LinkedIn and Instagram Under Attack

January 14, 2026

The Social Engineering Tactics Every User Needs to Understand Right Now

In the first two weeks of 2026, attackers doubled down on a strategy that continues to outperform malware and zero-days: exploiting trust. Instead of hacking platforms directly, cybercriminals are using LinkedIn and Instagram exactly as designed and turning familiar features into weapons.


These are not noisy spam campaigns. They are quiet, convincing, and engineered to feel normal. If you or your team use LinkedIn or Instagram for business, networking, or brand visibility, understanding these tactics is no longer optional.


LinkedIn Comment-Based Phishing

A New Twist on Social Engineering

Attackers have found a way to bypass email security entirely by abusing LinkedIn’s public comment system.


Here is how the attack works in plain terms.


A threat actor posts what looks like an official LinkedIn reply under a legitimate post. The comment claims there is a policy issue, account restriction, or verification problem. To increase credibility, the attacker often uses LinkedIn branding and a shortened lnkd.in link.


When clicked, the link leads to a fake LinkedIn login page designed to capture credentials.


Why this works so well is simple. Users are conditioned to trust LinkedIn notifications. Seeing a message inside the platform lowers defenses, and because the lure lives in a comment on the platform rather than in an inbox, email security gateways and the mail-based phishing controls most organizations rely on never see it.


Important truth to remember: LinkedIn does not communicate account violations or enforcement actions through public comments. Ever.


Red flags to watch for:

  • Any comment claiming to be LinkedIn Support or Compliance
  • Urgent language demanding immediate action
  • Links whose hostname is not linkedin.com or a subdomain of it (look-alikes such as linkedin.com.example are not LinkedIn, and a lnkd.in short link hides the real destination until it is expanded)
  • Login pages that feel slightly off or load outside the normal LinkedIn flow


Instagram Password Reset Emails

Fear as the Attack Vector

At the same time, Instagram users across the globe reported receiving password reset emails they never requested. The emails looked real. Logos were correct. Language matched official communications. Panic followed.


Security researchers traced the surge to leaked account metadata circulating in underground forums. Email addresses and phone numbers are enough to target users at scale.


Meta later confirmed there was no breach of passwords. Instead, a technical issue allowed third parties to trigger password reset emails. The issue has since been fixed.


Even so, the lesson is critical.


Attackers do not need your password to compromise you. They need urgency, fear, and one click.


Unsolicited password reset emails train users to act without thinking. That behavior is exactly what attackers rely on.


Why Social Platforms Are High-Value Targets

LinkedIn and Instagram share a dangerous advantage: trust.


Attackers exploit that trust by:

  • Mimicking legitimate platform interfaces
  • Using real platform infrastructure like official domains and short links
  • Creating urgency around account loss or violations


No vulnerability scanning required. No exploit chains needed. This is human-level exploitation.


A Critical Warning About Browser-in-a-Browser Attacks

There is an advanced tactic making these campaigns even more dangerous.


Attackers now create fake login windows that appear to be real browser pop-ups. The URL bar looks correct. The window resizes properly. Everything feels legitimate.


But it is not a real browser window. It is a visual imitation drawn with ordinary HTML, CSS, and JavaScript inside the phishing page itself. One practical tell: a genuine pop-up can be dragged past the edge of the browser window, while the imitation cannot leave the page that draws it.


This technique can bypass MFA entirely because the victim willingly enters credentials and one-time codes into the fake window. From the user’s perspective, MFA worked. From the attacker’s perspective, it was harvested in real time. The codes that get harvested are the ones a person can type, such as SMS and authenticator-app codes; origin-bound methods such as FIDO2 security keys and passkeys do not release a credential to a look-alike site, which is why they are described as phishing-resistant.


This is why awareness matters more than tools alone. Technology cannot protect users who do not recognize deception.


How to Protect Yourself and Your Team

For LinkedIn:

  • Never click links inside comments claiming account issues
  • Verify alerts directly inside the LinkedIn app or settings
  • Report suspicious comments immediately


For Instagram:

  • Only use password reset links you personally initiated
  • Verify the sender domain carefully
  • If concerned, open the app directly and change your password there


Universal best practices:

  • Use unique passwords for every platform
  • Enable MFA everywhere, preferably app-based
  • Never log in through links sent via comments or email
  • Train your team to slow down and verify before reacting


The Bigger Picture

Social engineering is evolving faster than most organizations realize. Attacks are moving away from email and into the platforms people trust most. The technology did not fail here. Human expectations were exploited.


Cyber resilience today is about awareness, behavior, and repetition. Tools help. Training protects.


Tap In With Krome IT

At Krome IT, we go deeper than surface-level security tips. We help organizations understand how modern attacks actually work and how to build human-aware defenses that scale.


If you want advanced awareness training, executive briefings, or real-world cybersecurity resilience strategies for your team, tap in!


Awareness is the alpha. Everything else builds on it.
