THREAT ALERT

5 Reasons Why Attackers Are Phishing Over LinkedIn

Thursday, November 13th, 2025


Summary

Phishing is increasingly moving beyond email, with 34% of attacks now happening on platforms like social media, search engines, and messaging apps. LinkedIn has become a major target, as attackers use spear-phishing to impersonate executives and breach enterprises in sectors like finance and technology. Yet, these non-email attacks often go unreported, since most phishing data comes from email security tools. Despite being a “personal” app, LinkedIn is used for work and is often accessed from corporate devices, making it a prime vector for compromising business accounts. In short, LinkedIn phishing is a growing threat that organizations can’t afford to ignore.

How it works

LinkedIn phishing is a key threat that businesses need to be prepared for today. Here are five things you need to know about why attackers are going phishing on LinkedIn and why it is so effective.

    1. A Blind Spot for Security Teams

LinkedIn direct messages completely bypass traditional email-based security controls, giving attackers a direct path to employees’ devices without detection. Modern phishing kits use advanced evasion techniques to slip past webpage inspection and traffic analysis tools, leaving organizations with limited defenses beyond user vigilance. Even when a phishing attempt is spotted, security teams have little visibility or control: they have no way to recall messages, block senders, or assess the wider impact. As attackers rapidly rotate domains, blocking URLs becomes a futile game of whack-a-mole.

    2. Cheap, Easy, and Scalable for Attackers

LinkedIn-based phishing is significantly cheaper and easier for attackers than traditional email campaigns. Rather than building domain reputation, attackers can hijack existing social accounts (many lacking MFA) or create plausible new profiles, immediately leveraging established networks and trust. With 60% of infostealer-leaked credentials tied to social media and AI tools that automate personalized outreach, adversaries can scale high-volume, high-quality LinkedIn messaging campaigns toward valuable targets with minimal cost or infrastructure.

    3. Easy Access to High-Value Targets

LinkedIn makes reconnaissance effortless: attackers can quickly map an organization’s workforce, identify roles with privileged access, and pick the best candidates for targeted outreach. Security-minded red teams already use the platform for scoping, and adversaries do the same to craft highly relevant, believable messages. With no message screening, minimal spam filtering, and a direct line to the target’s attention, LinkedIn is an ideal channel for precise spear-phishing aimed at high-value individuals.

    4. Users Are More Likely to Fall for It

Professional networking platforms like LinkedIn naturally encourage users to engage with people outside their organization, making them more receptive to unsolicited messages. Executives, in particular, are far more likely to open and respond to a LinkedIn DM than a suspicious-looking email. When attackers hijack legitimate accounts, those messages come from trusted contacts, dramatically increasing their credibility. In some cases, compromised accounts have even belonged to colleagues, mimicking an internal request for approval or document review. With the right pretext and urgency, these LinkedIn phishing messages have an unusually high chance of success.

    5. The Potential Rewards Are Huge

Attacks launched via LinkedIn, though they begin on a “personal” app, can quickly unlock an organization’s crown jewels. Compromising a single identity often grants access to core cloud platforms (Microsoft, Google, Okta) and, through SSO, to any connected business apps and data. From there, attackers can pivot across messaging platforms (Slack, Teams), abuse SAML flows, or turn services into watering holes that capture additional credentials. Targeted breaches against executives amplify the payoff: one account compromise can cascade into a multi-million dollar, organization-wide incident. Even compromises that start on an employee’s personal device can be laundered into corporate account takeovers, as the 2023 Okta breach demonstrated: an attacker exploited an Okta employee’s personal Google account on a work device, gaining access to credentials for 134 customer tenants.

Conclusion

Modern phishing no longer happens just through email; attackers now use multiple channels such as social media, instant messaging, SMS, ads, and SaaS apps. With hundreds of apps per enterprise and varied security levels across them, it is increasingly difficult to block malicious content.

Reference: https://www.bleepingcomputer.com/news/security/5-reasons-why-attackers-are-phishing-over-linkedin/

DefenseStorm Recommendations

As always, DefenseStorm recommends the following:

  • Continued internal training for phishing campaigns
  • Block threat indicators at their respective controls
  • Keep all systems and software updated to the latest patched versions to best protect against all known security vulnerabilities
  • Maintain a strong password policy
  • Enable multi-factor authentication
  • Regularly back up data; keep backup copies offline, air-gapped, and password-protected
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location
  • Use app hardening
  • Restrict administrative access

Diana Rodriguez

Cyber Threat Intelligence Engineer

Diana Rodriguez is a Cyber Threat Intelligence Engineer for DefenseStorm. She joined DefenseStorm in 2019 with 9.5 years of experience in cybersecurity and banking. Diana’s career began at Wells Fargo, where she played a pivotal role in protecting financial institutions. Over her 5 years with Wells Fargo, she held diverse positions, first starting as a teller, then transitioning to become a financial crime analyst, and eventually a cyber security analyst. This experience provided her with a comprehensive understanding of the intricacies of the banking industry and the critical importance of cybersecurity in protecting sensitive data. Diana holds a Bachelor’s degree in computer science from UNCC and a Master’s degree in Cybersecurity from UNC at Chapel Hill. She completed the MITRE ATT&CK® Defender certifications, which provided her with the expertise to effectively apply knowledge of adversary behaviors, enhancing security configurations, analytics, and decision-making to provide the utmost protection for DefenseStorm’s clients. Diana also holds the GIAC Certified Incident Handler, NSE1, and NSE2 certifications. During her tenure at DefenseStorm, she has become proficient in the platform, taking an active role in proactively detecting and responding to cyber threats. She has played a vital role in developing new policies and advanced analytics to detect and prevent potential attacks effectively, while educating and empowering customers to optimize the DefenseStorm services to fortify their security measures.