Threat: Phishing & impersonation

Fake LinkedIn recruiter credential-harvest lure — "Senior Executive at Goldman Sachs sent you a LinkedIn InMail about a $250K role, sign in to view" targeting LinkedIn 1B+ user base; post-2024-2026 tech-layoff job-market anxiety amplifies conversion; LinkedIn credentials harvest enables connections export, Sales Navigator data exfil, DM harvest, fake-offer hijack to victim's network

fake-linkedin-recruiter-credential-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake "a Senior Executive at [prestigious company] sent you a LinkedIn InMail about a $250K role — sign in to LinkedIn within 24 hours to view the full message" email targeting LinkedIn's 1B+ user base. The "view full message" link lands on a LinkedIn credential harvester that mimics the real sign-in page.

Post-compromise, attackers: (1) export the victim's entire connections list for downstream spear-phishing of people who trust messages from that LinkedIn identity; (2) extract LinkedIn Sales Navigator / Recruiter data, high-value B2B contact lists worth thousands on resale markets; (3) harvest the victim's own DMs, which during a job search often contain sensitive career info, salary data, and reference emails; (4) hijack the LinkedIn identity to send fake job offers to the victim's own network, converting the victim into an attack amplifier.

The lure converts for three reasons: LinkedIn notification emails are frequent and familiar, so users have fast-click response patterns; job-market anxiety from 2024-2026 tech layoffs makes any "executive recruiter reached out" email irresistible; and real LinkedIn emails use the exact "view full message" CTA, so the phish looks structurally identical.

Fires when the body references LinkedIn / LinkedIn Recruiter / LinkedIn Sales Navigator / InMail / LinkedIn message / LinkedIn connection / linkedin.com AND contains senior-executive / Fortune-500 / $Xk-role / recruiter-reached-out / sign-in-to-view / before-it-expires / urgent-response urgency. Excludes linkedin.com, linkedinmail.com, licdn.com, navigator.linkedin.com, e.linkedin.com. Auto-classified as danger via the `-lure` suffix.
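The firing condition above can be sketched as follows. This is an added example, not Gorganizer's own code: the regular expressions are approximations of the listed cues, applying the exclusion list to the From domain is an assumption, and the sample messages are constructed.

```python
import re
from email.utils import parseaddr

# Brand references and lure cues paraphrased from the signal description;
# the exact patterns are assumptions made for this example.
BRAND = re.compile(r"\b(?:linkedin|inmail)\b", re.I)
LURE = re.compile(
    r"senior executive|fortune[ -]?500|\$\s?\d{2,3}k\b|recruiter reached out"
    r"|sign in to (?:\w+ ){0,6}view|before it expires|within \d+ hours",
    re.I,
)
# Exclusion list as given on the page. Applying it to the From domain is an assumption.
EXCLUDED = ("linkedin.com", "linkedinmail.com", "licdn.com",
            "navigator.linkedin.com", "e.linkedin.com")

def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From header."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower().rstrip(".")

def is_excluded(domain):
    # Exact or dot-bounded suffix match only: a substring test would let
    # "linkedin.com.mail-view.example" inherit the exclusion.
    return any(domain == d or domain.endswith("." + d) for d in EXCLUDED)

def lure_fires(from_header, body):
    """True when a brand reference AND a lure cue co-occur and the sender is not excluded."""
    if is_excluded(sender_domain(from_header)):
        return False
    return bool(BRAND.search(body) and LURE.search(body))

# Constructed sample messages (not real mail): name -> (From header, body).
LURE_BODY = ("A Senior Executive at Goldman Sachs sent you a LinkedIn InMail about "
             "a $250K role. Sign in to LinkedIn within 24 hours to view the full message.")
SAMPLES = {
    "harvester": ("LinkedIn <inmail@linkedin-notify.example>", LURE_BODY),
    "lookalike": ("LinkedIn <jobs@linkedin.com.mail-view.example>", LURE_BODY),
    "genuine": ("LinkedIn <messages-noreply@linkedin.com>", LURE_BODY),
    "casual": ("Sam <sam@example.org>", "Happy to connect on LinkedIn after the meetup."),
}

if __name__ == "__main__":
    for name, (frm, body) in SAMPLES.items():
        print(f"{name:10} fires={lure_fires(frm, body)}")
```

A From header is trivially forged, so an exclusion like this is only safe when the excluded domain has also passed DKIM or DMARC alignment.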

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
