Tell HN: LinkedIn is automatically importing job postings into company profiles

378 points by gurchik ↗ HN
I work at a company that is not actively hiring, so imagine my surprise when I see 5+ job postings on my company's LinkedIn page.

It appears that LinkedIn is automatically importing job postings from other places on LinkedIn and other sites such as angel.co if the company name of the job posting matches your company name on LinkedIn.

After importing, the job postings will display your company logo, company description, profile pictures of your connections that already work there, etc, just like a real job posting. The "Apply" link redirects to the original job posting such as from angel.co.

The only reason I was able to tell these are not legitimate is because the descriptions of the posts clearly describe a different company.

So it seems to be a phishing opportunity is to create a profile on LinkedIn or angel.co with a company name that matches your target company. Write some job postings with descriptions that look like a job posting that the company would actually hire. And now those job postings will be reposted onto the official LinkedIn pages of the company, and applicants will be redirected to your phished webpage.

165 comments

[ 5.6 ms ] story [ 218 ms ] thread
> So it seems to be a phishing opportunity is to create a profile on LinkedIn or angel.co with a company name that matches your target company. Write some job postings with descriptions that look like a job posting that the company would actually hire. And now those job postings will be reposted onto the official LinkedIn pages of the company, and applicants will be redirected to your phished webpage.

Ehh, not sure how I'm targeting the company by doing that? If I understand correctly, you're actually targeting an applicant here.

Not the op, but the major group tempted to do this would be recruiters, who get paid by companies, not candidates
Or people looking to lure job applicants into a scam. The job being on the companies actual LinkedIn page adds all the credibility they need to lure people in.
Especially when many companies run their job application pages through 3rd parties. The phishing page having a different domain isn't suspicious at all. Most of the time when I check the career's page on a company's website, it links to something like "corpname.randomhrsolutions.com".
I think that it would make an illegitimate job posting for example.com look legitimate as LinkedIn scraped it and posted it in LinkedIn's example.com profile page.
You're targeting the applicants but you're accomplishing the scam by using the official LinkedIn profile of the company which can hurt credibility.
LinkedIn may be less hypocritical than it first appears:

February 2022: LinkedIn sue Mantheos.

April 18, 2022: TechCrunch runs an article [0] stating that a U.S. appellate court affirms the legality of scraping publicly available data.

So IIUC, LinkedIn was consistently playing to the apparent law.

EDIT: oops, forgot the link!

[0] https://techcrunch.com/2022/04/18/web-scraping-legal-court/

Linkedin has always been a shitty company, so I bet they've been scraping the entire time.
That gives rise to a decent conspiracy theory: LI sued to pave the road for LI themselves to scrape en masse.
Citation for TechCrunch article missing.
I was working at a recruiting startup years ago and we got a cease & desist letter from LI asking us to stop crawling their public data.

Initially crawling them was very easy (we had ~100m profiles). With time crawling became harder and harder on the technical front. They obviously invested millions of $ in technology to stop being crawled.

(comment deleted)
This is the reason why I never click the hyperlinks on LinkedIn (or anywhere else, including my email, also including hyperlinks allowing me to unsubscribe from services etc.) while in my main browser. Always sending them to incognito browser. If it requires me to be logged in then I just shrug my shoulders and not view it again. That's because I (as somebody who is not an expert in security) can't tell what those long hyperlinks are meant to do or if I can trust the target website.
If i understand your description of what you do correctly, then clicking the email links in incognito mode does not help you in any way. The long weird url is almost always a tracking link unique to the specific email that you received. Clicking it verifies that you received and read the email sent you your email adress, no matter where you click it
The long weird URL lets you unsubscribe without having to log in
Only sometimes. I've had plenty of long unsubscribe links require me to log in or jump through other hoops.
When I decide to click on the link then I accept the other side will know I clicked on that URL. What I tried to say was that I am always a bit worried that by clicking on a link there will be a chain of redirects or some click-jacking technique (or anything else) that in result will take over one of my accounts which I'm keeping logged in on my main browser (i.e. google, or LinkedIn)
I'm not particularly sure I understand. You're worried that because the URL is long that it might somehow take over your google account? I'm not quite sure I understand the correlation between "long URL" and redirects/clickjacking.
Looks like I structured what I tried to say in wrong way, sorry about that, English is not my mother tongue and sometimes I try to say too much in one sentence. I generally don't trust hyperlinks sent to me when pointing at source I have never seen before. I open such URLs in private session.
I would like to have a null browser as default on every device.

