
Why Attackers Are Phishing on LinkedIn

Summary

– 34% of phishing attacks now occur through non-email channels like social media, search engines, and messaging apps, with LinkedIn being a major platform for these threats.
– LinkedIn phishing bypasses traditional email security tools, leaving organizations reliant on user training and reporting since they lack visibility into these communications.
– Attackers find LinkedIn phishing cheap and scalable, often hijacking legitimate accounts with weak MFA adoption to launch credible campaigns using AI-powered messages.
– Users are more susceptible to LinkedIn phishing due to the professional context, making them more likely to engage with messages, especially from hijacked contacts of colleagues or executives.
– Successful phishing on LinkedIn can lead to significant breaches by compromising high-value accounts, enabling access to core business platforms and facilitating attacks on other users through SSO and internal apps.

The threat landscape for phishing has expanded well beyond traditional email, with 34% of observed phishing attacks now arriving through non-email channels such as social media, search engines, and messaging applications. LinkedIn stands out as particularly fertile ground for these campaigns. Cybercriminals are running targeted spear-phishing operations against executives, with recent waves focused on companies in the financial services and technology sectors. A further concern is that non-email phishing is severely underreported, largely because the security industry's primary metrics still come from email-focused security tools, which never see these messages.

You might wonder why a phishing attempt on a personal app like LinkedIn should concern your business. The reality is that employees routinely access LinkedIn for professional reasons, often using corporate-issued devices. Attackers are specifically targeting business credentials for platforms like Microsoft Entra and Google Workspace through these channels. This makes LinkedIn phishing a critical and immediate corporate security risk. Here are five key reasons this method is both popular and dangerously effective for attackers.

1. It Evades Conventional Security Defenses

Direct messages on LinkedIn bypass the email security gateways that form the backbone of most organizations' anti-phishing strategies. Employees use LinkedIn on their work computers and phones, yet security teams have no visibility into these private conversations. External actors can therefore reach staff on corporate hardware without their messages ever being inspected by a mail filter.

The problem is compounded by modern phishing kits that employ sophisticated obfuscation and anti-analysis techniques. These methods effectively neutralize security controls that depend on webpage inspection or traffic analysis. Consequently, many companies find themselves relying almost entirely on user awareness training and incident reporting as their primary defense, a precarious position at best.

Even when a vigilant employee identifies and reports a LinkedIn phishing attempt, the options for containment are limited. Unlike with email, there is no way to see who else was targeted, recall a malicious message sent to multiple users, or block the sender for the whole organization. Reporting the account to LinkedIn might eventually get it suspended, but by then the attacker has usually already achieved their objective and moved on. Blocking the associated URLs offers little relief either, because attackers cycle through new domains faster than blocklists can follow; URL blocking alone is a reactive race the defender cannot win.

2. It’s Inexpensive, Simple, and Highly Scalable

Launching a phishing campaign on LinkedIn is often cheaper and easier than orchestrating one via email. For email attacks, criminals frequently need to establish new domains, patiently build their reputation to bypass mail filters, and carefully warm them up. The equivalent process on a social network involves creating fake profiles, making connections, and posting content to appear legitimate.

However, attackers have discovered a far simpler method: hijacking existing, legitimate accounts. A startling 60% of credentials found in infostealer logs are linked to social media profiles, many of which lack multi-factor authentication because users are seldom prompted to enable MFA on what they consider personal apps. This provides attackers with a trusted, ready-made platform from which to launch their campaigns, leveraging the account’s established network and inherent credibility.

When you combine the takeover of real accounts with the power of AI-driven messaging, attackers can scale their LinkedIn operations to target vast numbers of users with minimal effort.

3. Direct Pathways to High-Value Individuals

Just as sales teams use LinkedIn for prospecting, so do cybercriminals. It is remarkably straightforward to map an organization’s structure through employee profiles and identify high-value targets with access to sensitive systems and data. LinkedIn has become a go-to reconnaissance tool for both red teams and attackers looking to pinpoint individuals whose job roles suggest they possess the access privileges needed for a successful breach.

Furthermore, LinkedIn's messaging sits outside the spam filtering and automated monitoring an organization applies to its corporate email. Whatever abuse detection LinkedIn runs on its own platform, the security team can neither tune it nor see its output, and nothing of theirs screens an incoming message before it reaches the employee. This makes LinkedIn one of the most direct channels for contacting a specific person, and an ideal launchpad for precisely targeted spear-phishing.

4. Higher Susceptibility Among Users

On professional networking platforms, users naturally expect to interact with people from outside their own company. A senior executive is far more inclined to open and respond to a LinkedIn message than yet another unsolicited email. This inherent trust is the attacker’s greatest advantage.

This vulnerability is magnified when attackers use compromised accounts of known contacts. A message appearing to come from a colleague or business partner is significantly more likely to elicit a response. In several recent incidents, attackers have taken over the accounts of employees to then target other executives within the same organization.

When these deceptive messages are paired with a convincing pretext, such as a request for urgent approval or to review a time-sensitive document, the probability of a successful phishing attempt rises dramatically.

5. The Stakes Are Immensely High

The fact that these attacks occur on a “personal” app does not diminish their potential impact. The ultimate targets are often critical enterprise cloud platforms like Microsoft 365, Google Workspace, or identity providers such as Okta. Gaining control over just one of these accounts provides access not only to the primary application and its data but also allows the attacker to exploit single sign-on (SSO) to infiltrate every connected application the employee uses.

This level of access can grant an attacker entry into virtually every core business system and dataset. From there, it becomes simple to target other users internally, perhaps through business collaboration tools like Slack or Microsoft Teams, or through techniques like SAMLjacking, in which the attacker repoints a compromised application's SAML SSO configuration at an identity provider they control, so that a legitimate application becomes a credential trap for every employee who signs in to it.

When aimed at executive staff, the payoff is enormous. A single compromised account can rapidly escalate into a company-wide breach costing millions. Even an attack that initially only reaches an employee's personal account can be leveraged into a corporate compromise, as demonstrated by the 2023 Okta support system breach. In that incident, an employee had signed into a personal Google account on an Okta-managed laptop, and an Okta service account credential saved in that personal profile was exposed when the personal account was compromised. The attacker used it to reach Okta's customer support system, where files uploaded by 134 customers, some containing live session tokens, were exposed.

This Is Not Just a LinkedIn Issue

The modern workplace operates across a sprawling ecosystem of decentralized internet applications and diverse communication channels, making it increasingly difficult to shield users from malicious interactions. Attackers can deliver harmful links through instant messengers, social media, SMS, malicious advertisements, and in-app messaging features, and can also abuse legitimate SaaS platforms' own notification and sharing emails, which pass email security because they arrive from a trusted sender.

Simultaneously, the average enterprise uses hundreds of different cloud applications, each with varying and often inconsistent security configurations. Phishing is now a multi-channel threat aimed at a broad spectrum of cloud and SaaS apps.

Halting Phishing at the Source: The Browser

Since phishing has clearly moved beyond the inbox, security measures must follow. To effectively combat these modern attacks, organizations require a solution capable of detecting and blocking phishing across every application and delivery method.

A modern security approach involves monitoring what users actually see in their web browsers. It doesn’t matter which delivery channel or evasion technique an attacker uses; the attack is neutralized in real-time as the malicious page loads. This is achieved by analyzing the page’s code, its behavior, and user interactions as they happen.
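The following is an added example, not code from the article or from any product it describes. It sketches the kind of in-browser check the paragraph above describes: it looks only at what the browser has actually rendered (the page origin, the visible text, and the credential forms) and scores the page. The brand allowlist, the weights, the thresholds and the three sample pages are all constructed for this example.

```javascript
// Added example (not the article's or any vendor's code). Scores a rendered page
// for credential-phishing signals using only what the browser can see.
// BRAND_ORIGINS is an assumed allowlist: which origins may legitimately present
// a given brand's login page.

const BRAND_ORIGINS = {
  microsoft: ["login.microsoftonline.com", "login.live.com"],
  google: ["accounts.google.com"],
  okta: [".okta.com"], // leading dot: the domain itself or any subdomain
};

function hostMatches(hostname, pattern) {
  if (pattern.startsWith(".")) {
    return hostname === pattern.slice(1) || hostname.endsWith(pattern);
  }
  return hostname === pattern;
}

// Which brand the page claims to be, judged from the text the user sees
// (title and body), not from the URL: lookalike domains are the whole attack.
function detectBrand(title, bodyText) {
  const text = `${title} ${bodyText}`.toLowerCase();
  return Object.keys(BRAND_ORIGINS).find((b) => text.includes(b)) || null;
}

// page: { url, title, bodyText, forms: [{ action, inputs: [{ type, name }] }] }
// In a real extension these fields come from the live DOM after scripts have
// run, which is what defeats obfuscated or dynamically built phishing pages.
function scorePage(page) {
  const pageUrl = new URL(page.url);
  const reasons = [];
  let score = 0;

  const credForms = page.forms.filter((f) => f.inputs.some((i) => i.type === "password"));
  if (credForms.length === 0) {
    return { score: 0, verdict: "allow", reasons: ["no credential form rendered"] };
  }

  const brand = detectBrand(page.title, page.bodyText);
  if (brand && !BRAND_ORIGINS[brand].some((p) => hostMatches(pageUrl.hostname, p))) {
    score += 50;
    reasons.push(`page presents as ${brand} but origin is ${pageUrl.hostname}`);
  }

  for (const f of credForms) {
    const target = new URL(f.action || page.url, page.url); // relative actions resolve against the page
    if (target.origin !== pageUrl.origin) {
      score += 30;
      reasons.push(`credential form posts cross-origin to ${target.origin}`);
    }
    if (target.protocol !== "https:") {
      score += 20;
      reasons.push("credential form submits over plaintext HTTP");
    }
  }

  const verdict = score >= 50 ? "block" : score >= 30 ? "warn" : "allow";
  return { score, verdict, reasons };
}

// Constructed sample pages (not real captures).
const SAMPLE_PAGES = {
  lookalike: {
    url: "https://login-micros0ftonline.com/common/oauth2/authorize",
    title: "Sign in to your account",
    bodyText: "Microsoft Sign in Email, phone, or Skype No account? Create one!",
    forms: [{ action: "/next.php", inputs: [{ type: "email", name: "loginfmt" }, { type: "password", name: "passwd" }] }],
  },
  legitimate: {
    url: "https://login.microsoftonline.com/common/oauth2/authorize",
    title: "Sign in to your account",
    bodyText: "Microsoft Sign in Email, phone, or Skype No account? Create one!",
    forms: [{ action: "https://login.microsoftonline.com/common/login", inputs: [{ type: "email", name: "loginfmt" }, { type: "password", name: "passwd" }] }],
  },
  harvester: {
    url: "https://hr-portal-docs.example/review",
    title: "Document review",
    bodyText: "Enter your credentials to view the shared document.",
    forms: [{ action: "https://collector.example.net/submit", inputs: [{ type: "text", name: "u" }, { type: "password", name: "p" }] }],
  },
};

for (const [name, page] of Object.entries(SAMPLE_PAGES)) {
  const r = scorePage(page);
  console.log(`${name}: ${r.verdict} (${r.score})`, r.reasons);
}
```

The lookalike scores 50 and is blocked because the page says "Microsoft" while its origin is not on the allowlist; the generic harvester only earns a warning from the cross-origin form post; the genuine Microsoft page scores 0. An adversary-in-the-middle kit that proxies the real login page still trips the brand/origin check, because the brand text is rendered on the attacker's domain, which is why evaluating the rendered DOM rather than the delivered HTML matters.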

Beyond just stopping phishing, a comprehensive browser security solution can block a range of other browser-based threats. These include adversary-in-the-middle (AiTM) phishing, credential stuffing attacks, malicious browser extensions, dangerous OAuth grants, and session hijacking attempts.

These platforms also enable proactive security by identifying and remediating vulnerabilities within the applications employees use daily. This includes discovering unused “ghost” logins, identifying gaps in SSO coverage, spotting missing MFA, and flagging vulnerable passwords.

They can even alert security teams when employees log into personal accounts on their work browsers, helping to prevent scenarios like the Okta breach mentioned earlier.
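The following is an added example, not code from the article or from any product it describes, covering the posture checks in the two paragraphs above: ghost logins, SSO gaps, missing MFA, reused passwords, and personal accounts used in a work browser. The inventory records, field names, the SSO-capable app list, the corporate domain and the 90-day ghost threshold are all constructed assumptions.

```javascript
// Added example (not the article's or any vendor's code). Runs posture checks
// over a constructed inventory of logins that a browser agent might have seen.

const DAY_MS = 24 * 60 * 60 * 1000;
const NOW = Date.parse("2024-06-01T00:00:00Z"); // fixed reference date so results are reproducible
const CORPORATE_DOMAINS = new Set(["example.com"]); // assumed
const SSO_CAPABLE = new Set(["Salesforce", "Notion", "GitHub"]); // apps the IdP could federate (assumed)

// One record per (app, user) login observed. passwordHash stands in for whatever
// non-reversible fingerprint an agent keeps so it can compare passwords across
// apps without storing them. All records are constructed.
const INVENTORY = [
  { app: "Salesforce", user: "ana@example.com",          method: "password", mfa: false, lastLogin: "2024-05-30", passwordHash: "h1" },
  { app: "Salesforce", user: "ben@example.com",          method: "sso",      mfa: true,  lastLogin: "2024-05-29", passwordHash: null },
  { app: "Notion",     user: "ana@example.com",          method: "password", mfa: false, lastLogin: "2024-01-10", passwordHash: "h1" },
  { app: "GitHub",     user: "ana@example.com",          method: "password", mfa: true,  lastLogin: "2024-05-28", passwordHash: "h1" },
  { app: "Figma",      user: "cy@example.com",           method: "password", mfa: false, lastLogin: "2023-11-02", passwordHash: "h7" },
  { app: "Google",     user: "ana.personal@gmail.com",   method: "password", mfa: false, lastLogin: "2024-05-31", passwordHash: "h1" },
];

function findings(inventory, opts = {}) {
  const { now = NOW, ghostDays = 90, ssoCapable = SSO_CAPABLE, corporateDomains = CORPORATE_DOMAINS } = opts;
  const out = { ghostLogins: [], ssoGaps: [], missingMfa: [], personalAccounts: [], reusedPasswords: [] };
  const byHash = new Map();

  for (const r of inventory) {
    const key = `${r.app}:${r.user}`;
    const domain = r.user.split("@")[1];
    // Ghost login: an account nobody has used in ghostDays, but which still works.
    if (now - Date.parse(r.lastLogin) > ghostDays * DAY_MS) out.ghostLogins.push(key);
    // SSO gap: a local password login on an app the IdP could have federated.
    if (r.method === "password" && ssoCapable.has(r.app)) out.ssoGaps.push(key);
    if (!r.mfa) out.missingMfa.push(key);
    // Personal account signed in on a work browser (the Okta-breach pattern).
    if (!corporateDomains.has(domain)) out.personalAccounts.push(key);
    if (r.passwordHash) {
      if (!byHash.has(r.passwordHash)) byHash.set(r.passwordHash, []);
      byHash.get(r.passwordHash).push(key);
    }
  }
  for (const keys of byHash.values()) {
    if (keys.length > 1) out.reusedPasswords.push(keys); // same password across accounts
  }
  return out;
}

// Highest priority: no MFA and a password known to be reused elsewhere. That is
// precisely the combination an infostealer log turns into an account takeover.
function prioritize(f) {
  const reused = new Set(f.reusedPasswords.flat());
  return f.missingMfa.filter((k) => reused.has(k));
}

const f = findings(INVENTORY);
console.log(f);
console.log("fix first:", prioritize(f));
```

On the constructed inventory, Ana's password is shared across three corporate apps and her personal Gmail account, so a stealer that harvests the personal login hands the attacker Salesforce and Notion outright; those two, plus the personal account, are what `prioritize` returns, while the GitHub login with MFA drops out.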

To gain a deeper understanding of how such a platform operates, reviewing a detailed product overview or scheduling a live demonstration with a security specialist is highly recommended.

(Source: Bleeping Computer)
