IT Security News 28 January 2020

LinkedIn Phishing Attacks

LinkedIn: The professional network which can't always be trusted

Anthony Roberts, Infrastructure Manager, Fabric

Why are people phishing with LinkedIn?

LinkedIn now has over 500 million members and is the largest professional network as well as the most trusted social media platform.

But all isn’t as it seems. LinkedIn is now one of the most popular sites for criminals to harvest user credentials and other personal information through phishing attacks and other scams.

What is Phishing?

Phishing is an attempt to obtain sensitive information online, such as usernames, passwords or bank details. Many phishing attacks are disguised so that the message appears to come from a legitimate source.

Recently there has been a rise in LinkedIn phishing attacks. Here are some of the LinkedIn phishing methods to look out for; attackers might use some or all of them.


LinkedIn Phishing Scam Methods:

1. Connections with Fake LinkedIn Profiles

On LinkedIn, users are encouraged to build connections and engage with other users on a professional level, and you tend to assume everyone has good intentions. That’s not always the case. Fake profiles are common on social media platforms, and this form of scam works particularly well on LinkedIn because of the professional nature of the platform.

What’s bad about fake LinkedIn members? Phishing attackers have been known to build a rapport with their targets through likes, comments, messages and posts, and then request sensitive information from you. Because of LinkedIn’s professional nature, it’s easier to trust every profile you encounter.

2. Pretending to be LinkedIn and Requesting Information

If you use LinkedIn, you’ll know that it sends a lot of emails. Hackers have used this to their advantage by sending emails pretending to be from LinkedIn.

This scam typically takes the form of a fraudulent email sent from an account masquerading as LinkedIn’s administrative team. The email may contain a hyperlink requesting more personal information. If you follow it, you could be taken to a page that looks like the LinkedIn website. The site asks for your email address and password, and once entered, your credentials go straight to the scammer.

3. LinkedIn InMail Scam

This scam is sent as a message through LinkedIn’s built-in messaging system and usually contains a link to a fake or malicious website, which the scammer can use to harvest information or to try to get you to download malicious software onto your computer.

How to protect yourself against Phishing Attacks:

  • Check the email address of any email appearing to be sent from LinkedIn. Avoid any that come from a non-LinkedIn domain.
  • Hover over any hyperlinks in emails or messages you receive to check that they take you to an official LinkedIn webpage. If you received the email below, would you click on these links?


LinkedIn links Normal

Both appear to point to LinkedIn, but when I hover over them you can see that only one of them is legitimate! Here’s the correct URL shown when I hover over the top link.

[Image: hovering over the top link shows the correct LinkedIn URL]

But the second one shows just how easy it is to hide a malicious URL.

[Image: hovering over the second link reveals a dodgy URL]

  • Verify the email by logging into your LinkedIn account directly; a genuine notice will also appear there.
  • Avoid any emails asking you to install software.
  • Avoid any emails or messages containing poor spelling or grammar.
  • If you do click a link in an email from LinkedIn, check the site’s certificate.
  • Use common sense. If you’re unsure, remember that LinkedIn will notify you if there is an issue with your profile security, but if you haven’t requested a password reset, ignore any emails asking you to reset your password!
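
To make the sender-domain and hover-over-the-link checks above repeatable, here is an added example that is not part of the original post and not a LinkedIn tool: a small Python script that parses an email, checks whether the From: address belongs to a linkedin.com domain, and compares each link’s visible text with its real destination, which is the same comparison you make by hovering. The two sample emails are constructed for the example using reserved .example hostnames, and the allow-list of trusted domains is an assumption.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender domains treated as genuine. Hypothetical allow-list for this example.
TRUSTED_DOMAINS = {"linkedin.com"}


def registrable_domain(host):
    """Reduce a hostname to its last two labels: 'e2.linkedin.com' -> 'linkedin.com'.

    A two-label heuristic, not a public-suffix lookup; it is enough here and it is
    exactly what unmasks 'linkedin.com.something.example' look-alikes.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_url(text):
    """True if the visible link text is itself written as a web address."""
    return bool(text) and " " not in text and "." in text


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def check_links(html_body):
    """Compare what each link says with where it goes, as hovering would reveal."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        target = urlparse(href)
        target_domain = registrable_domain(target.hostname or "")
        if looks_like_url(text):
            shown = urlparse(text if "://" in text else "//" + text)
            if (registrable_domain(shown.hostname or "") in TRUSTED_DOMAINS
                    and target_domain not in TRUSTED_DOMAINS):
                findings.append(f"link text '{text}' actually goes to {target.hostname}")
                continue
        if target.scheme == "http":
            findings.append(f"plain-http link to {target.hostname}")
    return findings


def sender_domain(msg):
    """Registrable domain of the From: address ('' if absent or malformed)."""
    addr = email.utils.parseaddr(str(msg["From"] or ""))[1]
    return registrable_domain(addr.rpartition("@")[2]) if "@" in addr else ""


def analyse(raw_email):
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    if dom not in TRUSTED_DOMAINS:
        findings.append(f"sender domain '{dom}' is not a LinkedIn domain")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


# Constructed sample: look-alike sender, and a link whose text claims LinkedIn
# but whose href goes to a different domain (note 'linkedin.com.' is a subdomain).
PHISHING_EMAIL = """\
From: LinkedIn <notifications@linkedin-security-alerts.example>
Subject: Your account has been restricted
Content-Type: text/html; charset="utf-8"

<p>We noticed unusual activity. Please confirm your identity.</p>
<p><a href="https://www.linkedin.com/help/">https://www.linkedin.com/help/</a></p>
<p><a href="http://linkedin.com.login-verify.example/confirm">https://www.linkedin.com/confirm</a></p>
"""

# Constructed sample of a notification that passes both checks.
GENUINE_EMAIL = """\
From: LinkedIn <messages-noreply@linkedin.com>
Subject: You have a new connection request
Content-Type: text/html; charset="utf-8"

<p><a href="https://www.linkedin.com/mynetwork/">www.linkedin.com/mynetwork/</a></p>
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_EMAIL), ("genuine", GENUINE_EMAIL)):
        print(name, analyse(raw) or ["no indicators"])
```

The text/href comparison is the heart of it: the address you read in the email is only decoration, and the href is where the browser goes. Reducing both to a registrable domain is what stops "linkedin.com.login-verify.example" from passing as LinkedIn.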
