The phishing landscape is rapidly shifting, as attackers increasingly bypass traditional email routes. Today, 1 in 3 phishing attempts is delivered through alternative channels including social networks, search engines, and chat-based apps.
LinkedIn itself has increasingly turned into a focal point for phishing activity, driven by attackers' ability to craft convincing, personalised lures from the profile data the platform exposes. Recent campaigns have zeroed in on executives within major financial and tech enterprises.
As LinkedIn-driven phishing attempts continue to rise, businesses must strengthen their defences. These five points explain why attackers are drawn to the platform and how they manage to achieve such high success rates.
Evading Conventional Security Defences
Because LinkedIn DMs operate outside the email ecosystem, they evade the traditional security layers organisations rely on. Staff often use LinkedIn on their work devices, yet security teams lack visibility and control over these conversations — meaning outsiders can deliver phishing messages directly to employees without any email-based detection.
Attackers further exploit this gap using phishing kits built to circumvent browser analysis, web crawlers, and proxy-based inspection, rendering many technical controls ineffective. Consequently, companies are left depending heavily on employee training and manual reporting.
However, even when threats are reported, LinkedIn offers minimal remediation capability: no message recall, no sender blocks, no visibility into broader targeting patterns. Reporting the malicious profile may freeze the account eventually, but the attacker has likely already achieved their objective. Meanwhile, blocking URLs is largely futile as phishing domains rotate rapidly, creating an endless and unwinnable chase.
A Low-Cost, High-Impact Channel for Attackers
LinkedIn phishing is significantly easier to execute than email phishing. Email campaigns typically require attackers to register domains, build trust over time, and work around filtering systems. On LinkedIn, creating a credible profile would seem comparable — but attackers often skip that step entirely.
Credential theft makes this possible. A large share of stolen credential logs (the output of infostealer malware running on victims' devices), about 60%, relates to social media accounts, many of which do not have MFA enabled. Taking over these accounts gives attackers an authentic, aged identity and immediate access to a network of real contacts.
Pairing compromised profiles with AI-driven direct messaging lets attackers scale their operations quickly and at almost no cost, making LinkedIn an attractive phishing vector.
Effortless Reach Into Executive-Level Targets
LinkedIn makes reconnaissance remarkably simple. An attacker can easily review an organisation’s employee profiles and identify individuals worth targeting. The platform is already a favourite among red teamers and threat actors for assessing job roles and responsibilities to determine which users hold the access or privileges needed for an effective compromise.
Compounding this, LinkedIn offers no message screening, spam filtering, or gatekeeping that the employer controls or can tune. Messages land directly in the recipient's inbox, making it one of the most effective channels for executing precise, highly targeted spear-phishing campaigns.
Greater Success Rates Among Victims
Professional networking platforms like LinkedIn naturally encourage interaction with people outside your organisation, which makes users more inclined to engage. Senior leaders, in particular, are far more likely to open and respond to a LinkedIn DM than to yet another suspicious-looking email.
When attackers hijack legitimate accounts, the likelihood of engagement climbs even higher. A message from a familiar connection mirrors the impact of compromising a trusted business email — a tactic that has driven numerous breaches.
In some recent incidents, attackers have even taken over accounts belonging to colleagues, essentially turning a compromised LinkedIn profile into the equivalent of a breached corporate email. With a convincing pretext, such as an urgent approval request or document review, the probability of a successful phish rises sharply.
High Stakes and Even Higher Rewards
Attacks delivered through personal apps may appear low-risk, but their consequences often extend deep into the enterprise. Once an attacker steals credentials for platforms like Microsoft, Google, or Okta, they gain far more than access to a single system — SSO allows them to move laterally into every integrated business application the employee uses.
This broadens their reach across core business operations and datasets. With control of one account inside the environment, they can escalate the attack, targeting colleagues through internal collaboration apps or using methods like SAMLjacking (reconfiguring a compromised application's SAML single sign-on settings so that colleagues' routine logins are redirected through an attacker-controlled identity provider that captures their credentials) to compromise additional users.
When an executive’s account is involved, the damage multiplies quickly. A single foothold can escalate into an organisation-wide incident costing millions.
Even compromises that begin on personal accounts and devices can cascade into corporate breaches. In the Okta incident of 2023, an employee had signed in to a personal Google account on the Chrome browser of an Okta-managed laptop, and a corporate service-account credential was saved into that personal profile. When the personal account was compromised, the attacker used the credential to reach Okta's customer support system and files belonging to 134 customer tenants.
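One control that addresses exactly this failure mode is a managed Chrome browser policy that only allows corporate Google accounts to sign in to the browser profile and turns off the built-in password manager, so a personal account can neither become the profile identity nor receive synced corporate credentials. The fragment below is an added example, not configuration from the original page or from Okta; `example.com` is a placeholder for the organisation's own domain, and the policy names are Chrome enterprise policies (`BrowserSignin`, `RestrictSigninToPattern`, `PasswordManagerEnabled`). On Linux it would live in `/etc/opt/chrome/policies/managed/`; on Windows the same keys are set under `HKLM\Software\Policies\Google\Chrome`.

```json
{
  "_comment": "Added example policy, not from the original page. Replace example.com with your own domain.",

  "BrowserSignin": 1,

  "RestrictSigninToPattern": ".*@example\\.com",

  "PasswordManagerEnabled": false
}
```

With `BrowserSignin` set to 1 (signed-in browsing allowed but not forced) and `RestrictSigninToPattern` limiting the allowed account to the corporate domain, a user who tries to add a personal Gmail account as the browser profile is refused, which removes the path by which a personal account's compromise exposes a work profile. Disabling the browser password manager pushes staff to the enterprise password manager the organisation actually monitors; if the business relies on Chrome's password store, keep that key out and rely on the sign-in restriction alone.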