This month, Iranian hackers targeted LinkedIn users with "dream job offers" - which were actually files that turned out to be password-stealing Windows malware.
The campaign, spotted by Israeli cybersecurity company ClearSky, delivered ZIP files to users in sectors including aerospace, aviation and defence - suggesting that the hackers were aiming to disrupt operations and steal sensitive information.
North Korean hackers previously posed as recruiters from Meta to target employees of an aviation company via LinkedIn, sending the workers malware disguised as "coding challenges", ESET revealed in 2023. Other cybercrime groups have targeted victims via LinkedIn messaging, with one campaign, Ducktail, targeting marketing and HR professionals.
Cybercriminals are increasingly turning to LinkedIn as a way to bypass corporate cyber defences, due to the social network’s unique positioning as both a business and personal network, experts told The Stack.
LinkedIn allows cybercriminals to bypass corporate defences around email, said Grant Paling, Director of Product Management at Orange Cyberdefense.
Paling said: "With email, you have a clear separation between personal email and work email. That ‘boundary’ is far less clear when it comes to social media.
“Linked is used by businesses as a channel to communicate and market the activities of the business but it is also personal. Users own their accounts, not the businesses they work for. Yet they can end up sharing detailed information about what they are doing within their role that hackers can use to profile potential targets within the business."
READ MORE: “Barfing” code, RAG stacks and other AI lessons from LinkedIn
Why do criminals love LinkedIn?
LinkedIn removed 11.9 million fake accounts in 2021, and has introduced new security features, such as linking a verified work email to profiles - alongside "Gold" profiles verified with a passport.
Paling added: "We have seen a number of cases where 'recruiter fraud' is perpetrated with a very targeted solicitation of users from malicious actors posing as recruiters. Offers of big salary increases, stock options and other benefits are common and look actually like a legitimate “inmail”. It is the latest example of hackers being very in tune with cultural trends and exploiting our inherent trust by appearing to be what they are not."
Paling says that the psychology around LinkedIn means that people see it as a grey area, with businesses failing to train employees in the proper use of social media.
Paling says that existing digital risk protection services (which monitor social media for individuals impersonating executives or brands) often won’t protect against LinkedIn scams, as the scammers will often be posing as recruiters from rival firms.
For high-value spear phishing attacks, where cybercriminals target emails at senior executives, Linkedin has become a "first stop" for gathering information.
This threat (in which attackers pretend to be a contact or colleague of a potential victim) are intensifying, and now account for 66% of all security breaches, according to research by Barracuda.
Michael Balmer, a partner at the global cyber consultancy CyXcel, told us that LinkedIn profiles can be a goldmine for hackers who want to construct targeted spear phishing attacks.
With LinkedIn profiles containing large amounts of information on employees and who their colleagues are, it’s easier to make phishing attacks appear real.
Balmer said: “By researching LinkedIn, scammers can build extensive profiles of their potential targets and create spear phishing emails using social engineering techniques that are personalised and appear legitimate because they come from individuals or companies they regularly engage with and contain information that could be authentic.”
READ MORE: LinkedIn starts training GenAI on users' personal data - without notification
Never trust, always verify
LinkedIn is also being used to zero in on new hires at large enterprises who may not be familiar with security procedures - using posts to look for people who have just landed a job and then targeting them.
The tactic is successful in part due to the "culture of trust" on LinkedIn, says Andrew Whaley, Senior Technical Director at Oslo-based security company Promon.
“In the B2B sphere, one major tactic involves using the platform to identify new hires at companies," Whaley said. "Then, posing as HR or a senior executive over email, scammers can reach out to new employees with urgent requests, such as downloading a file or transferring funds, which may be disguised as a legitimate onboarding process.
“This approach is effective because new hires are often less familiar with internal protocols and are more likely to comply with requests they believe have come from company leadership.”
Whaley advises that companies should combat such tactics by training employees on LinkedIn-specific risks - and by encouraging a robust security culture where employees verify requests through internal channels.
