Another fake LinkedIn phishing email scam is being circulated. Our system has identified an increase in the phishing email discussed below; please ensure you remain vigilant in identifying other equally deceptive variations.
Cyber criminals are sending out phishing emails purporting to be from LinkedIn. It appears that the aim is for cyber criminals to obtain user’s LinkedIn credentials.
As you can see, it appears to originate from LinkedIn and asks the recipient to verify their email address. One giveaway that should help users identify this as being a scam, is the fact that the email is sent to ‘undisclosed recipients’ and does not address the LinkedIn user by name.
LinkedIn do not send emails asking you to confirm your email address without you requesting to access a new service or similar.
Once the user clicks the ‘Confirm your email address’ button, they are directed to a fake LinkedIn landing page.
Here is a screen shot of the type of landing page to watch out for:
Firstly, the URL is not a legitimate LinkedIn URL (as circled above). Secondly, a less obvious giveaway is the incorrect date in the footer of the landing page; 2012 as opposed to 2015. Email users are easily fooled with these types of scams because the general styling of the email and landing page are almost identical to the brand the scammers are impersonating.
After clicking 'sign in', the fake landing page redirects users to the legitimate LinkedIn home page. If users already have an active session on LinkedIn (i.e they are still logged in with an active browser cookie), the redirect will take users straight to their LinkedIn account.
This gives the impression that the sign in was legitimate - meanwhile the attackers have the user’s LinkedIn credentials. Scammers could potentially use this to harvest other information and access personal or company information.
For example, scammers can impersonate the LinkedIn user by contacting others through their profile, they may access connected LinkedIn company accounts, or even use the credentials that were phished to gain access to other online accounts.
Criminals specifically target well known organisations because they know that people have a sense of familiarity and trust when they receive email correspondence from these companies. For this reason, email recipients are more susceptible to the email phishing scam and share their personal information or passwords which criminals can then use for their own financial or personal gain.
Here are other examples of some recent phishing scams:
Phishing scams can come in many guises, so this is why you must be vigilant and pay close attention to the emails you receive. Here are some quick tips to help you deal with a suspected ‘phishy’ email.
It pays to never click on a link contained within an email. If the email contains a link for you to go directly to your account, type the website address directly into your browser instead and enter your account that way.
This is also important as some phishing scams may trick you into downloading files such as .exe or .zip files. Never download these unless you are sure of their legitimacy, as they may lock, encrypt or steal your data. And be sure to back up your business data every day.
Educating staff and employing multilayered defences including desktop antivirus, anti-malware, anti-spyware, and using cloud-based email filtering and web filtering will go a long way to mitigating the risk from a wide range of email scams.
You can learn more about how phishing works in this blog: What is a phishing scam? And how to spot them (using PayPal as an example).