5 reasons why attackers are phishing over LinkedIn

Phishing attacks are no longer limited to email inboxes, with 34% of phishing attacks now occurring on non-email channels such as social media, search engines and messaging apps.
LinkedIn in particular has become a hotbed of phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting enterprises in the financial services and technology sectors.
But phishing outside of email is severely underreported – not at all surprising when we consider that most of the industry’s phishing metrics come from email security tools.
Your initial thought might be “Why do I care about employees getting phished on LinkedIn?” Well, while LinkedIn is a personal app, it is regularly used for work purposes, accessed from corporate devices, and attackers are specifically targeting business accounts like Microsoft Entra and Google Workspace.
Therefore, LinkedIn phishing is a major threat that businesses need to be prepared for today. Here are 5 things you need to know about why attackers are phishing on LinkedIn – and why it’s so effective.
1: It bypasses traditional security tools
LinkedIn DMs completely bypass the email security tools that most organizations rely on for phishing protection. In practice, employees use LinkedIn on work laptops and phones, but security teams have no visibility into these communications. This means that attackers can message employees on their work devices without any risk of the message being intercepted.
To make matters worse, modern phishing kits use a variety of obfuscation, anti-analysis and detection-evasion techniques to defeat anti-phishing controls based on inspection of a webpage (such as web-crawling security bots) or analysis of web traffic (such as web proxies). This leaves most organizations relying on user training and reporting as their main line of defense – not a good situation.
But what can you actually do about a LinkedIn phish, even when a user sees and reports it? You cannot see which other accounts in your user base were targeted or affected. Unlike email, there is no way to recall or delete the same message when multiple users receive it. There are no rules you can modify, and no way to block senders. You can report the account, and maybe have the malicious account frozen – but the attacker will probably have got what they needed by then and moved on.
Most organizations simply block the included URLs. But this doesn’t really help when attackers are rapidly rotating their phishing domains – by the time you block one site, many other sites have already taken its place. It’s a strange game – and it’s rigged against you.
2: It’s cheap, easy, and scalable for attackers
There are a few things that make phishing on LinkedIn more accessible than email-based phishing attacks.
With email, it is common for attackers to create an email domain in advance, build domain reputation, and go through a warm-up period to pass mail filters. Social media apps like LinkedIn seem to require just as much work: creating accounts, making connections, adding posts and content, and making them look legitimate.
Except that legitimate accounts are incredibly easy to take over. 60% of credentials in infostealer logs are linked to social media accounts, many of which lack MFA (MFA adoption is much lower on nominally “personal” apps, where users are not encouraged to add MFA by their employer). This gives attackers a trusted launchpad for their campaigns: they inherit an account’s existing network and exploit that trust.
Hijacking legitimate accounts, combined with the scale offered by AI-generated direct messages, means attackers can easily expand their LinkedIn outreach.
3: Easy Access to High-Value Targets
As any sales professional knows, LinkedIn recon is trivial. It’s easy to map an organization’s LinkedIn profile and select appropriate targets to contact.
In fact, LinkedIn is already a top tool for red teamers and attackers when pursuing potential social engineering goals – for example by reviewing job roles and descriptions to guess which accounts have the levels of access and privilege you need to launch a successful attack.
There is no screening or filtering of LinkedIn messages, no spam protection, or an assistant monitoring the inbox for you. This is arguably the most direct way to reach your desired contact, and therefore one of the best places to launch a highly targeted spear-phishing attack.
4: Users are more likely to fall for it
The nature of professional networking apps like LinkedIn is that you’re expected to connect and interact with people outside your organization. In fact, a high-powered executive is far more likely to open and respond to a LinkedIn DM than to an unsolicited email.
When combined with account hijacking, messages from known contacts are even more likely to receive a response. This is the equivalent of taking over the email account of an existing business contact – which has been the source of many data breaches in the past.
In some recent cases, those contacts have been fellow employees – so it’s like an attacker taking over one of your company’s email accounts and using it to defraud your C-suite executives.
Combined with the right pretext (e.g. asking for immediate approval, or to review a document), the chances of success increase significantly.
5: The potential rewards are huge
Just because these attacks are happening on “personal” apps doesn’t mean the impact is limited. It’s important to think about the big picture.
Most phishing attacks focus on core enterprise cloud platforms like Microsoft and Google, or specialist identity providers like Okta. Taking over one of these accounts not only gives access to the key apps and data within that platform, but also allows the attacker to use SSO to sign in to any connected apps the employee has access to.
This gives the attacker access to almost every core business function and dataset in your organization. And from this point, it’s very easy to target other users of these internal apps – for example via business messaging apps like Slack or Teams, or with techniques like SAMLjacking, which turns an app into a watering hole for other users trying to log in.
Combined with spear-phishing of executive employees, the payouts are significant. A single account compromise can quickly turn into a multi-million dollar business-wide breach.
And even if the attacker only has access to an employee’s personal device, it can still lead to a corporate account compromise. Just look at the 2023 Okta breach, where an attacker took advantage of the fact that an Okta employee was signed in to a personal Google profile on their work device.
This meant that any credentials saved in their browser were synced to their personal devices – including the credentials of 134 customer tenants. When the personal device was compromised, the work credentials were compromised with it.
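The exposure in the Okta case was a personal browser profile syncing saved passwords off a managed device. As an added defensive example (not code from the original article, and not Push Security’s product), the PowerShell script below applies Chrome’s documented enterprise policies on a Windows endpoint so that only corporate accounts can sign in to the browser and password sync is switched off. The registry path is Chrome’s standard policy location; the corporate domain pattern is a placeholder you would replace with your own tenant.

```powershell
# Added example (not from the original article): restrict Chrome browser sign-in to
# corporate accounts and keep saved passwords out of sync, so a personal Google
# profile on a work device cannot carry saved credentials to unmanaged devices.
# Run from an elevated PowerShell session; HKLM policies apply to all users of the device.

$ChromePolicy      = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$CorpDomainPattern = '.*@example\.com'   # placeholder: replace with your own tenant domain

# Create the policy key if this device has never had Chrome policies applied.
New-Item -Path $ChromePolicy -Force | Out-Null

# BrowserSignin: 0 = disable sign-in, 1 = allow sign-in, 2 = force sign-in.
# Allow sign-in, then restrict which accounts may sign in via RestrictSigninToPattern.
Set-ItemProperty -Path $ChromePolicy -Name 'BrowserSignin' -Value 1 -Type DWord
Set-ItemProperty -Path $ChromePolicy -Name 'RestrictSigninToPattern' -Value $CorpDomainPattern -Type String

# SyncTypesListDisabled is a list policy: Chrome reads numbered string values under a subkey.
# Disabling the "passwords" type means saved passwords never leave this device via sync.
$SyncKey = Join-Path $ChromePolicy 'SyncTypesListDisabled'
New-Item -Path $SyncKey -Force | Out-Null
Set-ItemProperty -Path $SyncKey -Name '1' -Value 'passwords' -Type String

# Read back what Chrome will load; chrome://policy shows the same values after a restart.
Get-ItemProperty -Path $ChromePolicy | Select-Object BrowserSignin, RestrictSigninToPattern
Get-ItemProperty -Path $SyncKey | Select-Object 1
```

Policies under HKLM are mandatory and cannot be changed by the user from browser settings, which is the point: the control holds even when an employee habitually signs in to a personal profile. Pushing the same values through Group Policy or your MDM is the usual way to apply them fleet-wide rather than running the script per device.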
It’s not just a LinkedIn problem
With modern work happening across a sprawl of decentralized internet apps and a more diverse set of communication channels outside of email, it is harder than ever to prevent users from interacting with malicious content.
Attackers can distribute links using instant messenger apps, social media, SMS, malicious advertisements, and in-app messenger functionality, as well as send emails directly from SaaS services to bypass email-based checks.
Similarly, there are now hundreds of apps per enterprise to target, each with a different level of account security configuration.
Stop phishing where it happens: in the browser
Phishing has moved out of mailboxes – it’s important that security does too.
To combat modern phishing attacks, organizations need a solution that detects and blocks phishing across all apps and delivery vectors.
Push Security sees what your users see. No matter which delivery channel or detection-evasion methods are used, Push stops the attack in real time as the user loads the malicious page in their web browser – by analyzing page code, behavior and user interactions in real time.
That’s not all we do: Push blocks browser-based attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking.
You can also use Push to proactively find and fix vulnerabilities in apps used by your employees, such as ghost logins, SSO coverage gaps, MFA gaps, and weak passwords.
You can also see where employees are logged in to personal accounts in their work browser (to prevent situations like the 2023 Okta breach mentioned earlier).
To learn more about Push, check out our latest product overview or book some time with one of our team for a live demo.
Sponsored and written by Push Security.
Source: www.bleepingcomputer.com
Published on: 2025-11-10 10:01:00
Categories: Security
