Fake LinkedIn account-restricted, login-from-new-device, or InMail-locked alert sent from a non-LinkedIn domain demanding identity verification via the embedded link — credential-harvest cross-domain phish. Real LinkedIn security mail originates from linkedin.com only.

Fake LinkedIn account-restricted, login-from-new-device, profile-locked, or InMail-action-required alert sent from a non-LinkedIn sending domain (From / Reply-To / link domains do not align with linkedin.com / e.linkedin.com) demanding the recipient verify identity or restore access via the embedded link — credential-harvest cross-domain phish. Real LinkedIn security communications originate exclusively from linkedin.com / e.linkedin.com with DMARC-aligned signing and always link back to linkedin.com itself, never to third-party domains. LinkedIn account compromise is high-value because the platform stores professional history, recruiter contacts, and is widely used as an OAuth-style identity provider. Distinct from generic account-suspended-phish — this targets the LinkedIn brand / profile-restricted / cross-domain From-link mismatch pretext. Detection: LinkedIn brand vocabulary (account restricted, profile locked, login from new device, verify identity) + sender or link domain ≠ linkedin.com / e.linkedin.com + no DMARC alignment. Trash score: +4. Source: GC1-R31; APWG LinkedIn phishing tracker 2025; LinkedIn Trust & Safety anti-phishing guidance; FTC professional-network impostor advisory.