When opening a link it would only show a popup telling you what app tried to open what link and it gives you the option to choose what app/browser to open it or just to copy it. On mobile it would also have a share button.

It would be a completely offline app.

Just these features, nothing more.

Edit: actually it sounds like a good first Android app...

Indeed has been doing some version of this since at least 2013, to my knowledge, and probably before. Google Jobs or whatever they're calling it does this exact thing as well (I mean I'm not defending the practice, simply noting that this is the norm among job posting sites)
Do you have a source for that?

Google Jobs' site [1] suggests the data sources are likely from integrations with other platforms (2).

> There are two simple options to make sure your jobs appear on Google.

> 1. I post or aggregate jobs on my website - ...

> 2. I use a third-party to post jobs - Check to see if your job provider is already participating in the job search experience on Google.

https://jobs.google.com/about/

Are you confident that LinkedIn itself is doing that, rather than some recruiter working for or targeting that different company?

Or a recruitment SaaS that recruiter is using?

(Recruitment seems to be numbers game for a lot of people. And I've noticed a few questionable integrations and duct-tape workflows going on around LinkedIn. I wouldn't be surprised if the phenomenon you noticed was an accident of one of those.)

What's the difference? The end product is the same - OP's privacy is still undermined
You're right that the end impact is the same for OP. I don't think GP is arguing that this should necessarily soften consequences. It's pretty important to know who is responsible for this outcome and what consequences can fix the situation, though!

I believe GP's intended direction was that there may be very different conversations there depending on whether this is (1) a platform potentially abusing its users vs. (2) a platform's _user(s)_ potentially abusing other users.

How is privacy undermined?
First of all, I believe it is a LinkedIn feature because I came across an article on the LinkedIn knowledge base site about this feature 2 weeks ago. Unfortunately I can't find it anymore... It's very frustrating how searching Google for anything related to LinkedIn reveals dozens of pages of SEO spam but I digress.

I'm hoping someone else can find the article I read. What I remember about it was: It said it was a beta feature gradually being rolled out, but if you wanted access sooner there was a link to contact LinkedIn to enable it for your company. The other thing I remember from the page is that it said it would automatically import 2 jobs per month for free, which is good because this is in addition to the 1 free job you can post per month.

Secondly, if I dreamt about this article or something and this isn't actually a LinkedIn feature, then I apologize as the title and content of my post is misleading. However it is still a problem that somehow other companies are able to post jobs on your company's official LinkedIn that link away from LinkedIn to another page.

I'm sure there's a way to opt-out of all of this (or at least I'd hope so). The problem is that we didn't _opt_in_ which is why I think people need to know.

This is the company that crushed startup hiQ labs for scraping public profiles
Ironic that Linkedin hates people who scrape their site which is nothing but user generated content yet they do the same.
One rule for them, another for us. Same old, same old.
If this is the case then I wonder what happens in the event that LinkedIn's scrapers make a mistake and dont't parse the salary range on a job post, and then publish that post in a jurisdiction that requires one like Colorado. Would LinkedIn be opening themselves up to liability?
They seem hellbent on having a rotten reputation. I do not know a single person who likes it other than recruiters (who all tell me they're upset about people not replying to their out-of-the-blue messages). Every developer I know either simply dislikes the LinkedIn experience, or knows about the company's shitty behaviour and despises the company (to the point of deleting their profile or not signing up).

