Security challenges

LinkedIn phishing attacks up 232% in February

Since February 1st, 2022, we have recorded a 232% increase in email phishing attacks which are impersonating LinkedIn. These attacks use display name spoofing and stylized HTML templates to socially engineer victims into clicking on phishing links and then entering their credentials into fraudulent websites.

Quick summary of these attacks

  • Vector and type: Email phishing
  • Technique: Display name impersonation
  • Payload: Phishing links to harvest credentials
  • Targets: Organizations in North America and the UK
  • Platform: Outlook 365
  • Bypassed secure email gateway: Yes

These attacks use webmail addresses with a LinkedIn display name. The phishing emails are sent from different webmail accounts that have zero correlation to each other. They use targeted subject lines associated with LinkedIn, including:

  • You appeared in 4 searches this week
  • You appeared in 9 searches this week
  • You have 1 new message
  • Your profile matches this job
  • Who’s searching for you online

The emails use multiple stylized HTML templates, including the LinkedIn logo, brand colors and icons.

Within the body of the email, the cybercriminal uses other well-known organizations’ names (including American Express and CVS Carepoint) to make the attacks more convincing. When clicked, the phishing links send the victim to a website that harvests their LinkedIn log-in credentials.

The footer features elements from LinkedIn’s genuine email footer, including their global HQ address, hyperlinks to unsubscribe and to their support section, and the recipient’s information.

What the attacks look like

The emails below demonstrate the variety in HTML templates and subject lines used by the attacks.

You can also see the LinkedIn display name spoofing, which is designed to hide the webmail accounts used to launch the attacks.


Two LinkedIn phishing emails from February 2022 that use display name spoofing and stylized templates, with Egress Defend anti-phishing alerts visible

Egress analysis

Current employment trends help to make this attack more convincing. ‘The Great Resignation’ continues to dominate headlines, and a record number of Americans left their jobs in 2021 for new opportunities. It is likely these phishing attacks aim to capitalize on jobseekers (plus curious individuals) by flattering them into believing their profile is being viewed and their experience is relevant to household brands.

While the display name is always LinkedIn and the emails all follow a similar pattern, the phishing attacks are sent from different webmail addresses that have zero correlation with each other. Currently, it is unknown whether these attacks are the work of one cybercriminal or a gang operating together.

The targets vary, covering companies in both North America and the UK, and operating within different industries. LinkedIn states it has over 810 million members in more than 200 countries, which provides an extensive victim pool for cybercriminals. Many professionals choose to include their corporate email address within their profile, and many regularly receive update communications from LinkedIn. Consequently, they could be more trusting of a stylized phishing email.

The cybercriminal(s) involved has likely used a legitimate LinkedIn email as their starting point for these attacks. They have used branded elements, including the current LinkedIn logo, to make the phishes more convincing.

The attacks we have seen are bypassing traditional email security defenses to be delivered into people’s inboxes. Without technology deployed within the mailbox to help them detect attacks, it can be difficult for individuals to avoid falling victim. You can see in the screengrabs provided that Egress Defend has alerted the recipient to the attack within their inbox. 

The takeaways

We advise organizations to examine their current anti-phishing securing stack to ensure they have intelligent controls deployed directly into people’s mailboxes.

Individuals should take extreme caution when reading notification emails that request them to click on a hyperlink, particularly on mobile devices. We recommend hovering over links before clicking on them and going directly to LinkedIn to check for messages and updates.

You might also be interested in ...

Ransomware Code 358X193
Security challenges
Ransomware: 2022's top attacks and need-to-know stats

Learn about the top ransomware attacks we’ve seen so far in 2022, and take a look at some important statistics. 

Smishing Quishing Vishing Scams 555X300
Security challenges
What are smishing, vishing, and quishing scams?

You've heard of phishing - now learn about the scams that arrive via SMS, voice call, and QR code. 

Invoice Fraud Dollars555x300
Security challenges
Invoice fraud: Everything you need to know

Invoice fraud is an effective cyberattack to which nearly half of all businesses fall victim. We've outlined what to keep in mind and the intelligent email security tools you can deploy to protect yourself.