There has been much chatter on the world’s largest professional networking platform (as well as other social media sites) about a surge in suspicious activity, so much so that parodic imitations have started to surface, which, in its weird social media way, has created a substream of spam and scams.
But, why LinkedIn?
According to Business Insider’s Digital Trust Report 2019, LinkedIn is considered the most trusted social media platform. But being the most trusted is a mixed blessing, especially from a security standpoint, as where there is trust, there will be people willing to take advantage of that trust. If users are inherently more trusting in the platform, then there is the likelihood they’ll be less discerning about their activity and may slip up more easily.
Popularized by Twitter, verified status markers have become commonplace for social media sites to ensure that accounts of public interest are authentic; it alleviates the need for users to conduct their own vetting and therefore provides an additional layer of implicit security; LinkedIn doesn’t have this.
Ultimately, enterprise data can be far more valuable than individual consumer data. Obtaining enterprise data can provide hackers with access to millions of consumer profiles.
What does a LinkedIn scam look like?
Firstly, we need to discuss fake profiles
Fake profiles are rife on social media. They’re particularly pervasive on the more consumer-centric platforms like Facebook, Instagram and Twitter, where bots and fake celebrity, influencer and corporate accounts run amok, but they’re beginning to crop up more and more on LinkedIn.
The fake profile works so well because of the nature of LinkedIn; it’s a professional networking site where users are encouraged to build and engage with their professional network.
When you have a platform full of hungry professionals looking to boost their ‘personal brand’ and meet the illustrious 500+ connections mark, members can become less selective about who they connect with.
Even if one employee is overzealous or unscrupulous when it comes to networking, they could prove to be the weak link that phishers need to mount a more serious attack.
For instance, once you connect with someone on LinkedIn, the default setting is to allow access to your email address – if you’re connecting with someone you know, then why would this be an issue? With access to a corporate email address, you’ve then got the email syntax (e.g. J.Bloggs@example.com) and can then go on to work out what other employee email addresses are.
It’s a snowball effect.
No amount of network security will be able to judge the validity of a profile and prevent connections; it’s ultimately down to the end user.
Members need to be careful about who they connect with on LinkedIn. Not everyone will be who they say they are: information may be inaccurate or misleading, or it may even be a duplicate profile parading as an existing user. There are, however, some easy ways to assess the legitimacy of a profile.
How to spot a fake LinkedIn profile
Common name: common names help phishers blend in. A more common name makes it harder to accurately identify an individual and cross-reference them online. That’s not to say all common names are fake; it’s just something to be wary of.
Profile picture: if you’re phishing for details, it’s unlikely you’ll want to use your own face to scam people; it’s like a bank robber without a mask. If you have doubts as to whether a profile picture is legitimate, you can do a reverse image search.
In Chrome, by right-clicking on the image and clicking ‘Search Google for Image’, you can determine whether the image is legitimate or whether it has been used anywhere else on the internet. If it is used in multiple locations and isn’t tied to your prospective new connection, the likelihood is that they are not who they claim to be.
If you haven’t got Chrome, you can search using Google Images.
Company Check: check the company that the profile claims to work at; does it exist, does it have a website, is it in the right industry?
Just be wary that anyone can sign up to a company’s network on LinkedIn without verification.
Check their connections: does the profile have any connections? If so, do they have any at the company they claim to work at? It’d be highly unusual for them to operate in a vacuum unless they’re a one-man-band. Are the connections credible? More sophisticated phishing profiles build up a multitude of accounts to legitimize their profile, so you may need to dig beyond the surface and not be duped by the number of connections alone.
Profile completeness: LinkedIn gives its users feedback on the strength of their profile encouraging users to populate as much as possible. If a profile is particularly bare or lacks meaningful substance, this might be cause for concern.
However, if a profile is complete, this is no guarantee of validity as it is incredibly easy to duplicate a profile.
Unfortunately, the above guidance doesn’t provide any guarantees, merely broad criteria you can use to make a subjective assessment. Yet, if a profile exhibits a number of the above issues, it would be wise to maintain a level of healthy skepticism.
If you do happen to stumble across a fake profile on LinkedIn, you should report it and LinkedIn provides instructions on how to do so.
A fake profile is just the first step, a scammer still needs to determine how they are going to pry personal or corporate information from their target(s) – what’s the vehicle and what’s the bait?
What are the common vehicles & bait for LinkedIn scams?
As mentioned previously, once you are connected with someone on LinkedIn, default privacy settings allow you access to their email address, so getting past the connection hurdle might be enough. This is why LinkedIn continually reiterates the philosophy of connecting with people you actually know.
This is a relatively effortless technique; scammers can send out dozens of connection requests quite easily. All that is needed is an attractive enough profile for a member to click accept. However, LinkedIn does have safeguards in place to mitigate such activity, including invitation limits for profiles that have had a lot of requests rejected or ignored. Also, the number of connection requests you can send is affected by your own connection count.
The reality is that building a profile (or company page) with a substantial number of connections might, in itself, be enough, due to the amount of personal information available on connection.
Private Messaging & InMail
Private messaging and InMail are similar in functionality, but the primary difference is that private messaging is for direct connections whilst InMail is an advertising solution that allows users to message people who are not a direct connection.
A known example of an InMail scam is when a phisher used a LinkedIn premium account to distribute a Wells Fargo Google Doc that redirected recipients to a phishing page on a hacked website.
For the most part, InMail isn’t a viable option given LinkedIn’s restrictions as well as the cost – InMail can be very expensive – but that’s not to say it doesn’t happen.
Being a free solution, private messaging is a more cost-effective and accessible option.
LinkedIn has identified common tactics deployed by phishers and they have all the telltale signs of classic social engineering including inheritance and advanced fee scams, lucrative job offers, technical support as well as dating and romance scams.
LinkedIn branded emails
Then there is the good ol’ faithful email for LinkedIn phishers, the tried and tested vehicle of choice.
One example of a fake LinkedIn email is the ‘you appeared in X search this week’.
This particular email, fortunately, got filtered into junk, but is quite an obvious scam email when looking a little closer:
- The sender’s email address is a dead giveaway: a non-LinkedIn domain
- Poor grammar in the subject line
- The LinkedIn logo is out of date and off-brand
- The ‘you were found by people at these companies’ brand logo is invariably the same across a number of emails
Just hovering over the links and buttons in the email, you can see that none of the links point to linkedin.com. On clicking, the email directs the recipient to marijuanacloud.com which then redirects the user to one of several suspicious-looking pages for viagra. More sophisticated techniques make use of LinkedIn within the domain itself e.g. profile.linkedin.com.verify.org to give the impression that it is, in some way, connected to LinkedIn.
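The two checks above (sender domain and link targets) can be automated for triage. The following is an added example, not code from the original article: it parses a constructed sample email, extracts the registrable domain of the sender and of every link, and flags anything that is not actually linkedin.com, including the look-alike host profile.linkedin.com.verify.org. It assumes a simple "last two labels" rule for the registrable domain, which is a simplification (it ignores multi-part public suffixes such as co.uk); a production version would use a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains that genuinely belong to the platform (assumption for this example).
LEGIT_DOMAINS = {"linkedin.com"}

# Constructed sample email modelled on the "you appeared in X search" lure.
SAMPLE_EMAIL = """\
From: LinkedIn <notifications@linkedin-notify.example>
Subject: You appeared in 7 search this week
Content-Type: text/html

<p>See who found you: <a href="https://profile.linkedin.com.verify.org/login">View</a></p>
<p>Manage settings: <a href="https://www.linkedin.com/psettings/">Settings</a></p>
"""


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit_host(host: str) -> bool:
    """True only if the host's registrable domain is one we trust."""
    return registrable_domain(host) in LEGIT_DOMAINS


def audit_email(raw: str) -> list:
    """Return human-readable findings for a sender or links not under linkedin.com."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1]
    if not is_legit_host(sender_domain):
        findings.append(f"sender domain {sender_domain} is not LinkedIn")
    body = msg.get_payload()
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        if not is_legit_host(host):
            findings.append(f"link points to {host} (registrable: {registrable_domain(host)})")
    return findings


if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```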
These errors are easily identifiable on a desktop computer. On a mobile device, however, where the screen is much smaller, certain elements are hidden (e.g. the sender’s email address) and user behavior and context differ; an email that piques competitive curiosity could tempt less discerning recipients.
There are some general tips about how to avoid phishing emails, but for this email in particular, if you’re desperate to see how you fared in the search results on LinkedIn, there are in-app/platform notifications for this.
Acknowledging the fact that the professional networking platform is a target for phishing emails, LinkedIn provides guidance on the types of emails they will and won’t send you, as well as further examples of phishing emails they’re aware of, so if you’re unsure about the authenticity of an email, you can always review it against these criteria.
What is LinkedIn doing to prevent phishing and scams?
Understanding that there are miscreants at work on the platform, LinkedIn is striving to ensure that member data is properly handled and their trusted reputation doesn’t go the same way as other social media sites.
They follow the latest security best practices and have built a site dedicated to educating their users on phishing and spam as well as the types of fake profiles that commonly occur.
The purpose of this article is by no means to dissuade people from using LinkedIn nor is it to instill the fear of God in its members, it’s merely to highlight that we’re not as safe as we think we are. LinkedIn’s platform is an excellent way to build your professional profile and companies have acknowledged the value that comes in tow, but users just need to be mindful of the information that is publicly available on their profiles and who they exchange information with on the platform.
What can security teams do?
When it comes to endpoint security, employees can be an organization’s greatest weakness, but providing your workforce with the necessary awareness training will help mitigate phishing attacks.
Additionally, investment in a Threat Defense solution will provide organizations with an added layer of protection. Although employees can provide initial screening, social engineering attacks are becoming incredibly sophisticated and there is only so much training one can do. Some Threat Defense solutions are able to provide visibility whenever a user navigates to a known mobile phishing page, and the best ones can block access to phishing links as soon as the victim attempts to access them.