Surely this kind of thing will eventually come back to haunt them?

I have the opposite experience. I don’t get any messages from recruiters after having set the appropriate preferences. And I use LinkedIn to connect to relevant people in my field.
Consider yourself lucky.

I get hundreds per year.

Maybe 1 in 50 are decently relevant.

Many are mass spams. A good amount will be in tech I have no interest in, haven't worked in in over a decade, or have never worked in. It's clear the messages are sent without ever actually reading your profile or even job titles.

I wish there were a way to control only the handcrafted / non-spam messages reaching my inbox.

The ones that really grind my gears are the ones that clearly guessed your current work email address based on your LI profile and standard business email username formats.
Oh for sure. I bet `<first name>@<small company>` or `<first.last>@<company>` goes a very long way.

There are seem to be some techniques for verifying existence of an email address without actually emailing it.

https://stackoverflow.com/questions/565504/how-to-check-if-a...

I tried the below services with a custom G Suite domain and, to my surprise, they successfully worked, even for addresses that I know have never been posted publicly (!).

https://email-checker.net/validate

https://clean.email/verifier/how-to-check-if-an-email-is-val...

I have a PhD and so have Dr as my first name on LinkedIn.

All the automated messages address me as if Dr was my actual first name, So “hi Dr” or “Dr,…”

So it’s a good filter for all the machine created messages, which is a very very high percentage of them.

Yeah, I really don't have that much of a problem with LinkedIn. It definitely seems like they do scammy things, but I don't really notice since I really only login to it when I'm looking for a job. When I set my preference from "not looking" to "actively looking" or even the "casually looking" option (forgot what it's called), the flood gates get opened wide. Then it's pretty much just like picking a job from a job tree because there's usually so many options from recruiters. Then I turn it off, and the emails pretty much shut down (once in a while one or two seems to trickle through somehow, which is annoying but not that bad).

For my intent it kinda works the exact way I want it to, but I really only ever login when I'm looking for a job.

I wish I had this problem. I get maybe one or two messages from recruiters a month.
Am I crazy or did they get rid of this setting? I remember they used to have a way to set your status to "not looking", but I've been looking recently and can't find it.
My recruiter invites have been dropping at a exponential rate once I passed age 45. LinkedIn is apparently a fairly efficient platform for age discrimination.
One way to mitigate that somewhat is to never put your age online. I plan on being 39 for as long as possible.
Your CV kinda gives it away though...
Drop everything beyond N years...
Yes. Most people's CV's who have been around for a while are too long anyway. The goal should be one page, with only the most recent/relevant experience.
Empirically, I'm getting about the same results from my 1 page and my 2 page CV, based on call back rates, funnel progression, and interviewer comments. Go ahead and use two pages if the incremental content is relevant to your overall pitch.

(In my case the extra material is relevant... I've run pricing at five companies, which is usually a massively cross-functional job. Unlike my typical competitor, I've also mastered most of the supporting technical, accounting, and commercial disciplines... which makes me a one stop shop for serious pricing problems.)

Don't get me wrong, two pages might be optimal if you have lots of varied experience. I wasn't trying to make a case for one page only. It really depends on what you want to convey to interviewers.
> Surely this kind of thing will eventually come back to haunt them?

I doubt it. Network effects matter and nobody is switching from LinkedIn for fear of missing out. There is no other work-related social network like it.

It's different with FB/Instagram that there isn't much at stake so people will just switch to test something and then stay. With LinkedIn, the "what if I miss a job opportunity?" factor means there's pressure to ignore the UI issues and just stick it out.

I don't see a disruptor in this industry, do you know of any?

I see “network effects” cited so frequently as this impenetrable fortress, but… literally every site that now has “network effects” had to fight them to exist, so it seems kind of odd…
When LI started, it didn't have much competition so it was easier.

