Indeed, as would I. But what makes a successful social engineering attack (or scam, in general) is giving people what they want before they have an opportunity to ask questions. While this exact attack wouldn't work on me now, it might have when I was looking to graduate from university. My desire for an industry job (and a prestigious one at that) might have clouded my typical judgment. So, hiding whois information can be immediately justified by "well, they are a security company", with any doubts expelled. Grifters and illusionists work in much the same way; the plot is full of holes, but over and over people see what they want to see.