Business-oriented social media platform LinkedIn posted an announcement this week that there’s been additional fallout from a four-year-old data breach. Back in 2012, the site suffered an unauthorized access attack in which the passwords of multiple accounts were compromised. Now, however, additional information that is believed to have been accessed four years ago has been found for sale online, leading the company to issue a new warning concerning password security. All members–not just those whose information was fraudulently accessed–have been cautioned to change their passwords.

Now, the fun begins.

Scammers have already begun playing off this announcement and the resulting emailed warnings to the 100 million or so affected users. With the news that LinkedIn is informing compromised accounts on an individual basis, phishing scams masquerading as LinkedIn correspondence have already cropped up.

The emails, which unoriginally contain poor grammar and fail to even capitalize the name of the website, instruct users to change their passwords by clicking the included link. As the genuine emailed warning from LinkedIn contains no link, only instructions to go to your account and change your password/log out, the link included in the scam attempt will undoubtedly install malicious software on the victims’ computers.

Of course, this type of scam attempt is nothing new. There are always phishing attempts any time a major news headline occurs, whether it’s fraudulent charitable requests following a widespread natural disaster, offers to be included in lawsuits like the AshleyMadison class-action lawsuit, or (as in this case) attempts to steal users’ personal information or gain access to their computers following the news of a data breach. Users who think they are taking swift action to protect themselves are actually causing themselves further harm.

Even without the news of a major event, it’s a safe bet to never click a link in an unsolicited email, and to verify the sender before ever turning over personal or company data.