A recent phishing campaign has arisen targeting users on LinkedIn in public post comments. This demonstrates attackers shifting away from DMs and email as initial attack vectors and toward highly visible spaces where users feel safer and less guarded. This approach is more likely to catch targets unaware, as users are not often primed to be on the watch for phishing attempts in this environment.
How the Fake Comment Scam Works
The LinkedIn comment phishing attack begins with bot-like accounts replying publicly to legitimate posts. These comments impersonate official LinkedIn moderation, warning users of supposed urgent violations of the site’s policies. The messages use lnkd.in short links to bolster their apparent legitimacy and to disguise the external phishing domains they resolve to. The link preview appears legitimate, but the link leads to a fake verification page. If the user clicks the link and goes through the fake verification steps, the credentials entered on that page are harvested.
Why the Comments Look So Convincing
These phishing comments are particularly deceptive because of the social engineering tactics they rely on. The comments take advantage of LinkedIn’s familiar branding and the style of language usually used in official communications. Because commenting on posts is platform-native behavior, users are primed to trust the message more than they would, for instance, a cold DM. The urgency and public visibility of the messages also carry psychological weight, pushing targets to act quickly to remedy the supposed problem rather than pausing to consider whether the message is authentic.
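A defender-side triage heuristic for the comment pattern described above, added here as an example and not taken from the article or from LinkedIn’s own moderation systems; the regular expressions, weights, threshold and sample comments are all assumptions constructed for illustration.

```python
import re

# Heuristic triage for public-comment phishing that impersonates platform
# moderation. Added example; patterns and weights are assumptions, not
# LinkedIn's logic.
MODERATION_RE = re.compile(
    r"\blinkedin\s+(support|team|moderation|moderators?|trust\s*&?\s*safety|security)\b", re.I)
POLICY_RE = re.compile(r"\b(policy|policies|terms|guidelines?|community standards)\b", re.I)
VIOLATION_RE = re.compile(r"\b(violat\w*|breach\w*|infring\w*)\b", re.I)
VERIFY_RE = re.compile(r"\b(verify|confirm|validate)\b[^.]{0,40}\b(account|identity)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(immediately|urgent\w*|suspen\w*|restrict\w*|permanent\w*|within\s+\d+\s*(hours?|days?))\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
SHORTLINK_RE = re.compile(r"https?://lnkd\.in/\S+", re.I)  # shortener hides the real destination

THRESHOLD = 5  # assumed cut-off; tune against real moderation data


def score_comment(text):
    """Return (score, reasons) for one comment body."""
    hits = []
    if MODERATION_RE.search(text):
        hits.append(("impersonates_moderation", 3))
    if POLICY_RE.search(text) and VIOLATION_RE.search(text):
        hits.append(("claims_policy_violation", 2))
    if VERIFY_RE.search(text):
        hits.append(("asks_for_verification", 2))
    if URGENCY_RE.search(text):
        hits.append(("urgency_language", 1))
    if URL_RE.search(text):
        hits.append(("contains_link", 1))
        if SHORTLINK_RE.search(text):
            hits.append(("shortened_link_hides_destination", 1))
    return sum(w for _, w in hits), [name for name, _ in hits]


def triage(comments):
    """Return (comment, score, reasons) for comments at or above THRESHOLD, for human review."""
    return [(c, s, r) for c in comments for s, r in [score_comment(c)] if s >= THRESHOLD]


# Constructed sample comments (not real posts); links are placeholders.
SAMPLE_COMMENTS = [
    "LinkedIn Support: your post violates our community guidelines. "
    "Verify your account within 24 hours to avoid suspension: https://lnkd.in/EXAMPLE-PLACEHOLDER",
    "Great article! I wrote something similar here: https://lnkd.in/EXAMPLE-PLACEHOLDER-2",
    "Congrats on the new role!",
]

if __name__ == "__main__":
    for comment, score, reasons in triage(SAMPLE_COMMENTS):
        print(score, reasons, comment[:60])
```

Note that a legitimate comment sharing an lnkd.in link scores low on its own; the score only climbs when the link is combined with impersonation, violation claims and urgency, which is the combination the campaign relies on.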
AI and Automation Fuel the Scale
Attackers are likely using AI and automation to carry out these phishing attempts. Automating certain processes enables threat actors to generate, customize, and rapidly deploy large volumes of convincing comments across the platform. The explosive growth of AI usage in recent years has led to adoption not only by individual users and organizations for legitimate purposes, but by attackers as well.
Experts stress the significance of the advanced technological capabilities of attackers. “What’s different here is scale,” says Shane Barney, Chief Information Security Officer at Keeper Security, a Chicago-based provider of zero-trust and zero-knowledge cybersecurity software. “Automation and AI enable attackers to flood comment threads with convincing, bot-driven posts faster than moderation systems can react, effectively turning public conversations into phishing delivery channels.”
LinkedIn’s Response and What It Won’t Do
In response to these comments appearing across the platform, LinkedIn has clarified that policy violations are never communicated to users via public comments. LinkedIn has also confirmed that the accounts responsible for these comments are being removed. However, neither the announcement nor the removal of the bot-like accounts can prevent future comments or undo the damage already done where the attacks have succeeded in deceiving users.
The Real Risk: Account Takeover and Lateral Abuse
The potential harm from stolen LinkedIn credentials is significant, starting with account takeover and impersonation, which attackers can use for a variety of malicious ends. Compromised accounts can be used to amplify scams through trusted networks and potentially to access corporate or recruiting conversations.
The account compromise is not the end of the attack, but the initial access point that can lead to significant damage down the line. “Adversaries often begin by compromising low-privileged accounts, using them as a foothold to quietly observe systems, map out processes, and identify vulnerabilities,” says Rex Booth, Chief Information Security Officer at SailPoint, an Austin, Texas-based enterprise identity security provider. “Over time, they escalate privileges or move laterally, positioning themselves to impersonate legitimate users, authorize fraudulent transactions, or disrupt operations.”
What Users Should Do Now
It is vital for LinkedIn users to take precautions in order to protect against these phishing attacks. Traditional phishing education may not cover messages delivered via comments on public posts, but phishing awareness principles and caution should be extended to all online interactions. Avoid clicking “policy” links in public comments, as official LinkedIn communications will never use this channel to alert users of violations of the site’s terms.
Users concerned about potential policy violations should check their account status through LinkedIn’s official settings, and any suspicious comments should be reported so the account behind them can be investigated and blocked. Enabling multi-factor authentication also significantly reduces the risk of account compromise and takeover.
The Bigger Signal for Security Teams
This campaign is not occurring in isolation: it is part of a broader trend of attackers embedding themselves into normal digital behavior rather than breaking it. Individuals and security teams alike need to stay aware of how threat actors evolve and shift tactics to increase effectiveness. Phishing and credential harvesting remain popular, and attackers continue to find new channels through which to deceive their targets.