Thought Leadership
A new phishing campaign uses convincing LinkedIn notifications to lure users to fake login pages. The emails are so well crafted that even cautious users might fall for them.
Security researchers at the Cofense Phishing Defense Center have analyzed a phishing campaign in which attackers send convincing fake LinkedIn notifications to steal user credentials. The fraudulent emails are nearly indistinguishable from genuine messages sent by the platform.
How the attack works
The scheme is simple but effective: victims receive an email that looks exactly like a typical LinkedIn notification about a new message. Logo, font, layout, everything checks out. In the message body, the supposed sender poses as an employee of a reputable company and urges the recipient to get in touch quickly about a business opportunity. It’s the classic social engineering playbook: spark curiosity, create urgency, get the click.
According to Cofense analyst Enrico Silverio, that’s precisely what makes this so dangerous: “A moment of curiosity or urgency is all it takes for an attack to succeed.” Three prominently placed buttons in the email are designed to make it look like the user can respond to the message directly. In reality, all three redirect to a fake LinkedIn login page that is virtually identical to the real thing. Anyone who enters their credentials there hands them straight to the attackers.
A closer look reveals the deception
The attackers don’t operate entirely without leaving traces, though. The sender address comes from the domain “khanieteam.com”, which has no connection to LinkedIn and was only a few days old at the time of analysis. The phishing page itself also gives itself away through its URL: the domain “inedin.digital” was clearly chosen because it vaguely resembles “LinkedIn” at a quick glance. It had only been registered two months before its discovery, another strong indicator of malicious intent. As Silverio notes, the attackers deliberately picked a domain name that “repeats familiar letter patterns like ‘in’ and ‘din'” to deceive users who don’t look too closely.
The campaign is yet another reminder of how much effort now goes into phishing attacks. Silverio warns that “threat actors continue to evolve in both technical sophistication and persistence.” Even routine notifications that barely register in day to day work life can serve as an entry point. A quick check of the sender address and the target URL remains the most reliable defense, no matter how convincing the rest of the email may look.