Network effects is not an impenetrable fortress. It just means your product has to have a really good reason for people to switch, and I dont see anyone in the work network space doing anything really better than LI. I wish someone was.

How about a video only (or video first) network - companies can promote but has to be videos. Tiktok meets LinkedIn (!)
That’s my point; nobody tries because harpies screech “network effects” every time it’s discussed…
We talk about exponential growth a lot more than exponential collapse. Historically, social networks collapse as quickly as they grow. Even mighty Facebook recently hit the peak, and in their most important markets the network effect is utterly collapsing.
Blind would be a cool one but it kinda defeats the purpose.
From personal experience: possibly Twitter. Having a presence there has given me several serious offers to interview, for jobs worth having (FAANG and similar).

The folks in my field (ML/applied math/scientific computing) are all on there, and moreover those reaching out to me are always technical folks rather than recruiters.

(Twitter gets a bad rap, but the academic/dev parts of it are the single best way I've found to track the Zeitgeist of fields and topics I'm interested in.)

I had the opposite experience.

'tech twitter' is full of junior developers, developer advocates, and students, all trying to sell e-books to each other or virtue signal their way into a dev advocate role. I only found content creator and tech influencer sales pitches.

This is definitely true, but then I also see more experienced developers and researchers tweeting about these people making fun of them and calling them on their bullshit.

I think tech Twitter quality is heavily dependent on being thoughtful of who you follow.

I did. I deleted my LinkedIn account. Too much spam. My personal information was constantly being shared despite telling LinkedIn I didn't want them to. I still get a few emails per week where they shared my email address with recruiters. I'd rather not work with recruiters anymore at all. In the future the best opportunity will be from my website or direct contact.
It seems like it should be easy to replace LinkedIn but no one seems to do it. I've looked at Xing and a few others. I loved the premise of LinkedIn but you can't forward messages any more.
> it should be easy to replace

Often network effects dominate this sort of thing, so that's probably not true.

You're right about the network effect.
I've deleted my LinkedIn profile years ago because it was annoying as hell.
Linkedin succeeds because most companies suck at recruiting so much, that this bottom-feeder behaviour by recruiters and Linkedin actually gets people hired, much faster than they otherwise would be. Recruitment agencies and their cheesy, ignorant reach-outs are actually what gets the market going. This is because hiring managers at tech companies don't want to do the job themselves, even though they'd do a lot better.
This is exactly the issue. As sucky as LinkedIn is, it actually did result in better results for me than average HR department at a given company. That should not be the case, but so very often it is.. therefore, LinkedIn remains one of the viable options.

I am relatively lucky, because I am now old enough to have friends, colleagues and some reputation so I do not need it ( amusingly, my profile was flagged for something recently and I have not looked back ), but I remember when I did and recruiters were the least painful way to get my foot in the doors

(comment deleted)
Honestly, this feels like a natural reaction to the ruling that they couldn’t stop people from scraping their site.

They probably just decided, we may as well do it too.

> Every developer I know either simply dislikes the LinkedIn experience, or knows about the company's shitty behaviour and despises the company (to the point of deleting their profile

omg, I had that feeling too (and I actually removed my profile): good: I thought I was alone :)

My hope that Microsoft’s professional oversight would be a healthy moderating influence has not panned out.
You might notice that Microsoft has destroyed all of its acquisitions
tell me how you find job posts, do you disklike the concept of a search engine for jobs?
I don't dislike the concept of a search engine for jobs. I haven't had to search for a job for a while, but there are plenty of places outside LinkedIn which provide job listings
the whole idea of search engine is that you only go to one place, so, what that one place is gonna be?
To be fair, who ever wanted a work-based social media platform? People have accounts because it’s expected as part of the recruiting process. The only people I see posting on there are embarrassing “workfluencers” sharing each other’s content into the void.
(comment deleted)
(comment deleted)
A cool hack I have found is that those developers who do not have linked in profiles are usually better developers.
How does this play with copyright infringement? If I advertise a job on my own website, and someone copies that verbatim and reposts it, isn't it a clear case of copyright infringement? (or am I missing something....)
Most people having their copyright infringed probably don't care to sue Linkedin over it because their postings are getting additional exposure which is usually costly. The problem the OP complains of is that some other company's job postings are appearing on their company's Linkedin page, which isn't their copyright infringement lawsuit to fight (it's someone else's copyrighted work).

