What spear phishing actually is
Spear phishing is a phishing email written for one named person. The attacker knows your title, your manager, the project on your plate this quarter, and who you talk to outside the company. Every line is true except the link. Mass phishing fails 999 out of 1,000 times. Spear phishing succeeds because the 1,000th person is the only person it was ever sent to.
The 6-step LinkedIn profiling playbook
LinkedIn is the single highest-value reconnaissance surface on the open internet. Every step below uses only public information that you and your coworkers voluntarily posted. No hacking required.
1. Target identification by job title + company
The attacker starts with a goal. For a wire transfer, they want a "controller," "AP manager," "finance director," or "treasury." For source code, "senior engineer" or "staff engineer." For customer data, "customer success" or "sales ops." LinkedIn's free search filters by current company plus title. Thirty seconds later, the attacker has a name.
2. Manager and reporting structure mapping
"People also viewed" plus the company directory page surface coworkers. A few minutes of clicking maps your team - direct manager, skip-level, CFO or CEO at the top. Now the attacker knows the email cannot just come "from your CFO." It has to come from the specific person named Sarah Lin. That specificity is what makes the email feel real.
3. Recent project mentions in feed
Your feed is gold. "Three weeks into our SAP rollout." "Day one of the Oracle implementation." Every project post tells the attacker exactly what work is on your plate. That context goes straight into the phishing email - and the reference reads as legitimate because the reference is real.
4. Vendor and client relationships from posts
Comments and tagged posts reveal who you work with. "Great kickoff with our friends at Acme Logistics today." "Thanks to the Stripe team for the integration support." Every tagged company becomes a sender pretext. A spoofed email "from Acme Logistics" updating bank details lands very differently when Acme Logistics is genuinely your vendor and you just posted about them last week.
5. Travel and out-of-office signals
This one is brutal. "Heading to Singapore for the regional kickoff." "On leave for two weeks." Every travel and OOO post tells the attacker exactly when you are away from your normal verification routines. A "CEO needs urgent wire transfer" email lands much harder when the real CEO is genuinely on a plane to Tokyo and you cannot just walk over to their desk.
6. Personal details from comments and About sections
Alma mater, kids' names, hobbies, sports allegiances - all of it leaks through your About blurb, endorsements, and comments on others' posts. "Coaching my daughter's soccer team this season." That is the rapport layer. A spear phishing email that opens with "Hope your daughter's team had a good weekend" instantly disarms suspicion. Real people who know you say things like that. Generic phishers do not.
How the perfect email gets written
Once profiling is done, the email writes itself. Three template patterns are in active rotation, each with the LinkedIn-sourced details worked in inline.
Template 1: The CEO wire request (classic BEC)
"Hi Priya, sorry to bother you from Singapore. We need to wire $84,500 today for the SAP rollout - they will not start until paid. Can you get this out before EOD? Please do not loop anyone else in yet, I will explain when I am back.
Thanks,
Sarah Lin, CFO"
Every personal detail in that email came from LinkedIn. The "do not loop anyone in" line is the lock - it shuts down the second-channel verification that would have caught the scam.
Template 2: The vendor bank change
"Hi Priya, we have updated our banking details for the monthly logistics invoice. Please update your records before the May 30 cycle so we do not have any delays on the Q2 shipment.
Best,
Marcus Chen - Acme Logistics"
Marcus Chen is a real person at Acme Logistics. The email comes from a lookalike domain (acme-logistics.co vs acmelogistics.com) or from Marcus's actually compromised mailbox.
Template 3: The recruiter pretext (engineering targets)
"Hi Jordan, came across your recent post about migrating to Rust and your background at Stripe and now Lattice - really impressive. Working a Staff Engineer search for a stealth crypto-infra startup, comp band $340K-$420K plus equity. Worth a chat? Role spec: [link]"
The link is a fake Google Drive login or a credential-harvesting page styled like Notion. The comp band is set just above your market rate from LinkedIn salary data, which is why you click.
Why it bypasses every spam filter
- DKIM and DMARC pass. The email is sent from a compromised legitimate mailbox or from a lookalike domain with its own valid DKIM record. Authentication clears.
- No bad reputation. A brand new lookalike domain has no reputation yet. Reputation filters need precedent to block, and a one-shot spear-phish never gives them one.
- Content does not match generic patterns. No "click here," no "Nigerian prince." The email reads exactly like every other internal note about an SAP rollout invoice. Nothing to flag.
- Volume is one. Filters depend on the same template hitting many mailboxes. A one-email campaign never trips the threshold.
- The first link is clean. It often goes to a real Google Doc or SharePoint preview. The malicious second hop lives on the destination page.
KnowBe4's 2026 phishing benchmark across 12.5 million simulated emails found untrained employees fail spear phishing at roughly 4x the rate of generic phishing. After 12 months of training, spear phishing failure rate still sits near 5% - and with targeted volume in the millions globally, 5% is a lot of breaches.
The 5-second pause that beats it
You do not need to spot the technical tell. You need to verify the request through a second channel before you act.
- Call on a number you already had. Not the number in the email signature - your existing contact list or the internal directory. Thirty seconds on the phone defeats every spear phishing email ever written.
- DM on Slack, Teams, or internal chat. "Hey, did you just email me about a wire?" If no, you just stopped an attack.
- Walk over if you are in the office. The most underrated verification method in security. Five seconds of eye contact ends it.
- For any wire request, dual-authorization. Two named humans must approve any new payee or change of payment instructions. Not two emails - two phone calls. The rule is not bureaucracy. It is the cheapest insurance your finance team owns.
The only rule that matters: never use the contact information inside the suspicious email to verify the suspicious email. Reply to the sender or call the number in the signature, and you are talking to the attacker.
If you already replied or wired money
Speed matters more here than in any other scam. The FBI's Financial Fraud Kill Chain protocol gives banks a 72-hour window to recover internationally wired funds before they disperse across mule accounts. Hour one matters more than hour 24.
- Call your bank's wire desk within the hour. Use the phrase "Financial Fraud Kill Chain" - fraud teams know the protocol and it escalates the case. Domestic wires can sometimes be reversed within 24 hours.
- Report to ic3.gov within 24 hours. The FBI's Recovery Asset Team coordinates with banks on BEC. They recovered roughly $538 million on cases reported inside the 72-hour window in 2024.
- Tell internal IT and security immediately. The attacker may still have a foothold - a compromised mailbox, a hidden inbox rule auto-deleting responses from the real sender. IT needs to hunt before it gets used again.
- Reset credentials and turn on a hardware key. If you entered any password, change it everywhere it is reused.
- File a police report for the cyber-insurance claim, and notify the spoofed company - their other customers are about to get the same email.
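The "hidden inbox rule" mentioned in the IT step above is the artefact worth hunting for first, because it is what lets the attacker keep a conversation going from a compromised mailbox without the owner noticing. The following is an added example, not code from this page, from SafeBrowz, or from any mail platform's own tooling: it triages a mailbox's rules for the tell-tale actions (delete, move to a folder nobody reads, forward to an outside address) and raises the severity when the rule also filters on finance terms, marks mail read, or has a blank name. The JSON export is constructed for illustration and its field names are a simplified hypothetical shape, not any vendor's schema; the internal domain example.com is likewise assumed.

```python
"""Triage a mailbox's inbox rules for the pattern BEC attackers leave behind:
rules that silently delete, hide or forward mail so the victim never sees the
real sender's reply.

Added example, not code from the page or any mail platform's tooling. The JSON
below is a constructed export in a simplified, hypothetical shape; the field
names are not any vendor's schema."""

import json

# Constructed sample export of one mailbox's rules (hypothetical field names).
RULES_JSON = """
[
  {"name": "Invoices", "enabled": true,
   "from_contains": ["sarah.lin@"], "subject_contains": ["wire", "invoice"],
   "actions": {"move_to": "Deleted Items", "mark_read": true}},
  {"name": ".", "enabled": true,
   "from_contains": [], "subject_contains": [],
   "actions": {"forward_to": ["collector@mailbox.example.net"]}},
  {"name": "Newsletters", "enabled": true,
   "from_contains": ["news@"], "subject_contains": [],
   "actions": {"move_to": "Newsletters"}},
  {"name": "Old filter", "enabled": false,
   "from_contains": [], "subject_contains": ["payment"],
   "actions": {"delete": true}}
]
"""

INTERNAL_DOMAINS = {"example.com"}   # constructed: your own mail domains
FINANCE_TERMS = {"wire", "invoice", "payment", "bank", "ach", "remittance", "swift"}
# Folders a user almost never opens; a rule that files mail here hides it.
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "rss subscriptions",
                  "archive", "conversation history"}


def load_rules(raw):
    """Parse the (constructed) JSON export into a list of rule dicts."""
    return json.loads(raw)


def triage_rules(rules, internal_domains):
    """Return a finding for every enabled rule that hides or exfiltrates mail."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        actions = rule.get("actions", {})
        reasons = []
        dest = actions.get("move_to", "").lower()
        if actions.get("delete"):
            reasons.append("deletes matching messages")
        elif dest in HIDING_FOLDERS:
            reasons.append(f"moves matching messages to '{actions['move_to']}'")
        for addr in actions.get("forward_to", []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"forwards to external address {addr}")
        if not reasons:
            continue  # no hiding or exfiltration action: ordinary housekeeping rule
        # Supporting context that raises the severity of a hiding/forwarding rule.
        terms = {t.lower() for t in rule.get("subject_contains", [])} & FINANCE_TERMS
        if terms:
            reasons.append("subject filter targets finance terms: " + ", ".join(sorted(terms)))
        if actions.get("mark_read"):
            reasons.append("marks messages read so the unread counter never changes")
        if not rule.get("name", "").strip(" ._-"):
            reasons.append("blank or punctuation-only rule name")
        severity = "high" if len(reasons) > 1 else "medium"
        findings.append({"rule": rule.get("name", ""), "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_rules(load_rules(RULES_JSON), INTERNAL_DOMAINS):
        print(f"[{finding['severity'].upper()}] rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the constructed export, the script flags the "Invoices" rule (finance keywords routed to Deleted Items and marked read) and the rule named "." (external forward with a blank name), and ignores the ordinary newsletter filter and the disabled rule. Feed it whatever your platform's rule export looks like after mapping the fields, and review every finding with the mailbox owner before deleting anything.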
How to harden your LinkedIn against this
You cannot leave LinkedIn - for most professionals it is half the job. But you can sharply reduce the reconnaissance surface in 15 minutes.
- Hide your connections list. Settings → Visibility → Who can see your connections. Set to "Only you." Your network map is the org chart used in step 2.
- Stop announcing travel. No real-time "heading to [city]" posts. Post after you are back, if at all.
- Sanitize the About section. Remove kid names, school mascots, hobbies, religious affiliation. Keep the professional pitch only.
- Be careful with public reactions. Likes and comments on others' posts are public. "Great seeing you all at the offsite" tells the attacker who was where and when.
- Restrict profile photo visibility to connections. Attackers use profile photos to source deepfake video for BEC follow-up calls.
- Weekly review. Every Monday, scan your last 7 days from a logged-out browser and ask: would a stranger learn anything useful about my work, team, or whereabouts?
Where browser-layer defense fits
The email itself is hard to block because the sender authenticates and the content reads clean. The defense that holds up is at the link destination: when the spear-phished user clicks, a browser-layer scanner can check the destination domain against the impersonated brand and block before the fake credential page loads. SafeBrowz is a free Chrome, Firefox, and Edge extension that scans every URL before the page renders, using a 550+ brand database (Microsoft 365, Google Workspace, Stripe, DocuSign, every major SaaS used in BEC), JavaScript signatures for credential-harvesting kits, and AI content analysis for fresh lookalike pages. Cisco Talos's brand impersonation tracker has Microsoft and Google in the top 5 most-impersonated brands every month of 2026 - those are the pages SafeBrowz catches at the click. Install SafeBrowz free as a backstop for moments the second-channel-verify rule slips.
Frequently asked questions
How is spear phishing different from regular phishing?
Regular phishing is mass-mailed and generic - same template to a million inboxes. Spear phishing is one email to one named person, written with details about that person's job, manager, and current projects. Spear phishing's success rate is roughly 10-30x higher per email sent, which is why it now accounts for about 65% of targeted attack volume per FBI IC3.
If DKIM and DMARC pass, isn't the email automatically safe?
No. DKIM and DMARC verify the sender domain is authenticated, not that the sender is honest. A compromised legitimate mailbox passes both checks. A lookalike domain (acme-logistics.co vs acmelogistics.com) sets up its own valid DKIM record and also passes. Authentication is necessary but not sufficient - verify the request, not just the headers.
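The lookalike-domain problem raised here and in the "Why it bypasses every spam filter" section is one that a mail gateway or a small inbound-mail script can actually score, because the allowlist of vendors you transact with is short and known. Below is an added example, not code from this page, from SafeBrowz, or from any gateway product: it normalises the sender's domain (dropping hyphens and collapsing character swaps such as rn for m and 0 for o) and compares it to each known vendor domain by edit distance, so acme-logistics.co and acrnelogistics.com both come back as lookalikes of acmelogistics.com. The vendor list and sample senders are constructed for illustration, and the suffix handling is deliberately naive (it treats the last label as the TLD).

```python
"""Lookalike-domain check for inbound mail: compare the sender's domain against
the domains of vendors and partners you actually transact with.

Added example, not code from the page or from SafeBrowz. The vendor list and
sample senders are constructed for illustration."""

from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of domains you genuinely do business with (hypothetical).
KNOWN_DOMAINS = {"acmelogistics.com", "stripe.com", "lattice.com"}

# Character swaps commonly used to build lookalikes, mapped to what the eye reads.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
                 ("5", "s"), ("-", ""), ("_", "")]


@dataclass
class Verdict:
    verdict: str             # "known", "lookalike" or "unknown"
    matched: Optional[str]   # known domain the sender matches or resembles, if any
    reason: str


def registrable_label(domain: str) -> str:
    """Return the label just left of the suffix, e.g. 'acme-logistics' for
    'acme-logistics.co'. Naive: treats the last label as the suffix; a real
    deployment would consult the Public Suffix List for 'co.uk'-style suffixes."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Collapse visually confusable spellings so 'acrne-l0gistics' reads 'acmelogistics'."""
    label = label.lower()
    for src, dst in SUBSTITUTIONS:
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known: set = KNOWN_DOMAINS) -> Verdict:
    """Classify the domain of an email address against the known-vendor list."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in known or any(domain.endswith("." + k) for k in known):
        # Exact or subdomain match. A compromised mailbox still passes this,
        # so the request itself must still be verified out of band.
        return Verdict("known", domain, "exact or subdomain match; verify the request anyway")
    sender_norm = normalize(registrable_label(domain))
    distance, candidate = min(
        (edit_distance(sender_norm, normalize(registrable_label(k))), k) for k in known
    )
    target_len = len(normalize(registrable_label(candidate)))
    if distance == 0:
        return Verdict("lookalike", candidate,
                       f"same name as {candidate} once hyphens/confusables or the TLD are ignored")
    # Allow one edit for any name, two for long names where a single swap hides easily.
    if distance <= 1 or (target_len >= 8 and distance <= 2):
        return Verdict("lookalike", candidate, f"within {distance} edit(s) of {candidate}")
    return Verdict("unknown", None, "no resemblance to a known vendor domain")


if __name__ == "__main__":
    # Constructed sample senders, not real mailboxes.
    for sender in ["marcus.chen@acme-logistics.co", "ar@acrnelogistics.com",
                   "noreply@strlpe.com", "support@stripe.com",
                   "billing@invoices.acmelogistics.com", "someone@example.org"]:
        v = classify_sender(sender)
        print(f"{sender:40} {v.verdict:10} {v.reason}")
```

A "lookalike" verdict is a reason to quarantine or banner the message regardless of whether DKIM and DMARC passed; a "known" verdict is not a reason to trust a payment-instruction change, which still needs the second-channel call the page describes. Short vendor names will occasionally collide with unrelated domains at one edit, so treat the result as a triage signal rather than a block list.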
I deleted my LinkedIn - am I safe from spear phishing?
Safer but not safe. Attackers also use company About pages, conference speaker lists, podcast guest lists, press releases, GitHub commit history, and the Wayback Machine cache of your old LinkedIn. Deletion reduces but does not eliminate reconnaissance. The verification habit is the durable defense.
What is BEC and how is it related to spear phishing?
BEC stands for business email compromise - spear phishing that targets business payment flows. It is the highest-value spear phishing subtype, with an average loss of about $137,000 per successful incident and $2.9 billion in total reported US losses in 2025 per FBI IC3. Almost every BEC starts with LinkedIn reconnaissance of the finance team.
I wired money 2 days ago. Is it too late?
Not necessarily. The FBI's Financial Fraud Kill Chain protocol opens a 72-hour recovery window. Domestic wires can sometimes be clawed back even later if the funds have not yet moved through mule accounts. Call your bank's fraud desk and file at ic3.gov today, not tomorrow. Recovery rates drop sharply each additional day.
Can my employer detect spear phishing for me automatically?
Partly. Email gateways now run sender behavioral analysis, vendor-impersonation detection, and lookalike-domain scoring. These catch many spear phishing attempts but miss the most targeted ones, because a one-shot email to one user has too small a sample for ML detection. Human verification through a second channel is still the defense that closes the gap.
Related reading
- "Microsoft account suspicious sign-in" email scam: how to spot it - the brand pretext most often used inside BEC chains
- Your phone is the new phishing target: how the text scam works - companion piece on smishing
- Pastejacking and ClickFix attacks explained - what happens after a spear-phished engineer clicks the recruiter link
- How to tell if a website is a scam - the 11 visual red flags on credential-harvest landing pages
Bottom line: Spear phishing works because the attacker did their homework on LinkedIn before they ever wrote the email. You cannot stop them from researching you - public profiles are public. You can stop them from succeeding by treating every wire request, every vendor bank-change, and every "urgent" message from leadership as a request that needs a second-channel verification. Five seconds on Slack beats a $137,000 wire loss every single time. Add SafeBrowz for the click that slips past you.