The Cofense Phishing Defence Center (PDC) has identified a phishing campaign targeting LinkedIn users. It has been reported that a suspicious number of phishing messages were sent via LinkedIn. Smart Links are offered to business accounts as part of the Sales Navigator service. Smart Links are used to reach out to other LinkedIn users – the links are trackable, so senders can measure engagement.
Threat actors have found a way to exploit the feature and redirect users to malicious websites that attempt to steal personal information and credentials. Phishing has been a go-to tactic for cybercriminals for a long time. The best way to stay safe online is to never click suspicious links, and if you’re browsing an untrustworthy website, always protect yourself by connecting to a VPN, which conceals your IP address and web activity. A VPN won’t protect you from a phishing attempt that requires you to input personal details. However, some VPNs have built-in phishing detection or can detect and alert you if you’re visiting a malicious website.
Between July and August 2023, Cofense says that some 800 emails were sent out using around 80 links. The messages contained typical phishing copy relating to financial, document, security and general notifications in a bid to lure victims. Links can be sent via newly created LinkedIn accounts or existing compromised accounts.
Leveraging Smart Links in phishing isn’t new. In 2022, Cofense identified the same LinkedIn phishing campaign, which used Smart Links as bait. Similar tactics were deployed and threat actors bypassed the secure email gateway (SEG) to deliver credential phishing.
The popular social network for professionals is used to share business news, hunt for jobs and connect with like-minded business people. Like most other social media platforms, users are required to enter personal credentials – making it a target for hackers.
LinkedIn has credible trust signals, which makes it a lucrative target. A trusted domain name can allow threat actors to take advantage of unsuspecting victims who are more likely to click malicious links. Cofense reported that while the hackers weren’t targeting any one specific industry, several industries were targeted – the finance and manufacturing sectors were hit the hardest.
Phishing is one of the most common cybercrimes, and tactics have become so sophisticated these days that it can, at times, be tricky to identify a bogus link – as with the Smart Links phishing campaign. Phishing can take the form of phone calls, text messages or emails. When receiving emails, you should err on the side of caution when it comes to clicking links – especially from untrusted or unrecognised sources.