Today, I received this very suspicious LinkedIn InMail message from one of my friends:
I smelled that something was quite off. Upon opening that PDF document, I saw this:
Something is very off with this message. So, I messaged my friend and asked whether she had sent me that message at 4 am. She told me she had received exactly the same message too.
“What happened after you clicked on the ‘View Document’ button in the PDF file?”, I asked.
“Nothing at all. It leads to LinkedIn Talent Solutions,” she replied.
“Were you prompted to log into your LinkedIn account with your password?”
“Hmm… I think so. Now I cannot even access my LinkedIn account! It has transferred $5k [from my debit card] already!!!”
So, what happened?
After receiving that same message, my friend opened the PDF document. Then she clicked on the ‘View Document’ button inside the PDF, which opened a link in her web browser. That page was styled as “LinkedIn Talent Solutions”, but it was actually a phishing page. She must have entered her LinkedIn email/phone number and password into that phishing page.
Then the hacker changed her LinkedIn password and set up 2-step verification on her LinkedIn account, locking her out. He then used LinkedIn’s InMail feature to send that same scam message to lots of people, including some or all of her contacts (I’m one of them). Because InMail messages look ‘official’, the chances of someone trusting the message as legitimate are much higher.
As each InMail message costs money to send, LinkedIn automatically charged the debit card kept on file on her LinkedIn account. In total, $5,000 was deducted from her bank account via her debit card.
So, what must she do?
I advised my friend to first contact her bank. Fortunately, her bank’s fraud detection department smelled something was wrong too and contacted her first. They will probably block her debit card, or at least block all transactions from LinkedIn.
Next, she needs to contact LinkedIn to restore access to her account. Unfortunately, it is very hard to find a phone number to call LinkedIn. I advised her to contact them through their Facebook page using Facebook Messenger.
Lastly, if she ever reused her LinkedIn password on other accounts, she must change those passwords ASAP. Otherwise, hackers will compromise her other accounts very quickly. I can assure you, hackers act fast in doing this: they have the means to automate it using software robots that try the stolen email/password pair on many other sites. Just Google the term “credential stuffing” and you will be horrified at the technology hackers have at their disposal to do it.
My recommendation is to use a password manager to help secure all your accounts. As I wrote in If you don’t use a password manager, you will EVENTUALLY be hacked, if you don’t use one, hackers will get you eventually.
There’s more you can do to protect yourself
Make no mistake, there are a lot of other ways for hackers to get you; this is just one example. You need to arm yourself with knowledge to protect yourself. I recommend that you get my book (filled with step-by-step instructions) to protect yourself further: