
LinkedIn Social Engineering: Protecting Your Staff from Fake Recruitment Scams


Fake recruiter messages on LinkedIn are a textbook social engineering attack: they rely on no technical exploit at all, only on looking entirely legitimate. There is no malware link in the first message and no obvious red flag, just a polished profile, a plausible job description, and a friendly tone.

By the time the actual attack comes — a phishing link dressed as an assessment portal, a request for sensitive documents, or a push for a verification code — the target has already built enough rapport to lower their guard.

LinkedIn itself removes tens of millions of fake accounts every year, but enough get through to reach real employees. And because the platform is specifically associated with professional opportunity, people are more likely to engage with an unexpected message there than they would with a cold email.

What the scam typically looks like

Phase 1 — Credible contact. The fake recruiter has a polished profile: a professional photo, a plausible job history, and some connections. The opening message references your company, your industry, or a specific role that sounds relevant to the person they’re targeting.

Phase 2 — Moving off-platform. Once initial rapport is established, the conversation moves to email, WhatsApp, or a “recruitment portal.” This is deliberate: LinkedIn’s link scanning, reporting tools, and message history all disappear, and the attacker can now send files and links directly, often to a personal phone where the employer’s mail filtering never sees them.

Phase 3 — The pivot. At this point the actual attack happens:

  • A link to a “skills assessment” or “candidate portal” that captures credentials (often a login page cloned from a real vendor or from the target’s own single sign-on)
  • A request for identity documents for “pre-employment verification,” which are then used for identity fraud or as leverage
  • A request for a verification code (“our system needs to confirm your account”); the code is in fact the one-time code protecting the target’s own email, LinkedIn, or corporate account, and handing it over completes an account takeover
  • An upfront payment for equipment, training, or a background check

Phase 4 — Pressure. “This role closes tomorrow.” “We have three other candidates in final stage.” “I need this information today to keep you in consideration.” Urgency prevents deliberate thought.

Red flags to know

  • The role description is vague or too good: high pay, flexible conditions, minimal experience required
  • The recruiter uses a personal email address (Gmail, Outlook, and the like) instead of a company domain, or a domain that merely resembles the company’s (an extra word, a swapped letter, a different ending); lookalike domains cost a few pounds to register, so “looks corporate” is not enough
  • Any request for payment at any stage
  • Any request for a verification code sent to your phone or email; no legitimate recruiter or employer ever needs one
  • A request to move the conversation to a different platform immediately
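The red flags above translate directly into a triage check that a security team can run over reported recruiter emails. The following script is an added example, not part of the original article: it scores a message for the flags listed (free-mail sender, payment, document or verification-code requests, an immediate move off-platform, urgency phrasing) and goes one step beyond the list by testing whether the sender’s domain is a lookalike of the company’s real domain. The company domain `example.com`, the phrase patterns, and all sample messages are constructed for illustration.

```python
"""Triage heuristic for unsolicited recruiter messages (added example)."""
import re
from dataclasses import dataclass, field

# Assumption: the organisation's real domain (constructed for this example).
COMPANY_DOMAIN = "example.com"

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com",
             "icloud.com", "protonmail.com"}

# Phrase patterns for each red flag; matched case-insensitively on the body.
PATTERNS = {
    "payment_request": r"\b(fee|deposit|upfront|wire transfer|gift card|bank details|pay for)\b",
    "verification_code": r"\b(verification code|one[- ]time (code|passcode)|otp|code (we|i) (just )?(sent|texted))\b",
    "document_request": r"\b(passport|driv(er'?s|ing) licen[cs]e|national id|social security|bank statement)\b",
    "off_platform": r"\b(whatsapp|telegram|signal|personal (number|email|phone))\b",
    "urgency": r"\b(today|tomorrow|within 24 hours|immediately|last chance|other candidates)\b",
}

# Flags that are disqualifying on their own before a formal offer.
HARD_STOP = {"payment_request", "verification_code", "document_request"}


@dataclass
class Triage:
    sender_domain: str
    flags: list = field(default_factory=list)
    verdict: str = "ok"          # "ok" | "verify" | "block"


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch swapped-letter lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def lookalike(domain: str, company_domain: str) -> bool:
    """True if domain imitates company_domain without being it or a subdomain."""
    if domain == company_domain or domain.endswith("." + company_domain):
        return False
    brand = company_domain.split(".")[0]
    label = domain.split(".")[0]
    if brand in label:                       # example.co, example-careers.com, examplehr.com
        return True
    return levenshtein(label, brand) <= 2    # exarnple.com, examp1e.com


def triage(sender: str, body: str, company_domain: str = COMPANY_DOMAIN) -> Triage:
    dom = domain_of(sender)
    result = Triage(sender_domain=dom)
    text = body.lower()
    for name, pattern in PATTERNS.items():
        if re.search(pattern, text):
            result.flags.append(name)
    if dom in FREE_MAIL:
        result.flags.append("free_mail_sender")
    if lookalike(dom, company_domain):
        result.flags.append("lookalike_domain")
    if HARD_STOP & set(result.flags):
        result.verdict = "block"
    elif result.flags:
        result.verdict = "verify"
    return result


# Constructed sample messages: one early-stage approach, one pivot, one legitimate.
SAMPLES = [
    ("Priya <priya.r@gmail.com>",
     "Hi, saw your profile. Great senior role, flexible hours. Can we chat on WhatsApp today?"),
    ("talent@example-careers.com",
     "To complete pre-employment verification please send a scan of your passport "
     "and the verification code we just sent."),
    ("recruiting@example.com",
     "We'd like to invite you to a first-round interview next week; pick a slot on the link below."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        r = triage(sender, body)
        print(f"{r.verdict:6}  {r.sender_domain:22}  {', '.join(r.flags) or '-'}")
```

A “verify” verdict means the message may still be genuine and should be checked through an independent channel; “block” means one of the hard-stop requests is present and the staff member should be told plainly that it is a scam. The lookalike check is deliberately loose (a brand name embedded in the label, or within two edits of it) so it will also flag legitimate third-party agencies that put the client’s name in their domain; that is the intended bias, since those senders can be confirmed with a phone call, whereas a missed lookalike cannot be taken back. Very short brand names will produce false positives from the substring test and need a stricter rule.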

What to tell your team

Keep it simple: any recruiter who asks for money, a verification code, or sensitive documents before a formal offer is a scam. Full stop.

For everything else, the standard is verification through a separate channel. If someone contacts you claiming to be from a company, look up that company’s number independently and call them, and check that the sender’s email domain is exactly the company’s own, not a near match. Don’t use contact details provided in the original message, and report anything suspicious to your security team so the same approach can be spotted when it reaches a colleague.


LinkedIn recruitment scams succeed because they target something real — people’s interest in their careers and professional growth. The defence isn’t cynicism; it’s a simple set of behaviours your team can apply consistently. If you’d like to include this in a security awareness programme for your staff, get in touch.

Ready to scale safely?

Book a discovery call and we'll map out where you stand and what comes next.