
You can quite cheaply (for around $3 depending on the registrar) opt into Whois privacy protection.


For a prestigious company to use a Whois hiding shell company service would be suspicious, though.


But if they are a security-oriented company, maybe not so much. Hiding potential attack vectors (contact info of technical contact) can prevent or delay spear phishing attempts. Now, if Xrecruiting.com and X.com don't match, then that would be a red flag.


My point (in agreement with TazeTSchnitzel) was essentially this - if X was a large enough company, I would expect them not to hide their registration details, especially, I would argue, in the case of a security company, so that potential clients and employees can be certain of the veracity of the communications they receive. If I were to receive a communication from an email address not associated with the main domain of the company, I would be instantly suspicious if the whois data was obscured or concealed.


Indeed, as would I. But what makes a successful social engineering attack (or scam, in general) is giving people what they want before they have an opportunity to ask questions. While this exact attack wouldn't work on me now, it might have when I was looking to graduate from university. My desire for an industry job (and a prestigious one at that) might have clouded my typical judgment. So, hiding whois information can be immediately justified by "well, they are a security company", with any doubts expelled. Grifters and illusionists work in much the same way; the plot is full of holes, but over and over people see what they want to see.



