LinkedIn Job Scams: Phishing Red Flags to Know
LinkedIn Job Scams: How Fake Recruiters Steal Your Credentials Through PDFs
A Reddit user recently shared a warning that every professional needs to hear: they received a LinkedIn InMail from a recruiter about a "confidential board position." It was perfectly tailored to their background. It was essentially their dream job.
It was also a targeted cyber attack.
The message included a link to view the role details on what looked like a legitimate company page. When they clicked the PDF document, they were prompted to enter their Microsoft Office credentials. They entered them — and their company's security software immediately locked their PC.
They spent the morning with their cybersecurity team dealing with the fallout, and the bigger red flag came later: when they replied expressing interest, the "recruiter" said the client "already has too many interested people" and was no longer accepting applications. For a confidential board mandate, that kind of instant turnaround is unheard of.
How LinkedIn Credential Phishing Works
Step 1: The Perfect Job Offer
Scammers don't send generic spam. They study your LinkedIn profile and craft a message that matches your experience, seniority level, and career aspirations. The offer typically includes a prestigious title or role like "board position" or "VP of Operations," a claim of confidentiality to explain why details are limited, a company name that sounds legitimate or even mimics a real firm, and language that makes you feel specially recruited.
This level of personalization is what makes it so effective. It doesn't feel like spam — it feels like a genuine opportunity.
Step 2: The Malicious Link
The message includes a link to "view the full job description" or "review the role details." This link leads to a page that looks professional but is actually a phishing site designed to steal your login credentials. Common tactics include fake PDF viewers that require a "login to view," Microsoft 365 login pages that look identical to the real thing, Google Workspace sign-in pages that capture your password, and document hosting sites that mimic SharePoint or Dropbox.
Step 3: The Credential Harvest
When you enter your username and password, the scammers capture them instantly. They now have access to your email and potentially your company's entire network.
With your credentials, they can access your email to launch attacks on your contacts, steal sensitive company data, deploy ransomware across your company network, access financial systems and initiate fraudulent transfers, and read confidential communications.
Step 4: The Disappearing Act
If you follow up with the recruiter, they'll either ghost you or give a quick excuse like "the position has been filled." They got what they wanted — your credentials.
Why This Scam Is Particularly Dangerous
It Targets Professionals
Unlike Nigerian prince emails, these phishing attacks target educated professionals. The victims are executives, managers, and specialists who should "know better" — which is exactly why it works. The sophistication matches their expectations.
It Exploits LinkedIn's Trust
People trust LinkedIn more than random emails. A message from a recruiter on LinkedIn feels legitimate because that's exactly what the platform is for.
It Can Compromise Entire Companies
One set of stolen credentials can give attackers access to an entire corporate network. The Reddit victim's company security software caught it, but many organizations aren't that well-protected.
It's Personally Tailored
Mass phishing emails are easy to spot. A personalized message about your dream job, referencing your actual skills and experience, is much harder to recognize as a scam.
Red Flags to Watch For
About the Message
- Unsolicited job offers that seem too perfect for your background
- "Confidential" positions with limited details upfront
- Urgency to review materials quickly
- The recruiter's LinkedIn profile is new or has few connections
- The recruiting firm name is similar to but not exactly a well-known firm
About the Link
- You're asked to click a link to view a PDF or document
- The URL doesn't match the company's actual domain
- The page asks for your Microsoft, Google, or other login credentials
- The document requires a "sign-in" to view
- The URL contains suspicious elements like misspellings or extra characters
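
The link red flags above can be checked mechanically before anyone types a password. The following is an added example, not a tool from this article or from ScamSecurityCheck; the allowlist of sign-in hosts, the brand list and the 0.85 similarity threshold are illustrative assumptions.

```python
import ipaddress
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: a short, non-exhaustive allowlist of real sign-in hosts for the
# services the article names. Maintain your own list for your organization.
TRUSTED_LOGIN_HOSTS = ("login.microsoftonline.com", "login.live.com",
                       "accounts.google.com")
BRANDS = ("microsoft", "office", "google", "sharepoint", "dropbox")


def link_red_flags(url):
    """Return the red flags found in a link that asks you to sign in."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        flags.append("text before '@' is not the real host")
    if host in TRUSTED_LOGIN_HOSTS:
        return flags
    flags.append("host is not a known sign-in host")
    try:
        ipaddress.ip_address(host)
        flags.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label (lookalike characters possible)")
    if any(b in host or b in parts.path.lower() for b in BRANDS):
        flags.append("brand name on an unrelated domain")
    for trusted in TRUSTED_LOGIN_HOSTS:
        if SequenceMatcher(None, host, trusted).ratio() >= 0.85:
            flags.append("near-miss spelling of " + trusted)
    return flags


# Constructed sample links; the example.com names are placeholders.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.rnicrosoftonline.com/common/login",
    "https://login.microsoftonline.com@files.example.com/role.pdf",
    "http://docs.example.com/sharepoint/board-role.pdf",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", link_red_flags(link) or "no flags")
```

An empty result only means none of these specific checks fired; typing the service's address yourself remains the safer path.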
About the Follow-Up
- The "recruiter" responds unusually fast or slow
- The position is suddenly filled after you clicked the link
- They can't provide basic details about the role or client
- They avoid phone or video calls
- They pressure you to complete next steps quickly
What To Do If You Clicked
If you entered your credentials on a suspicious page, act immediately:
Within the first 5 minutes:
- Change your password immediately on the affected account
- Enable two-factor authentication if it's not already on
- Check for any forwarding rules added to your email
- Log out of all active sessions
Within the first hour:
- Notify your company's IT or cybersecurity team
- Change passwords on any accounts that use the same password
- Check for unauthorized activity in your accounts
- Enable login alerts on all important accounts
Within 24 hours:
- Run a full antivirus scan on your device
- Check your sent folder for messages you didn't send
- Monitor your accounts for unusual activity
- Report the phishing attack to LinkedIn
- Report to the FTC at reportfraud.ftc.gov
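
For the forwarding-rule check in the first five minutes, an IT team can review a mailbox's inbox rules for ones that send mail outside the organization or delete it. This is an added example, not part of the original article; it assumes the rules were exported as JSON in the shape Microsoft Graph returns for inbox message rules, and the sample data and the `corp.example.com` domain are constructed.

```python
import json

# Assumption: rules exported as JSON in the shape Microsoft Graph returns for
# GET /me/mailFolders/inbox/messageRules. This sample is constructed.
SAMPLE_RULES = json.loads("""
{"value": [
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "AAMk-constructed-folder-id"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
               "delete": true, "stopProcessingRules": true}}
]}
""")

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def suspicious_rules(rules, own_domain):
    """Return (rule name, reasons) for enabled rules that send mail out or delete it."""
    findings = []
    for rule in rules.get("value", []):
        actions = rule.get("actions") or {}
        reasons = []
        for action in FORWARD_ACTIONS:
            for rcpt in actions.get(action) or []:
                addr = rcpt.get("emailAddress", {}).get("address", "").lower()
                # Anything not addressed to the organization's own domain is external.
                if not addr.endswith("@" + own_domain.lower()):
                    reasons.append(f"{action} external address {addr}")
        if actions.get("delete") or actions.get("permanentDelete"):
            reasons.append("deletes matching mail")
        if reasons and rule.get("isEnabled", True):
            findings.append((rule.get("displayName", ""), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES, "corp.example.com"):
        print(repr(name), "->", "; ".join(reasons))
```

A rule that only deletes mail can be legitimate, so treat each finding as a prompt to ask the mailbox owner whether they created it.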
How To Protect Yourself From Job Scams on LinkedIn
Verify the Recruiter
- Check their LinkedIn profile history and connections
- Search for the recruiting firm independently
- Look them up on the firm's official website
- Call the firm directly using a number you find yourself
Never Enter Credentials From a Link
- If a document requires a login, go to the service directly by typing the URL yourself
- Never enter your Microsoft, Google, or any credentials from a link someone sent you
- Legitimate recruiters send PDFs as attachments or use well-known platforms
Use Separate Devices
- Don't use your work computer for personal job searching
- The Reddit victim learned this lesson the hard way: their work PC was locked by security software
Enable Two-Factor Authentication
- Even if your password is stolen, 2FA can prevent unauthorized access
- Use an authenticator app rather than SMS when possible
Be Skeptical of Perfect Opportunities
- If a job offer seems tailored too perfectly to your background, be extra cautious
- Legitimate recruiters are happy to get on a phone call to discuss details
- Real confidential searches still follow professional norms
The Bigger Picture: Spear Phishing
This type of attack is called "spear phishing" — targeted phishing aimed at specific individuals rather than mass audiences. It's increasingly common because personal information is freely available on LinkedIn and social media, AI tools make it easy to craft personalized messages at scale, stolen credentials are incredibly valuable on the dark web, and most people still don't expect phishing attacks on professional platforms.
The FBI has reported that business email compromise and phishing cause billions in losses annually. LinkedIn job scams are a growing portion of that.
A Note on Shame
The Reddit poster said "I feel a bit silly even asking this." They shouldn't. These attacks are specifically designed to fool smart, experienced professionals. The sophistication is the point.
If you've fallen for something like this, you're not alone and you're not stupid. What matters is how quickly you respond.
Check Suspicious Links Before You Click
Before clicking any link from a recruiter or anyone else, paste it into our Link Checker to analyze the URL for phishing indicators. You can also paste the recruiter's message into our Scam Scanner to check for scam patterns.
One click can compromise your accounts and your company. Take 30 seconds to verify first.
Courtney Delaney
Founder, ScamSecurityCheck
Courtney Delaney is the founder of ScamSecurityCheck, dedicated to helping people identify and avoid online scams through AI-powered tools and education.
