LinkedIn Purchase Inquiry Email Scam

Unexpected emails that appear to come from trusted platforms can be highly convincing, especially when they promise new business opportunities. For this reason, users should always exercise caution when receiving unsolicited messages that request action or contain links and attachments. The so-called LinkedIn Purchase Inquiry emails are part of a phishing campaign and are not associated with LinkedIn or any legitimate company, organization, or entity. Instead, they are designed to deceive recipients into revealing sensitive login credentials.

A Fake Business Opportunity Designed to Build Trust

Cybersecurity researchers have identified the LinkedIn Purchase Inquiry emails as phishing messages that impersonate business notifications from LinkedIn. The emails falsely claim that the recipient has received a new business invitation and purchase inquiry from an individual identified as 'lisa_fan,' who is presented as a Senior Partner and Managing Director at a Hong Kong-based trading company.

According to the message, the sender is interested in learning whether the recipient's business offers certain products. Recipients are encouraged to review an alleged product search request and respond with minimum order quantities. The content is carefully crafted to appear professional and business-oriented, increasing the likelihood that recipients will trust the message.

The Dangerous Links Hidden Behind the Message

The fraudulent emails typically contain two prominent buttons. One invites recipients to accept the sender's invitation, while the other encourages them to provide a quotation immediately.

Regardless of which button is selected, users are redirected to a malicious website created specifically to steal credentials. The goal is not to facilitate a business discussion but to lure victims into providing sensitive account information.

Inside the Credential-Harvesting Website

The phishing page is hosted through the InterPlanetary File System (IPFS), a decentralized file storage protocol often abused by threat actors to host malicious content.

Upon visiting the page, users may notice what appears to be a spreadsheet-based purchase order associated with a company named LightKing Tech Group Co. LTD. However, access to the document is blocked by a pop-up window claiming that identity verification is required before the supposedly encrypted file can be viewed.

The pop-up requests a username and password. Any information entered into these fields is transmitted directly to the scammers operating the campaign.

What Happens When Credentials Are Stolen?

Once cybercriminals obtain login credentials, they can attempt to access various accounts and services belonging to the victim. The consequences may extend far beyond a single compromised account.

Potential risks include:

• Unauthorized access to email accounts, business platforms, and online services.
• Identity theft, fraudulent transactions, and additional scams conducted under the victim's name.
• Further compromise of business communications and sensitive corporate information.

Because many users reuse passwords across multiple platforms, a single credential theft incident can lead to a chain of security breaches.

Malware Distribution Remains a Possible Threat

While the primary objective of this campaign is credential theft, similar phishing operations are sometimes used to distribute malware as well. Cybercriminals frequently employ email campaigns to spread malicious software through attachments or links to infected websites.

Threatening files may be disguised as legitimate documents, archives, PDFs, executable programs, or Microsoft Office files. In some cases, visiting a malicious website can trigger automatic malware downloads. In others, victims are prompted to manually download and run a file.

Office documents may also contain harmful macros that remain inactive until users enable them. As a result, successful infection often depends on some form of user interaction.

Warning Signs That Reveal the Scam

Several indicators can help recipients identify these fraudulent messages before any damage occurs:

• Unsolicited business inquiries from unknown contacts.
• Requests to review documents through external links rather than official platform notifications.
• Urgent prompts encouraging immediate action, such as accepting invitations or providing quotations.
• Login pages requesting credentials before access to a document is granted.
• Inconsistencies involving sender details, company information, or website addresses.

Recognizing these warning signs can significantly reduce the risk of becoming a victim.

How to Respond to LinkedIn Purchase Inquiry Emails

Recipients who receive these emails should avoid clicking any links, opening associated files, or entering credentials on any linked website. The safest course of action is to delete the message immediately.

If credentials have already been submitted, affected users should change the compromised passwords without delay, update any accounts using the same password, and enable multi-factor authentication wherever possible. Additionally, account activity should be monitored for signs of unauthorized access.

Final Thoughts

The LinkedIn Purchase Inquiry email campaign is a phishing scam that exploits the reputation of LinkedIn to create a false sense of legitimacy. By presenting recipients with what appears to be a genuine business opportunity, cybercriminals attempt to trick users into revealing valuable login credentials. Maintaining a cautious approach toward unexpected emails, verifying communications through official channels, and avoiding suspicious links remain essential defenses against this and similar online threats.