LinkedIn’s verification process for new accounts is practically non-existent, a problem that’s made the website a hotbed for scammers and impersonators. But if that’s not enough, a new report from BleepingComputer shows that random people can post LinkedIn job listings under nearly any company’s name, opening the door to phishing attacks and recruitment fraud.
Several people may be aware of this “feature,” but Harman Singh, a security expert at Cyphere, was the first person to address it publicly. In his words, “anyone can post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company.”
Companies cannot remove these fake job listings without contacting LinkedIn directly. And that’s a big problem, because scammers can direct applicants to any website or email address using these fake listings.
If you were to make a fake job listing for Apple, for example, you could redirect applicants to a fake Apple login page that collects usernames and passwords. Using email correspondence, you could trick applicants into sharing personal or financial info, such as Social Security numbers (for “background checks”) or banking information (to set up “direct deposit”).
By default, LinkedIn gives companies zero control over unauthorized job listings. But some companies, like Google, are protected from this threat. That’s because they have extra job listing controls that aren’t available to average accounts. The only way to unlock these job listing controls is to hunt down the private email address for LinkedIn’s Trust and Safety team (tns-SAFE@linkedin.com) and complain about the site’s poor job listing security. No joke.
LinkedIn could solve this issue, or at least mitigate it, by immediately blocking unauthorized job listings for all companies. But the website doesn’t seem all that interested in security! For what it’s worth, LinkedIn tells BleepingComputer that it uses “automated and manual defenses” to block fake job listings, but these defenses did not stop BleepingComputer’s writers from setting up fraudulent job listings for their investigation.