When you share a link on LinkedIn and the URL is longer than 26 characters, LinkedIn automatically shortens it, as its policy states. You may have seen this while perusing the site. It looks like this:

However, that shortened URL can be used to hide phishing. Avanan researchers have uncovered how hackers are taking advantage of this. Here’s an example email:

[Screenshot: the example phishing email]

The URL (shortened to lnkd.in) passed through the LinkedIn short URL service, leading visitors across several redirects, landing on this phishing page:

[Screenshot: the phishing landing page]

This particular email can target anyone. Though it presents itself as a standard credential harvesting and invoice scheme, the use of a LinkedIn URL may mean that any profession—the market for LinkedIn—could click. Plus, more employees have access to billing and invoice information, meaning that a spray-and-pray campaign can be effective. 

Whether it’s the “lnkd.in” form or the https://www.linkedin.com/slink?code=aB-cDeF variation, the idea is the same: create a link that points at a clean page, which then redirects to a phishing page.
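One way a mail gateway can handle this, as an added example that is not Avanan's code: expand the short link one hop at a time and hand the final landing host to the URL scanner instead of judging the lnkd.in or linkedin.com domain. A LinkedIn short link landing off-site is normal (that is what the shortener is for), so the result says where to scan, not whether the link is malicious; the tracker.example chain below is constructed for offline use.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

def under_domain(host, domain):
    # Exact host or a true subdomain; a look-alike such as "notlinkedin.com" must not match.
    return host == domain or host.endswith("." + domain)

def is_linkedin_short_link(url):
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return host == "lnkd.in" or (under_domain(host, "linkedin.com") and p.path == "/slink" and "code=" in p.query)

def http_location(url):
    # Live fetcher: one HEAD request, returning (status, Location) without following it.
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, method="HEAD")
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req, timeout=10)
        return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once redirects are not followed
        return err.code, err.headers.get("Location")

def resolve_chain(url, fetch=http_location, max_hops=10):
    # Follow redirects one hop at a time so every intermediate URL is recorded.
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain

def assess(url, fetch=http_location):
    # Report the host a URL filter must actually inspect, which is not the shortener's.
    chain = resolve_chain(url, fetch)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    off_site = is_linkedin_short_link(url) and not under_domain(final_host, "linkedin.com")
    return {"chain": chain, "hops": len(chain) - 1, "final_host": final_host, "scan_final": off_site}

# Constructed redirect chain for offline use; tracker.example is a placeholder, not a real indicator.
CONSTRUCTED = {
    "https://lnkd.in/abc123": (302, "https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Ftracker.example%2Fgo"),
    "https://www.linkedin.com/redir/redirect?url=https%3A%2F%2Ftracker.example%2Fgo": (302, "https://tracker.example/go"),
    "https://tracker.example/go": (302, "/invoice/login"),
    "https://tracker.example/invoice/login": (200, None),
}
constructed_fetch = lambda url: CONSTRUCTED.get(url, (200, None))
```

Calling `assess("https://lnkd.in/abc123", constructed_fetch)` walks three hops and reports tracker.example as the host to scan; with the default fetcher the same function works against live links.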

Check Point Research found that LinkedIn is the sixth-most impersonated brand in phishing attempts globally in Q2 2021. That’s up two spots from Q1 2021.

In late 2020, we wrote about another scam impersonating LinkedIn notifications via email.

By preventing malicious emails like this one from reaching the inbox, Avanan prevents end-user confusion and keeps organizations safer. 
