5 reasons why attackers phish through LinkedIn

By user, November 17, 2025

Phishing attacks are no longer limited to email inboxes, with one in three phishing attacks occurring via channels other than email, such as social media, search engines, and messaging apps.

LinkedIn in particular is a hotbed for phishing attacks, and for good reason. Attackers are conducting sophisticated spear-phishing attacks against corporate executives, with recent campaigns targeting companies in the financial services and technology industries.

However, non-email phishing remains significantly underreported. That’s not really surprising, considering that most of the industry’s phishing metrics come from email security tools.

Your first thought may be, “Why should I care about my employees getting phished on LinkedIn?” Although LinkedIn is a personal app, it is routinely used for work purposes and accessed from corporate devices, and attackers specifically target business accounts such as Microsoft Entra and Google Workspace.

Therefore, LinkedIn phishing is a key threat that businesses need to be prepared for today. Here are five things you need to know about why attackers phish on LinkedIn and why it’s so effective.

1: Bypass traditional security tools

LinkedIn DMs completely bypass the email security tools that most organizations rely on for anti-phishing. Employees access LinkedIn on their work laptops and phones, yet security teams have no visibility into these communications. This means employees can receive messages from outsiders on their work devices without those messages ever passing through the controls that would intercept them in email.

To make matters worse, modern phishing kits use a range of obfuscation, anti-analysis, and evasion techniques to circumvent anti-phishing controls based on web page inspection (e.g., web crawling security bots) or web traffic analysis (e.g., web proxies). This leaves most organizations relying on user training and reporting as their main line of defense, which is not a very good situation.

But even if a user discovers and reports it, what can you actually do about LinkedIn phishing? You can’t see which other accounts in your user base have been targeted or attacked. Unlike email, there is no way to recall or quarantine the same message sent to multiple users. There are no rules you can change or senders you can block. You can report the account, and it may be suspended, but by then the attacker will likely have what they need and moved on.

Most organizations simply block the URLs involved. However, this is of little use if the attacker is rapidly rotating phishing domains. By the time you block one site, several more have already taken its place. It’s a game of whack-a-mole and it’s set against you.

2: Cheap, easy, and scalable for attackers

There are several reasons why phishing via LinkedIn is more accessible than email-based phishing attacks.

With email, an attacker commonly has to register a domain in advance and put it through a warm-up period to establish the domain’s reputation and get its mail past email filters. On a social media app like LinkedIn, by comparison, you just create an account, make connections, add posts and content, and dress it up to look legitimate.

However, it is incredibly easy to take over a legitimate account. 60% of the credentials in Infostealer logs are linked to social media accounts, many of which do not have MFA (as MFA adoption is much lower in nominally “personal” apps where users are not encouraged to add MFA by their employers). This gives attackers a trusted starting point for their campaigns, allowing them to compromise an account’s existing network and exploit that trust.

Combining legitimate account hijacking with the opportunities presented by AI-powered direct messages, attackers can easily expand their reach on LinkedIn.

3: Easily access high-value targets

As any sales professional knows, prospecting on LinkedIn is easy. Mapping out an organization’s LinkedIn presence and choosing the right targets to reach takes little effort. In fact, LinkedIn has become a top tool for red teamers and attackers alike when vetting potential social engineering targets: job roles and descriptions, for example, give a good estimate of which accounts have the level of access and privileges needed to carry out an attack.

There’s also no assistant to screen or filter your LinkedIn messages, protect against spam, or monitor your inbox. This is probably one of the best places to launch a highly targeted spear phishing attack, as it is probably the most direct way to reach the desired contact.

4: Users are more likely to be fooled by it

Due to the nature of professional networking apps like LinkedIn, you are expected to connect and interact with people outside your organization. In fact, an empowered executive is much more likely to open and respond to a LinkedIn DM than another spam email.

Especially when combined with account hijacking, messages from known contacts are even more likely to get a response. This is the same as taking over an existing business contact’s email account, which has been the cause of many data breaches in the past.

In fact, in some recent cases, those contacts were co-workers, so it’s like an attacker took over one of the company’s email accounts and used it to spear-phish executives. Combined with the right pretext (asking for urgent approval, verifying documents, etc.), the chances of success are significantly increased.

5: The potential rewards are huge

Just because these attacks occur on “personal” apps doesn’t limit their impact. It’s important to think about the big picture.

Most phishing attacks focus on core enterprise cloud platforms like Microsoft and Google, or specialized identity providers like Okta. Compromising one of these accounts would not only give them access to the core apps and data within each app, but it would also allow the attacker to use SSO to sign into connected apps that employees are logged into.

This gives attackers access to nearly every core business function and data set within an organization. And from this point on, it also becomes much easier to target business messaging apps like Slack and Teams, as well as other users of these internal apps using techniques like SAMLjacking, which turns the app into a watering hole for other users trying to log in.

Combined with spear-phishing of executives, the payoff can be significant. A single account compromise can snowball into a multi-million dollar business-wide breach.

And even if an attacker only gains access to an employee’s personal device, that foothold can be turned into a compromise of corporate accounts. Look at the Okta breach of 2023. There, the attackers exploited the fact that Okta employees were signed into their personal Google profiles on their work devices. Any credentials saved in the work browser were synced to the personal profile, and from there to the employee’s personal device, including credentials for 134 customer tenants. When the personal device was compromised, the work accounts were compromised with it.
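The failure mode above is a browser configuration problem as much as a user behaviour one: a personal Google profile signed into a managed browser carries saved passwords off the managed device. As an added example (not part of the original article, and not Push Security’s product), the script below installs a managed Chrome policy that restricts browser sign-in on a corporate device to accounts in the company’s own domain and disables profile sync, and includes a small check that reports whether a device is still in the permissive default state. The policy names `BrowserSignin`, `RestrictSigninToPattern` and `SyncDisabled` are real Chrome enterprise policies; the domain `example.com` is a placeholder, and the `/etc/opt/chrome/policies/managed/` path assumes a Linux install (Windows and macOS deliver the same policies via the registry or a configuration profile).

```shell
#!/bin/sh
# Added example, not from the article: install a managed Chrome policy that
# keeps a personal Google profile (and its synced passwords) off a work browser.
# BrowserSignin, RestrictSigninToPattern and SyncDisabled are real Chrome
# enterprise policy keys; the corporate domain and the install path below are
# assumptions made for this illustration.

# Directory Chrome on Linux reads managed policies from (assumption: Linux install).
DEFAULT_POLICY_DIR="/etc/opt/chrome/policies/managed"

# Escape the dots in a domain so they match literally inside the regex that
# RestrictSigninToPattern expects. The result is already JSON-escaped
# (two backslashes per dot), e.g. example.com -> example\\.com
escape_domain() {
  printf '%s' "$1" | sed 's/\./\\\\./g'
}

# write_signin_policy DIR DOMAIN
# Writes DIR/corp-signin.json so that:
#   BrowserSignin 1           - browser sign-in stays enabled ...
#   RestrictSigninToPattern   - ... but only for accounts in the corporate domain,
#   SyncDisabled true         - and saved credentials never sync to any profile,
# so a personal profile cannot carry work passwords onto an unmanaged device.
write_signin_policy() {
  dir="$1"
  domain_re=$(escape_domain "$2")
  mkdir -p "$dir"
  cat > "$dir/corp-signin.json" <<EOF
{
  "BrowserSignin": 1,
  "RestrictSigninToPattern": ".*@${domain_re}",
  "SyncDisabled": true
}
EOF
}

# policy_allows_personal_signin DIR
# Returns 0 (true) when the policy file is missing or does not both restrict
# sign-in and disable sync: the default state that enabled the 2023 Okta scenario.
policy_allows_personal_signin() {
  f="$1/corp-signin.json"
  [ -f "$f" ] || return 0
  grep -q '"RestrictSigninToPattern"' "$f" && grep -q '"SyncDisabled": true' "$f" && return 1
  return 0
}

# Run directly with a domain (and optionally a policy directory) to install the policy:
#   sudo sh chrome-signin-policy.sh example.com
if [ $# -ge 1 ]; then
  write_signin_policy "${2:-$DEFAULT_POLICY_DIR}" "$1"
  echo "Wrote ${2:-$DEFAULT_POLICY_DIR}/corp-signin.json"
fi
```

Disabling sync entirely is the conservative choice here; an organization that relies on Chrome sync for its managed accounts would instead keep sync on and ship credentials through an enterprise password manager, but the sign-in restriction is what stops the personal profile from appearing in the work browser in the first place.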

This isn’t just a LinkedIn issue

With modern work taking place across a sprawling network of internet apps, and communication channels beyond email becoming ever more diverse, stopping users from interacting with malicious content is more difficult than ever.

Attackers can distribute links via instant messenger apps, social media, SMS, and malicious ads, use in-app messenger functionality, or send emails directly from SaaS services to bypass email-based checks. Meanwhile, companies now have hundreds of apps, each with a different level of account security configuration, for attackers to target.

Want to learn more about how phishing will evolve in 2025? Register for an upcoming webinar from Push Security. Discover key phishing statistics, trends, and case studies for 2025.

Phishing is now delivered through multiple channels, not just email, and targets a wide range of cloud and SaaS apps.

Stop phishing where it happens: in your browser.

Phishing has expanded beyond the mailbox. Security needs to expand with it.

To combat modern phishing attacks, organizations need solutions that detect and block phishing across all apps and delivery vectors.

Push Security checks what users actually see. No matter what delivery channel or evasion method is used, Push analyzes a page’s code, behavior, and user interactions as the page loads in the browser and shuts the attack down in real time.

This is not the only thing we do. Push blocks browser-based attacks such as AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You can also use Push to proactively find and fix vulnerabilities across the apps your employees use, including ghost logins, SSO coverage gaps, MFA gaps, and weak passwords. You can also see where employees are logging into their personal accounts in their work browser (to prevent situations like the 2023 Okta breach mentioned above).

To learn more about Push, check out our latest product overview or schedule a live demo with our team.

This article is a contribution from one of our valued partners.