I'm not a lawyer so I don't really know what this is. Maybe trademark infringement? But you probably "signed" something giving them a perpetual irrevocable license to do stuff like that. "Tech companies being irritating in the third degree" is the best I have here. Not illegal yet, sadly.

Thanks, I did note the difference, it was just this reminded me of the separate issue I'd been wondering about.
It's a referral, same as Google search. Anybody interested clicks through to the original site, which is what the original site wants.
Web scraping is legal, US appeals court reaffirms (April 2022) [1]:

> Using a “gate-up, gate-down” analogy, the Supreme Court said that when a computer or website’s gates are up — and therefore information is publicly accessible — no authorization is required.

> The Ninth Circuit, in referencing the Supreme Court’s “gate-up, gate-down” analogy, ruled that “the concept of ‘without authorization’ does not apply to public websites.”

[1]: https://techcrunch.com/2022/04/18/web-scraping-legal-court/

Scraping is one thing; reproduction is another. I can scrape the Times but I don't get to mirror their site on my own domain.
I've always wondered how this isn't more of an issue for the common archivers and news sites...
Indeed, Crunchbase even host photos that they've scraped from other websites - how do they work around the image copyright? (I know profiles where they've taken copies of staff photos from a corporate website where they most certainly don't have permission to reproduce).
A few years ago, I worked at a tech company that shared a name with a restaurant a few towns over.

The company's LinkedIn (with our logo, connections, etc...) would show job openings for cooks and waiters.

I found it funny, at the time, and even went to the restaurant to try it out.

"I'm here for the job managing the servers."

"Sounds great, when can you start?"

Preface: I hate LinkedIn

Do we know that in fact LinkedIn is scraping? Could it be that the LinkedIn data science team is erroneously matching company names with job titles that are added to its website? E.g., someone from YMCombinator posts a page to LinkedIn and puts the application link to angel.co. Then LinkedIn mistakenly sees YMCombinator as YCombinator and adds the logo (no scraping involved).

Whatever you think of LinkedIn’s or Microsoft’s ethical standards this would be so comical - and could piss off so many major LinkedIn large customers - that it warrants alternative hypotheses like yours.
LinkedIn may or may not be scraping. Just remember that scraping is a pejorative word for what Google does, also known as "indexing".
Historically LinkedIn and Indeed were my go to places. When I go to LinkedIn and do a job search, I expect that there is really a job and not a job that was removed 2 weeks ago. That the "Date Posted" isn't the "Date Scraped." If LinkedIn started to scrape and have a ton of spam, I simply would no longer use them. My question was to determine if there's an alternative explanation or if they are scraping.
I would differentiate scraping and indexing by how you represent ownership/authorship.

Google search results are indexed content.

Google magic answer boxes are often scraped content.

Taking OP's claim at face value this looks like scraping to me.

If the job ad on linkedin says "Easy Apply" it means the job was posted on Linkedin. If it just says "Apply" with an arrow that means it scraped it off another job posting site. Linkedin even scrapes the "number of people applied" from the 3rd party site.
Don't forget: LinkedIn is owned by Microsoft. Just like Github.
Someone wants to be our (tech worker’s) friend..? MS as a tech labor hub?
(comment deleted)
Just redirect people out of LinkedIn. My LinkedIn page says only "My real profile is on Github: URL".
Not only is there phishing opportunity, it's being actively exploited to much greater financial effect (check fraud and identity theft), and you don't even need to go to the lengths of creating a company profile or a website as anyone can create a job posting for any company (with rare exception) [1].

