
Hackers exploit fake LinkedIn job alerts to steal user credentials


Attackers are sending convincing imitation LinkedIn notification emails that redirect victims to a spoofed login page. The campaign appears to be part of a broader shift toward polished, platform-branded social engineering attacks.

 

What happened

Security researchers have documented a phishing campaign that abuses the trusted appearance of LinkedIn notification emails to steal user credentials. According to Cybernews, the phishing emails closely mimic genuine LinkedIn message alerts, matching the font, logo, formatting, and subject line style of authentic notifications. Recipients are told they have a new message from a recruiter at a reputable company and are prompted to contact them urgently about a business opportunity. Clicking the button redirects victims not to LinkedIn but to a spoofed login page hosted on a lookalike domain such as "inedin[.]digital," chosen because it visually resembles the LinkedIn URL at a quick glance. The sender address used in observed samples, "khanieteam[.]com," has no connection to LinkedIn and was created only days before the emails were distributed. Some of the phishing sites were created just months before analysis.

 

Going deeper

The campaign follows a well-documented pattern in which attackers select a trusted professional platform and replicate its branding precisely enough to reduce suspicion at the moment a recipient decides whether to click. The job opportunity framing is what researchers describe as a classic social engineering hook, using urgency as an emotional trigger to push the recipient into acting quickly rather than verifying the sender. Researchers noted that attackers are increasingly scraping public data from the web to make phishing lures more targeted and personalized, which also makes them harder to identify as fraudulent. The phishing emails observed in the Cofense samples were written in Chinese, suggesting the campaign may have originated from a Chinese-speaking threat actor, though the credential-harvesting infrastructure has broader reach. Spoofed display names, freshly registered sender domains, and near-identical website clones are now standard components of these campaigns rather than exceptional features.

 

What was said

Researchers said in the research blog cited by Cybernews that the email's "font, logo, and formatting closely match those of real LinkedIn notification emails," and that the job opportunity lure is "a classic social engineering hook" designed to exploit "emotional triggers" such as urgency. They added that attackers are continuously changing "in both technical sophistication and persistence by crafting highly convincing schemes to exploit human trust and curiosity," and reminded users that "remaining vigilant, verifying sources, and thinking twice before clicking are essential steps in defending ourselves against increasingly creative cyberattacks."

 

In the know

LinkedIn has been a consistent vector for credential theft and malware distribution campaigns targeting professionals. According to BleepingComputer, a separate campaign documented in October 2025 targeted finance executives through LinkedIn direct messages, impersonating executive board invitations, to steal Microsoft credentials. That campaign used a similar formula: a high-value professional lure delivered through a trusted platform, designed to create urgency and reduce the recipient's instinct to verify before acting. The current campaign extends that pattern to email-based notifications rather than direct messages, demonstrating that attackers exploit LinkedIn's trusted brand across multiple delivery channels simultaneously.

 

The big picture

Platform-branded phishing campaigns targeting professional networks are growing in sophistication and scale as attackers combine AI-generated lures, scraped public profile data, and freshly registered lookalike domains to increase their success rates. According to Paubox's Top 3 Healthcare Email Attacks report, impersonation attacks succeed because "email still treats identity as trustworthy by default," and Microsoft's Digital Defense Report, cited in the same research, confirms that "attackers increasingly exploit trust in familiar identities, such as executives and vendors, rather than relying on malicious attachments or links." Healthcare organizations are directly exposed. Employees receive legitimate vendor, recruiter, and partner communications routinely, making it structurally difficult to single out a convincing LinkedIn alert as fraudulent without technical controls that flag lookalike domains and spoofed display names before they reach the inbox.

 

FAQs

How do attackers make phishing emails look like they come from LinkedIn?

Attackers copy LinkedIn's fonts, logos, and email formatting precisely, use a spoofed display name that appears legitimate, and register sender domains designed to look plausible at a quick glance. The email itself is indistinguishable from a genuine notification without inspecting the actual sending domain.

 

What makes job opportunity lures particularly effective?

Job offers create urgency and appeal to professional ambition, two emotional triggers that prompt recipients to act quickly without verifying the source. The lure is especially effective when it appears to come from a recognizable platform that professionals already expect to receive messages from.

 

How can individuals verify whether a LinkedIn notification is genuine?

Check the actual sender domain as well as the display name, and go directly to LinkedIn rather than clicking any link in the email. LinkedIn communications will always come from linkedin.com, not lookalike domains.

 

What can organizations do to reduce exposure to these attacks?

Deploying email security tools that detect lookalike domains and flag spoofed display names before messages reach employees provides a technical layer of protection that does not depend on users recognizing the attack themselves.
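The two checks named above (display name versus actual sender domain, and lookalike link domains) can be sketched as follows. This is an added example, not code from the cited research or from any vendor product; the local parts of the addresses, the 0.7 threshold, and the naive last-two-labels domain extraction are assumptions.

```python
import difflib
from email.utils import parseaddr

BRAND = "linkedin"                # brand label being protected
LEGIT_DOMAINS = {"linkedin.com"}  # per the FAQ above: genuine mail comes from linkedin.com

def refang(s):
    """Turn a defanged indicator (inedin[.]digital) back into a parseable host."""
    return s.replace("[.]", ".")

def registrable(host):
    """Naive last-two-labels extraction (assumption); production code should use the Public Suffix List."""
    labels = refang(host).lower().strip(".").split(".")
    return ".".join(labels[-2:])

def is_legit(host):
    return registrable(host) in LEGIT_DOMAINS

def lookalike_score(host):
    """Similarity in [0, 1] between the domain's second-level label and the brand."""
    label = registrable(host).split(".")[0]
    return difflib.SequenceMatcher(None, label, BRAND).ratio()

def assess(from_header, link_hosts, threshold=0.7):
    """Return a list of findings for one message; an empty list means nothing was flagged."""
    findings = []
    display, addr = parseaddr(refang(from_header))
    sender_domain = addr.rpartition("@")[2].lower()
    # Check 1: display name claims the brand, but the real sender domain is not the brand's.
    if BRAND in display.lower() and not is_legit(sender_domain):
        findings.append(("display_name_mismatch", sender_domain.replace(".", "[.]")))
    # Check 2: a link points at a non-brand domain that closely resembles the brand.
    for host in link_hosts:
        if not is_legit(host) and lookalike_score(host) >= threshold:
            findings.append(("lookalike_link", host))
    return findings

# Constructed sample messages: the domains are those reported in the article (kept defanged),
# the local parts "alerts" and "notifications" are made up for illustration.
PHISH = ("LinkedIn <alerts@khanieteam[.]com>", ["inedin[.]digital"])
GENUINE = ("LinkedIn <notifications@linkedin.com>", ["www.linkedin.com"])

if __name__ == "__main__":
    for name, (frm, links) in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, assess(frm, links))
```

The sender domain in this campaign does not resemble the brand at all, which is why the display-name check is needed alongside the similarity check.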

 

Why are healthcare employees a target for credential phishing campaigns like this?

Healthcare staff manage active professional networks and routinely receive vendor, recruiter, and administrative correspondence, making platform-branded lures harder to distinguish from legitimate outreach. Compromised credentials in healthcare environments can enable access to patient records and clinical systems.
