How you (and attackers) can post a LinkedIn job as almost ANY employer


Almost anyone can create a job listing on today’s leading recruitment platform on behalf of just about any employer. Worse, the employer can’t easily take these listings down.

Key takeaways

  • Adding a job on behalf of a company on LinkedIn is a little too easy
  • Almost anyone can add a job on behalf of any company, including threat actors
  • Experts believe this feature can be abused and could become a hotbed for phishing campaigns if LinkedIn doesn’t address it soon


These lax verification standards on LinkedIn pave the way for attackers to post bogus listings for malicious purposes.

Attackers can use well-honed social engineering tactics to collect personal information and resumes from professionals who believe they are applying to a legitimate company, without those applicants realising their data may be sold or used in phishing scams.

In a recent deep-dive by prominent cybersecurity website BleepingComputer, cyber expert Harman Singh discussed a feature that essentially allows “anyone to post a job under a company’s LinkedIn account and it appears exactly the same as a job advertised by a company”.

There seem to be no real blockers to an individual posting a job that passes itself off as coming from another organisation, and Singh demonstrated this by getting to the final stage of the process, as shown below:

Image: Creating a bogus LinkedIn job posting on behalf of BleepingComputer from an unaffiliated account

Using an unaffiliated LinkedIn account, Singh was able to successfully publish a new job posting on behalf of BleepingComputer, almost anonymously.

The job listing would appear authentic as if coming straight from BleepingComputer.

It also did not show the user account that created the posting — an option set by the user who posts the job, rather than the employer.

And, within hours of the listing going live, applications started coming in!

Image: Submitted applications arrive within hours of creating the test listing

In a brief test, BleepingComputer also used LinkedIn’s “Easy Apply” option so that any resumes uploaded by an applicant would be delivered straight to a test email account, rather than LinkedIn redirecting the applicant to an external website.

The organisation found that using a test email account to collect applicants’ personal information and resumes left no indication of suspicious activity to either the applicant or the employer, unlike redirecting the applicant to a website that may look “phishy” right away.

Image: Resumes arrive via email to the test mailbox

Fraudulent listings and phishing scams

Experts like Singh believe this feature has been abused in the past and could become a hotbed for phishing campaigns in the near future.

Threat actors can misuse the feature to target the public with various kinds of fraud and phishing scams.

LinkedIn scams are not exactly new, but those reported so far have mostly relied on someone creating a fake profile and touting themselves as a “recruiter” for a company.

This loophole, by contrast, allows anyone to create a job listing on behalf of virtually any organisation without even revealing their identity.

Restricting who can post jobs under your company

This raises the question: what can you do as an employer to prevent unauthorised parties and threat actors from creating bogus job listings in your organisation’s name?

LinkedIn has previously published a blog post with tips on spotting and avoiding common job scams, but it falls well short of addressing the particular issue described here.

BleepingComputer confirmed that you cannot take down a bogus job posting yourself, even as the super-admin of your company’s page!

Fortunately, there are some steps businesses can take to deter unauthorised job postings.

By default, there is no way for the administrator of a LinkedIn company page to restrict who can post job listings under it, but emailing LinkedIn’s safety team appears to get that restriction enabled:

“You can manually email to the LinkedIn trust and safety team to get those options enabled that allow you to block unauthorised posts, and only allow authorised team members to post jobs,” Singh told BleepingComputer, while sharing the team’s email address: [email protected]

However, as LinkedIn does not publish this email address, unless you already knew of its existence and of the ability to block this “feature,” you remain exposed to this type of attack.

Additionally, Singh suggests asking your recruitment and HR teams to periodically monitor your company’s LinkedIn pages and report any bogus postings to LinkedIn as a workaround, albeit a slower one.

Contrary to LinkedIn’s claims that its AI-based systems can detect fake postings, those automated systems did not detect the tests conducted by BleepingComputer, and the listings were not removed until after the website emailed LinkedIn.

Until there is a more permanent solution, LinkedIn users and employers should report suspicious job listings as spam or scam for review by LinkedIn.

But it remains astounding that the world’s premier professional network has not yet implemented best-practice methods to ensure job-related scams like this cannot take place.

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.