Here's a very real series of events I'm privy to:

- Bad guy gets a domain name confusingly similar to the target company (maybe tack on "inc" or "llc").

- Bad guy gets access to a LinkedIn account (doesn't matter who or if they're connected to the company; stands to reason that a hacked account with existing connections adds credibility) and updates the title to CEO of target company.

- Bad guy posts an "Easy Apply" ad for a remote job with target company.

- That job listing automatically appears on target company's LinkedIn page.

- Bad guy begins receiving contact info for the job and gets to work.

- Following a weak interview process conducted entirely over IM or email, the candidate is hired.

- New hire provides identity documentation at bad actor’s request.

- Bad actor sends new hire a check with instructions to buy equipment for their home work area from a specific vendor who is also the bad actor.

- New hire deposits check and bank makes funds available before the check clearance process actually completes.

- New hire buys a few thousand dollars’ of equipment from a vendor that doesn’t exist with money they don’t actually have.

- Check bounces and the jig is up.

By the time target company found out, LinkedIn has removed both the job ad and the profile that created it, but did not and would not reach out to the applicants to warn them of the scam nor provide those applicants to the target company (y'know, the company the applicants thought they were applying to; citing "privacy reasons").

While [1] says LinkedIn can do something to restrict who can post jobs on behalf of your company, it's wholly undocumented (and I suspect may not work well for companies relying on both internal and external sourcing). The only defensive measure I've identified is setting up a job alert for your company, specifically for Easy Apply and/or Remote positions as that seems to track with the scam.

[1] https://www.bleepingcomputer.com/news/security/you-can-post-...

The more nefarious ploy is how Axie infinity got shut down for millions of dollars in fraud because the targets opened a PDF that was actually sent by NK bad actors posting a fake high paying job and interview process
I have 'Hibernated' my profile a month ago. I've never felt better. I recommend others to do the same.

It won't permanently throw away your data, allowing you to revert if you so desire.

A bit of tangent, but it reminds me of a funny story:

I discovered one day that I am getting recommended "Long distance truck driver" jobs through email and some of the re-targeted ads. First, I ignored them, but in a week or two, it became apparent that it was not just a coincidence. After some research, I realized that I had listed "Device Driver" programming as a skill on my LinkedIn and personal website. I suspect it must have been crawled, and the word "Driver" was matched to send me those recommendations.

Maybe add "Function hooker" to your profile and see what happens.
"Oracle expert"

2 weeks later: See your new recommendations for job opportunities in Delphi!

(comment deleted)
Fuzzy matched to NAICS titles perhaps. I’ve gone through that jumble and “Driver” had so many edge cases
Haha I got suggested for "freight" and "shipping" due to having "Cargo" (the MediaWiki SQL wrapper, not the package manager) listed on mine.
My "Rust" experience apparently qualifies me for a job as an aircraft painter.
there lots of scammers who do it. it is probably nothing from linkedin team itself.

you may want to apply for the job to see what happens

I've seen the same with Glassdoor, years ago while on my previous employer. The company's name is also used by an American company in a completely unrelated business and vertical. Many times I saw job listings that were not for our company at all.
This has been happening to us for over a year. We contact support, the posting gets removed, and then a few weeks later it is back. It's infuriating.
We've also had a HUGE influx of fake accounts in the past couple of months claiming to work for our company. According to LinkedIn we have 243 employees! In reality, we have 23.

See for yourself: https://www.linkedin.com/company/facetdev/people/

How are these accounts not being automatically flagged as fake?

Is there employment verification on LinkedIn at all? They don't go back and check everyone's references, their listed university, skills, or certifications, do they? I think as with resumes, it's really easy to lie, and it's up to others to cross-check things.
Sounds like a good way for some clever person on HN to add fake job listings to LinkedIn and Microsoft's profiles.