A new phishing campaign uses fake LinkedIn notifications to hijack professional accounts. Research from Cofense PDC reveals how spoofed domains like inedin.digital are used to steal login credentials and professional data.
Checking a LinkedIn notification has become a routine part of the working day for millions of us. However, new findings suggest that a single click on what looks like a standard message alert could hand your private account details directly to criminals. This tactic is the focus of a new report by the Cofense Phishing Defense Center (PDC).
The research, which was shared with Hackread.com, identifies a clever phishing campaign designed to trick even the most cautious professionals. By mimicking the exact layout of a genuine notification, attackers are successfully stealing credentials (the usernames and passwords people use to log in) from unsuspecting users.
The urgent business trap
The scam begins with an email that appears to be a standard alert from LinkedIn. It informs the recipient that a representative from a reputable firm has sent an urgent message regarding a potential business opportunity. According to Cofense PDC researchers, the email is a near-perfect replica of the real thing, using the same fonts, logos, and colours we see every day.
However, while the email looks legitimate, the hook relies on a sense of urgency to stop the reader from checking the details. The messages were originally written in Chinese, suggesting the attackers were targeting professionals in that region or those dealing with Chinese business partners.
The email actually originates from a domain called khanieteam.com, which was only a few days old when it was first spotted in March 2026. This should alert users right away because a legitimate notification from a global platform would never come from such a random, recently created address.
Cleverly disguised websites
If a user is still clueless or tempted by the opportunity and clicks any of the buttons in the email, they are not taken to LinkedIn but to a fraudulent login page at the web address inedin.digital. It is worth noting that the attackers intentionally chose this name because the letters visually resemble the real brand.
“The threat actors deliberately selected a domain name that visually resembles ‘LinkedIn,’ repeating familiar letter patterns like ‘in’ and ‘din’ to deceive users,” researchers explained in the blog post.

Further investigation revealed that this fake site was set up only two months before the campaign began, using several internet addresses, including 104.21.80.1, to stay active. Enrico Silverio from the Cofense PDC explained that the scam is so dangerous because it exploits human curiosity and trust. As soon as a user types their password into the fake site, the hackers gain full access to their professional network and personal data.
This is why security experts always suggest verifying the sender’s email address and hovering over links to see where they actually lead before clicking on anything, because if a message seems too good to be true, it likely is.
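The two checks described above (sender address and real link destination) can be automated at a mail gateway or in a triage script. The following is an added example, not code from Cofense or Hackread.com; the sample message is constructed from the two domains named in this article, and the trusted-domain list and function names are assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("linkedin.com",)  # assumption: the only domain accepted for this brand

# Constructed sample message using the sender and landing domains from the article.
SAMPLE = """\
From: LinkedIn <notifications@khanieteam.com>
Subject: You have 1 new message
Content-Type: text/html; charset="utf-8"

<html><body><p>A representative sent you an urgent message.</p>
<a href="https://inedin.digital/login">View message</a>
<a href="https://www.linkedin.com/help">Help</a></body></html>
"""

class LinkCollector(HTMLParser):
    """Collect real href targets, i.e. what hovering over a link would show."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_trusted(host):
    """True only for the brand domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def check_message(raw):
    """Return (kind, host) findings for a message that presents itself as LinkedIn."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    if "linkedin" not in display.lower():
        return []  # message does not claim the brand, nothing to compare
    findings = []
    sender_host = addr.rpartition("@")[2].lower()
    if not is_trusted(sender_host):
        findings.append(("sender", sender_host))
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if host and not is_trusted(host):
            findings.append(("link", host))
    return findings
```

Matching on the full host suffix rather than a substring matters here, because a lookalike can embed the brand name anywhere in its hostname.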

