful explanation points throughout the interface. My long-term goal is for Suscruit to become a full package: not just a tool that analyzes risk, but also one that teaches people, empowers them, and helps close the gap between cybersecurity knowledge and everyday users. In the future, I would also like to keep expanding the trust-analysis engine itself with more data sources, stronger signal correlation, and even more accessible design choices so the tool can support as many people as possible.
Built With
- archive-signals
- certificate-transparency-checks
- dns-lookups
- elevenlabs-api
- google-safe-browsing
- lovable
- osint
- raw-email-header-parsing
- rdap
- react
- tanstack-start
- tavily-api
- typescript