Today, phishing no longer remains confined to the inbox. In fact, over 30% of attacks happen outside of email, leveraging social networks, search engines, and messaging apps to deceive victims.
And among all platforms, LinkedIn has become the new favorite ground for cybercriminals. At TecnetOne, we’ve observed how attackers are launching increasingly sophisticated spear phishing campaigns, specifically targeting executives and companies in industries such as finance, technology, and professional services.
The problem is that this type of phishing is rarely detected or documented. Most industry reports rely on email security data, so attacks occurring outside that environment often go unnoticed.
You might think: “Why should I care if someone falls for a fake message on LinkedIn?” Well, it matters—a lot. Even if the platform is used for personal purposes, many employees access it from corporate devices, and attackers are well aware of that. Their goal isn’t just the LinkedIn account, but gaining access to enterprise systems like Microsoft Entra or Google Workspace.
That’s why at TecnetOne, we believe LinkedIn phishing is one of the most significant threats facing companies today. In this article, we’ll explain the top 5 reasons why attackers are using LinkedIn to launch phishing campaigns—and what you can do to protect yourself.
LinkedIn direct messages slip through a gap many companies haven’t closed: they don’t pass through email filters. Your employees may receive suspicious messages on their corporate laptops or phones, but security teams don’t see them because traditional solutions focus on the inbox.
To make matters worse, modern phishing kits use obfuscation and evasion techniques that bypass automated scans and web proxies. In practice, this leaves organizations relying almost entirely on user training and someone reporting the incident—a fragile defense when the attacker is well-prepared.
And if someone reports the attack on LinkedIn, things get more complicated: there’s no easy way to track how many employees received the same message or to mass-remove it the way you would with an email.
You can report the account and, with luck, the platform will suspend it—but by then, the attacker may have already achieved their goal. Blocking URLs helps, yes, but malicious domains change quickly; it’s a cat-and-mouse game that often favors the attacker.
Compared to running an email campaign (creating a domain, “warming up” reputation, evading filters), operating on LinkedIn can be quicker and cheaper. Creating profiles, connecting with people, and appearing legitimate is enough in many cases.
Additionally, hijacking legitimate accounts is very common: many leaked credentials belong to social media profiles, and many of those accounts don’t have MFA enabled. That gives attackers a real “facade” that exploits the trust of their network.
Add to that tools that automate messages (or even AI-generated messages), and you have a formula to scale attacks at low cost with high impact.
LinkedIn is practically a public database of job titles and responsibilities: with just a few clicks, you can map out who has access to finance, IT, or critical infrastructure within a company. For an attacker, that’s gold—it allows for highly targeted spear phishing campaigns with real context.
There are no robust filters controlling who can contact whom, and nothing on the platform verifies the authenticity of a message. That’s why LinkedIn is ideal for pinpointing the exact person who, if compromised, could open the door to corporate accounts (Microsoft Entra, Google Workspace, etc.). In short, it’s the most direct path to attacking privileged users and launching successful spear phishing campaigns.
On LinkedIn, interacting with strangers is part of the game: accepting connection requests, receiving messages from recruiters or industry peers—it’s all normal. That’s why it’s far more likely that an executive will open and respond to a LinkedIn direct message than a cold email that ends up in their spam folder.
If the attacker uses a hijacked account (or impersonates someone familiar), the response rate skyrockets. It’s just like receiving an email from a real vendor or colleague’s account—trust does the rest. In fact, several recent incidents began exactly this way—a compromised account within the organization was used to launch targeted attacks on executives.
And when the message includes the perfect pretext (“urgent approval,” “review this document now”), the pressure to respond quickly plays into the attacker’s hands. In short: on LinkedIn, social signals lower suspicion and increase the likelihood of the trap working.
Figure: Landing page of an investment opportunity scam targeting tech company executives.
The fact that the attack comes through a “personal” app like LinkedIn doesn’t make it any less dangerous—in reality, it can be the entry point to the entire corporate infrastructure. Many phishing attacks have a specific goal: gaining access to cloud platforms (Microsoft 365, Google Workspace) or identity providers (Okta, etc.). Once inside, the attacker can leverage SSO and credentials to move laterally and access any connected service.
This means that compromising just one account can grant access to emails, documents, backups, internal systems, and all kinds of critical data. From there, it becomes much easier to launch internal attacks (e.g., messages via Slack or Teams), use techniques like SAMLjacking, or even pivot to higher-privilege accounts.
If the target is an executive (well-executed spear phishing), the reward can be enormous: what starts as access to a single account can end in a multi-million dollar breach.
Even when an attacker only compromises an employee’s personal device, the damage can still reach the company. Cases like Okta’s in 2023 showed how sessions and credentials stored in browsers or personal devices can sync and provide access to corporate accounts and clients.
And let’s be clear: this isn’t a LinkedIn-only problem. Modern work relies on hundreds of SaaS applications and communication channels (messaging, SMS, social media, malicious ads), many with inconsistent security settings. That multiplies the entry points and complicates containment.
Figure: Phishing now operates across multiple channels and targets various cloud applications and SaaS services.
Phishing no longer lives solely in email—and your security strategy shouldn’t either. Today’s attacks move across social media, messaging apps, ads, and even SaaS services, exploiting every corner of the digital environment.
At TecnetOne, we help companies stop phishing right where it happens: in the browser. That’s where users actually interact with websites, forms, and suspicious messages—and where clear signs of malicious behavior can be identified in real time.
Our approach goes beyond email filters and blacklist-based blocking. We use advanced real-time monitoring and analysis tools that examine user behavior directly within the browser. We analyze what the user sees and does while browsing (the page’s code, behavior, and interaction patterns) to stop the attack the moment it tries to execute.
Beyond traditional phishing, this protection also blocks:
AiTM (Adversary-in-the-Middle) phishing, where attackers proxy the login flow and capture the resulting active session.
Credential stuffing attempts, and malicious extensions that try to steal passwords.
Fake OAuth grants or session hijacking aimed at accessing corporate accounts.
At TecnetOne, we also help you identify vulnerabilities before they become a problem—such as unmanaged logins, SSO gaps, weak passwords, or missing MFA on critical accounts.
We can even detect when an employee logs into personal accounts from their corporate browser—a key step in preventing data leaks like those that have impacted major companies in recent years.
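To make the browser-side checks described above concrete, here is an added example (not TecnetOne’s product code) that classifies credential-submission events captured in the browser. It applies two of the checks the article mentions: a password form on a page that imitates a corporate identity provider or posts credentials cross-origin is flagged as likely phishing, and a login to a consumer identity host with a non-corporate username is flagged as a personal account login from the corporate browser. The allowlisted hosts, the corporate domain `example-corp.com`, the Okta tenant name and every sample event are constructed placeholders; a real deployment would load them from policy.

```javascript
// Added example, not code from the article or from TecnetOne.
// Models browser-side classification of credential submissions.
// All hostnames, usernames and events below are constructed for illustration.

// Assumed policy data (placeholders for a real deployment's configuration).
const CORPORATE_IDP_HOSTS = new Set([
  "login.microsoftonline.com", // Microsoft Entra
  "accounts.google.com",       // Google Workspace
  "example-corp.okta.com",     // constructed Okta tenant
]);
const CORPORATE_EMAIL_DOMAINS = new Set(["example-corp.com"]);
// Identity hosts shared with consumer accounts: a non-corporate username here
// means the employee is signing into a personal account from the work browser.
const SHARED_IDP_HOSTS = new Set(["accounts.google.com", "login.live.com"]);
// Brand words commonly imitated by cloned login pages.
const IMITATED_BRANDS = ["microsoft", "office 365", "google", "okta"];

// Classify one credential-submission event captured from the browser.
// Assumed event shape: { pageUrl, formAction, hasPasswordField, username, pageTitle }
function classifySubmission(ev) {
  if (!ev.hasPasswordField) return { verdict: "ignore", reason: "no password field" };
  const pageHost = new URL(ev.pageUrl).hostname;
  const actionHost = new URL(ev.formAction, ev.pageUrl).hostname;
  const userDomain = (ev.username || "").split("@")[1] || "";
  const title = (ev.pageTitle || "").toLowerCase();

  if (CORPORATE_IDP_HOSTS.has(pageHost)) {
    // Genuine IdP page: the only remaining concern is a personal-account login.
    if (SHARED_IDP_HOSTS.has(pageHost) && userDomain && !CORPORATE_EMAIL_DOMAINS.has(userDomain)) {
      return { verdict: "personal-login", reason: `non-corporate account ${ev.username} on ${pageHost}` };
    }
    return { verdict: "allow", reason: "corporate identity provider" };
  }

  // Unknown host: imitating IdP branding, posting credentials to another origin,
  // or collecting a corporate username are each treated as a phishing signal.
  const mimicsBrand = IMITATED_BRANDS.some((b) => title.includes(b));
  const crossOrigin = actionHost !== pageHost;
  const corporateUser = CORPORATE_EMAIL_DOMAINS.has(userDomain);
  if (mimicsBrand || crossOrigin || corporateUser) {
    const signals = [
      mimicsBrand && "imitates IdP branding",
      crossOrigin && `posts credentials to ${actionHost}`,
      corporateUser && "corporate username entered",
    ].filter(Boolean);
    return { verdict: "block", reason: signals.join("; ") };
  }
  return { verdict: "allow", reason: "unrelated password form" };
}

// Constructed sample events: a real Entra login, a cloned "document review" page,
// a personal Google login, and an unrelated forum login.
const SAMPLE_EVENTS = [
  { pageUrl: "https://login.microsoftonline.com/common/oauth2/authorize", formAction: "/common/login",
    hasPasswordField: true, username: "cfo@example-corp.com", pageTitle: "Sign in to your account" },
  { pageUrl: "https://secure-docs-review.example.net/view", formAction: "https://collector.example.org/p",
    hasPasswordField: true, username: "cfo@example-corp.com", pageTitle: "Microsoft | Review shared document" },
  { pageUrl: "https://accounts.google.com/signin/v2", formAction: "/signin/challenge",
    hasPasswordField: true, username: "alice@personal-mail.example", pageTitle: "Sign in - Google Accounts" },
  { pageUrl: "https://forum.example.net/login", formAction: "/login",
    hasPasswordField: true, username: "alice", pageTitle: "Forum login" },
];

// Classify every sample event and return the verdicts with the page host.
function runSamples(events = SAMPLE_EVENTS) {
  return events.map((ev) => ({ host: new URL(ev.pageUrl).hostname, ...classifySubmission(ev) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(r.verdict.padEnd(15), r.host, "-", r.reason);
}
```

The point of the structure is that the verdict depends on what the user is doing on the page (a password field plus where the form posts and which identity is typed), not on whether a URL is already on a blocklist, which is what lets the check fire on a freshly registered phishing domain.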
In short, the new frontier of cybersecurity is the browser—and at TecnetOne, we help you protect that critical point before a single click turns into a breach.