Phishing attacks are no longer limited to emails. Today, almost one in three phishing attacks take place on non-email channels like social media, messaging apps, and search platforms. Among these platforms, LinkedIn has become a prime target for cybercriminals. Attackers are now using LinkedIn to run highly targeted spear-phishing campaigns against executives in industries like financial services and technology.
Despite the growing threat, phishing outside email is still underreported. Most cybersecurity teams depend heavily on email security tools for phishing detection, which means activity on platforms like LinkedIn often goes unnoticed.
You may wonder: Why does LinkedIn phishing matter when the app is personal?
The answer is simple. Professionals use LinkedIn for work networking, often from corporate devices, and attackers know this. The goal of these attacks is often to compromise business accounts such as Microsoft Entra ID or Google Workspace.
Below are five key reasons why phishing on LinkedIn is increasing, and why it is so effective.
1. Most organizations rely on email security solutions to catch phishing attempts. But LinkedIn direct messages completely bypass these tools. Employees access LinkedIn from their work laptops and phones, yet security teams have no visibility into these interactions.
This creates the perfect opportunity for attackers to deliver malicious links or files without being intercepted.
To make things worse, modern phishing kits are built with:
- Obfuscation techniques
- Anti-analysis controls
- Evasion capabilities
These techniques help attackers hide their malicious pages from web crawlers, proxies, and automated scanners. As a result, many companies end up depending only on user awareness training—an unreliable line of defense.
Even when users report a suspicious LinkedIn message, security teams cannot determine:
- Who else in the organization was targeted
- Whether multiple employees received the same message
- How to block or quarantine the phishing attempt
Unlike email, LinkedIn offers no centralized control for administrators. At best, organizations can block malicious URLs, but attackers simply rotate domains, making it a never-ending chase.
2. Phishing over email often requires attackers to build up domain reputation and bypass filters. But on LinkedIn, attackers have a simpler path: account takeover.
Over 60% of stolen credentials found in infostealer logs belong to social media accounts, many without MFA protection. Once attackers hijack an account, they inherit:
- Real connections
- Authentic posting history
- Credible profile details
This gives them an instant trust advantage, far stronger than a new phishing domain.
With AI-powered messaging tools, attackers can also send:
- Personalized messages
- Industry-specific lures
- High-volume outreach
All at extremely low cost and effort.
3. LinkedIn is a goldmine for reconnaissance.
Attackers can easily identify:
- Key executives
- IT administrators
- Employees with privileged access
- Newly hired staff who may be less security-aware
There is no spam filter on LinkedIn messages, and no assistant managing an inbox. This makes LinkedIn one of the most direct and effective channels for attackers to reach the exact person they want.
Many red teams—and threat actors—already use LinkedIn to map organizational structures and craft believable pretexts. This makes the platform ideal for highly targeted spear-phishing campaigns.
4. Employees are more open to communication on LinkedIn than email. Executives, especially, are used to receiving messages from:
- Recruiters
- Industry peers
- Partners
- Investors
This trust factor significantly increases the success rate of phishing attacks.
When an attacker uses a hijacked account of a known connection, the chances of engagement go even higher. In some recent cases, cybercriminals have even leveraged compromised accounts of fellow employees, making the attack almost indistinguishable from legitimate internal communication.
With the right pretext—such as reviewing a document or approving a request—attackers can quickly manipulate even senior leaders.
5. Compromising a LinkedIn user does not stop at their personal profile. Most phishing campaigns aim to steal credentials for major enterprise platforms such as:
- Microsoft Entra ID
- Google Workspace
- Okta
Once inside, attackers can access business-critical systems and use single sign-on (SSO) to enter multiple connected apps. This can expand rapidly into:
- Lateral movement
- Data theft
- Internal phishing across Slack, Teams, and other tools
- Large-scale business compromise
A single stolen executive account can lead to millions in financial damage.
Even personal-device compromises can lead to corporate breaches. For example, in the 2023 Okta breach, an employee’s personal Google account synced saved corporate credentials—allowing attackers to access 134 customer tenants.
Modern work happens across dozens of decentralized apps. Attackers now deliver phishing links through:
- Social media
- SMS
- Instant messenger apps
- In-app messaging
- Browser-based SaaS alerts
- Malicious online ads
With hundreds of cloud apps in each enterprise, every platform becomes a potential attack surface.
Since phishing has moved outside the email inbox, defenses must move too.
Organizations need browser-level phishing protection that can detect and block malicious sites across any platform, app, or communication channel. Security must extend to where users actually interact with phishing attempts—not just their inbox.