5 Reasons Why Attackers Are Phishing Over LinkedIn
"Phishing attacks are no longer confined to the email inbox, with 1 in 3 phishing attacks now taking place over non-email channels like social media, search engines, and messaging apps. LinkedIn in particular has become a hotbed for phishing attacks, and for good reason. Attackers are running sophisticated spear-phishing attacks against company executives, with recent campaigns seen targeting enterprises in financial services and technology verticals."
"But phishing outside of email remains severely underreported - not exactly surprising when we consider that most of the industry's phishing metrics come from email security tools. Your initial thought might be 'why do I care about employees getting phished on LinkedIn?' Well, while LinkedIn is a personal app, it's routinely used for work purposes, accessed from corporate devices, and attackers are specifically targeting business accounts like Microsoft Entra and Google Workspace."
"1: It bypasses traditional security tools. LinkedIn DMs completely sidestep the email security tools that most organizations rely on for phishing protection. In practice, employees access LinkedIn on work laptops and phones, but security teams have no visibility into these communications. This means that employees can be messaged by outsiders on their work devices without any risk of email interception."
One in three phishing attacks now occurs over non-email channels such as social media, search engines, and messaging apps. LinkedIn has become a major vector, with sophisticated spear-phishing campaigns targeting company executives in financial services and technology firms. Non-email phishing remains severely underreported because most industry metrics derive from email security tools. LinkedIn is routinely used for work, accessed from corporate devices, and attackers specifically target business accounts like Microsoft Entra and Google Workspace. LinkedIn direct messages bypass traditional email security tools and leave security teams blind to those communications. Modern phishing kits employ obfuscation, anti-analysis, and detection evasion that defeat web-crawling and web-proxy inspection, forcing reliance on user training and reporting.
Read at The Hacker News