Fake LinkedIn connection request, pending connections, or account restricted phishing — impersonates LinkedIn from a non-LinkedIn domain with fake "X sent you a connection request", "N pending connections", or "your account has been restricted" emails driving to a fake LinkedIn login page; Check Point 2024: LinkedIn is the most impersonated brand globally (52% of all brand phishing); Vade Secure 2024: LinkedIn impersonation grew 232% YoY; targets sales and networking professionals conditioned to click connection notifications instantly

Phishing emails impersonating LinkedIn from a non-LinkedIn domain with fake "X has sent you a connection request", "you have N pending connection requests", "your profile was viewed", or "your account has been restricted" notifications — driving to a fake LinkedIn login page that harvests credentials for the victim's LinkedIn account, Microsoft account, or Google account (since many LinkedIn logins use SSO). Key facts: (1) Check Point 2024: LinkedIn is the single most impersonated brand globally, accounting for 52% of all brand-phishing attempts — far exceeding shipping (DHL at 14%), Microsoft (9%), and Google (5%); this dominance is driven by the ubiquity of legitimate LinkedIn notification emails and the professional urgency those emails create; Vade Secure 2024: LinkedIn impersonation grew 232% year-over-year; (2) The conditioning problem is severe: sales professionals, recruiters, and networkers receive dozens of legitimate LinkedIn connection request emails per week and have been trained to click them immediately without examining the sender domain; the "X has sent you a connection request" subject line achieves near-100% open rates in business contexts because recipients always want to know who is connecting; (3) The account takeover is high-value beyond just LinkedIn itself: most attackers immediately use the captured LinkedIn session to message the victim's connections with investment scams, job fraud, or BEC wire transfer requests — the victim's established professional credibility is weaponized against their entire network; (4) Account restriction variants ("your LinkedIn account has been flagged for unusual activity — verify immediately") are effective because LinkedIn does genuinely send such notices, and the fear of losing professional network access, job history, and connections creates authentic panic. Warning signs: sender domain not linkedin.com, mail.linkedin.com, or message.linkedin.com; connection request email asks you to "sign in to your LinkedIn account" rather than linking directly to the connection's profile; account restriction notice without specific activity detail or case reference; link to a non-LinkedIn domain.