
How Scammers Use LinkedIn to Target Australian Employees


LinkedIn is brilliant for networking. It's also brilliant for scammers. That professional profile you've carefully crafted — your job title, your employer, your skills, your connections, your recent posts — is essentially a free reconnaissance tool for anyone who wants to target you or your business.

Here's how they use it.

Reconnaissance for spear phishing

LinkedIn tells an attacker exactly who works at your company, what their roles are, and how they connect. A quick search of "accounts payable [company name]" might surface the exact person responsible for processing payments. That's who they'll target with a fake invoice.

They can also identify the MD or CEO (to impersonate them), the IT manager (to impersonate in a fake IT support email), and any recently joined staff who might be more susceptible to "just checking — this is how we normally do things here, right?" manipulation.

Fake LinkedIn connection requests

Scammers create fake LinkedIn profiles — often posing as recruiters, investors, or industry contacts — and send connection requests. Once connected, they might:

  • Send a message with a "job opportunity" that contains a malicious link
  • Extract more personal information through conversation to personalise a phishing attack
  • Build a relationship before asking you to look at a "document" or "portfolio" (which is malware)

Fake job offers

LinkedIn-based job scams are rampant. A recruiter reaches out with an amazing opportunity. After a few messages, they send a "job brief" or "assessment task" as an attachment — which installs malware. Or they ask for personal details for a "background check" before any job has actually been offered.

How to protect yourself:

  1. Audit your LinkedIn privacy settings. Limit who can see your connections, your contact information, and your activity.
  2. Be wary of unsolicited connection requests. If you don't know the person and there's no obvious reason for the connection, think carefully before accepting.
  3. Never download files from LinkedIn messages. Legitimate recruiters and partners don't send attachments through LinkedIn DMs without prior discussion.
  4. For businesses: brief your team on LinkedIn-based reconnaissance. The information they share publicly is information attackers can use.
  5. Check profiles carefully. Fake profiles often have generic stock photos (run them through a reverse image search), vague employment history, and very few connections.

It's not just you

LinkedIn reconnaissance affects your whole business. One employee's public profile might reveal enough information for an attacker to craft a convincing spear-phishing email targeting a different colleague. Security is a team sport.

Build your whole team's scam-spotting skills at Phishbate →
