by Hoala Greevy Founder CEO of Paubox

Proof that LinkedIn Powers Display Name Spoofing Attacks


Last August we wrote a post called Display Name Spoofing attacks via LinkedIn. In it, we identified a new variant of Display Name Spoofing phishing attacks: the abuse of LinkedIn to build a social construct of manipulation.

Our contention, dating back to August 2020, was that LinkedIn was being scraped at scale for Display Name Spoofing attack campaigns.

Yesterday’s news proves we were right:

This post recaps how we arrived at our conclusion, nearly a year before anyone else caught on.

Display Name Spoofing: Manipulating Authority and Smartphones

As a recap, Display Name Spoofing is a type of phishing attack that appears to come from a person of authority within a company.

When this is coupled with:

The net effect is that if you see an email from your boss on your phone, you’ll probably open it immediately, not bothering to think about the actual email address it came from.

In essence, Display Name Spoofing attacks tend to work because they manipulate:

  • Corporate hierarchy
  • How employees check email
  • Inherent shortcomings of today’s smartphones

Scraping LinkedIn at Scale

In today’s society, people keep their LinkedIn profiles studiously current. Job title and current employer are especially manicured on LinkedIn.

In fact, it’s what makes LinkedIn such an effective platform for Outbound Sales Development.

With LinkedIn, you know where everyone works and where everyone sits in the org chart.

While not an epiphany, that last sentence is having profound consequences for email security.

ExecProtect Provides the Proof

Just within our 40-person startup, we’ve seen ample proof of LinkedIn being abused for phishing attacks via Display Name Spoofing.

Last year, for example, ExecProtect stopped the following phishing attack dead in its tracks:


[Screenshot: ExecProtect alert email, captioned "Display Name Spoofing attacks via LinkedIn | Paubox"]


The above screenshot is an alert email ExecProtect sends to Domain Administrators like me.

At a quick glance, we can see that:

  • An email was sent to a Paubox employee, Evan, supposedly from me, the CEO.
  • I obviously do not have an email address of officepad1@email.cz and ExecProtect instantly quarantined it. Don’t forget though, it’s difficult to realize this on a smartphone.
  • The IP address that sent the email, 77.75.76.89, was not on any RBL Blacklists. In other words, the IP was recognized as a legitimate sender.

Here’s the smoking gun: Evan did not even work at Paubox yet!

In reality, he was so fired up to start that he updated his LinkedIn profile six days before his start date.

The only way to have known that Evan had a connection to Paubox at that time was via LinkedIn.
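The kind of check the alert above reflects can be sketched as follows. This is an added example, not Paubox's or ExecProtect's code: it compares the display name in a From header against a directory of protected people and quarantines the message when the name matches but the address does not. The directory and the address `ceo@example.com` are constructed placeholders.

```python
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed directory: protected display name -> addresses that person really uses.
# "ceo@example.com" is a placeholder, not a real Paubox address.
PROTECTED = {"Hoala Greevy": {"ceo@example.com"}}


def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms, punctuation and word order."""
    name = unicodedata.normalize("NFKC", name).casefold()
    words = "".join(c if c.isalnum() else " " for c in name).split()
    return " ".join(sorted(words))  # "Greevy, Hoala" equals "Hoala Greevy"


_INDEX = {normalize_name(n): {a.lower() for a in addrs}
          for n, addrs in PROTECTED.items()}


def check_from_header(raw_from: str) -> str:
    """Return 'quarantine', 'allow' or 'not-protected' for a raw From header."""
    # Split name and address first, then decode RFC 2047 encoded-words in the
    # name, so decoded characters cannot change how the header is split.
    display, address = parseaddr(raw_from)
    display = str(make_header(decode_header(display)))
    allowed = _INDEX.get(normalize_name(display))
    if allowed is None:
        return "not-protected"  # display name does not claim a protected identity
    return "allow" if address.lower() in allowed else "quarantine"


# Constructed sample headers; the spoofed address is the one quoted in the alert.
SAMPLES = [
    "Hoala Greevy <officepad1@email.cz>",
    '"Greevy, Hoala" <officepad1@email.cz>',
    "=?utf-8?q?Hoala_Greevy?= <officepad1@email.cz>",
    "Hoala Greevy <ceo@example.com>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_from_header(header):13} {header}")
```

Because the decision depends only on the display name and the sender address, it still fires when, as in the alert above, the sending IP is on no blacklist.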

There were other times when ExecProtect would stop dozens of Display Name Spoofing attacks in the span of two minutes. The entire company was targeted all at once, with the hope of at least one hit.


Sound familiar?

In these instances, it’s hard to find a one-to-one correlation to LinkedIn, as company directories can be purchased from other sources.

The same cannot be said, however, when an employee is targeted and they haven’t even started work yet. In our case, there was only one place that information existed: on LinkedIn.

If a company of our size was targeted with such pinpoint precision, yesterday’s news correctly concluded the same is true for every company on LinkedIn.
