LinkedIn consistently ranks as the most trusted social networking platform due to the professional nature of its user base. In reality, though, the amount of information one can learn about businesses and high-level professionals on LinkedIn makes the site a target-rich environment for bad actors.
Here are some of the top threats LinkedIn poses to businesses and some tips on how to avoid them.
Over 774 million users—including 61 million decision makers and 10 million C-suite executives—use LinkedIn to showcase their education and work history, skills, and achievements. Unfortunately, these detailed profiles provide the ammunition social engineers need to identify potential targets, customize their attacks, and successfully penetrate a company’s internal systems.
One common tactic involves sending targets a phishing email designed to convince the recipient to click on a link that downloads malware or sends the individual to a fake website to capture his or her login credentials. To increase their chances of success, bad actors use LinkedIn to identify a target’s coworkers and bosses and spoof messages so that they appear to be coming from them. As 25% of employees tend to click on phishing links and nearly 70% submit their usernames and passwords, a business’s risk of a breach is substantial.
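The tactic described above relies on a forged sender that looks like a coworker or boss. The following check, added here as an example (it is not code from the article or from ReputationDefender), shows how a mail-filtering rule or SOC triage script can flag the three header patterns that usually accompany such messages: a display name that belongs to a known employee but comes from the wrong mailbox, a sender domain that is a near-miss of the real one, and a Reply-To that steers answers to a different domain. The staff directory, the `example.com` domain, and the sample messages are all constructed for the illustration.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Constructed staff directory (hypothetical names and domain, not from the article).
INTERNAL_DOMAIN = "example.com"
STAFF = {
    "Emily Williams": "emily.williams@example.com",
    "Dana Cho": "dana.cho@example.com",
}
LOOKALIKE_THRESHOLD = 0.85  # similarity ratio above which a domain counts as a lookalike


def _norm(name: str) -> str:
    """Collapse case and whitespace so 'emily  WILLIAMS' matches 'Emily Williams'."""
    return " ".join(name.lower().split())


_STAFF_BY_NAME = {_norm(n): a.lower() for n, a in STAFF.items()}


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw_message: str) -> list[str]:
    """Return findings for one raw RFC 5322 message; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    findings = []

    # 1. Display name belongs to a known employee, but the mailbox is not theirs.
    expected = _STAFF_BY_NAME.get(_norm(display))
    if expected and addr.lower() != expected:
        findings.append(
            f"display-name impersonation: '{display}' sent from {addr}, expected {expected}"
        )

    # 2. Sender domain is a near-miss of the real one (swapped or substituted characters).
    if from_domain and from_domain != INTERNAL_DOMAIN:
        ratio = difflib.SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            findings.append(
                f"lookalike domain: {from_domain} resembles {INTERNAL_DOMAIN} ({ratio:.2f})"
            )

    # 3. Replies are steered to a different domain than the one the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        reply_domain = _domain(reply_addr)
        if reply_domain and reply_domain != from_domain:
            findings.append(
                f"reply-to mismatch: From is {from_domain}, Reply-To is {reply_domain}"
            )

    return findings


# Constructed sample messages (not real mail) that exercise each rule once.
LEGIT = "From: Emily Williams <emily.williams@example.com>\nSubject: Q3 numbers\n\nAttached.\n"
IMPERSONATION = (
    "From: Emily Williams <emily.williams.ceo@freemail.test>\nSubject: Urgent\n\nClick the link.\n"
)
LOOKALIKE = "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: Password reset\n\nReset now.\n"
REPLY_TO = (
    "From: Dana Cho <dana.cho@example.com>\nReply-To: <dana.cho@mail-relay.test>\n"
    "Subject: Invoice\n\nSee below.\n"
)

if __name__ == "__main__":
    samples = [("legit", LEGIT), ("impersonation", IMPERSONATION),
               ("lookalike", LOOKALIKE), ("reply-to", REPLY_TO)]
    for label, raw in samples:
        print(label, check_headers(raw) or "clean")
```

These are triage heuristics rather than proof of forgery: a colleague mailing from a personal account will trip the first rule, so the findings belong in a review queue alongside the message's SPF, DKIM and DMARC results rather than in an automatic block.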
In one example, a cybersecurity firm doing a penetration test used a fake LinkedIn profile to see how many executives would click on a phishing link. The testers uploaded several pictures of a beautiful, local waitress and created an impressive background story (including a master’s degree from MIT) for a software expert named “Emily Williams.”
Next, the testers began connecting with other LinkedIn users. When they had collected a respectable number of connections, they changed Ms. Williams’s current employer to that of the target company and used the fake profile to send holiday messages containing a link to malware to the organization’s executive team. Every executive, save one (the chief of security), clicked on the link.
Instead of sending spies out to recruit targets in person, business competitors and foreign intelligence agencies are scaling their recruiting and data-gathering efforts by connecting with thousands of targets at a time via LinkedIn.
All someone needs to do is search the platform for high-privilege roles (like system administrator, vice president, or chief information officer) for select industries to create a list of potential targets.
Once a bad actor has chosen a target, all he or she needs to do is create a fake profile that looks real enough to dupe the unsuspecting user into accepting him or her as a connection. The spy can then gradually build a trusting relationship with the user and surreptitiously extract valuable sensitive data. Alternatively, spies can entice individuals to become an inside agent, regularly handing over intellectual property for profit.
“I think lots of worldwide intelligence agencies probably use it to seek out sources of information … Because it’s in everybody’s interest who is on LinkedIn to put their whole career on there for everybody to see — it’s an unusually valuable tool in that regard.”—Matthew Brazil, co-author of Chinese Communist Espionage: An Intelligence Primer
The problem of foreign spies using fake LinkedIn profiles to recruit informants is so pervasive that a host of countries, including Germany and France, have warned their citizens about it. In fact, the UK’s intelligence service recently reported that 10,000 Brits have been approached on LinkedIn by fake profiles linked to hostile states in the past five years.
LinkedIn posts containing seemingly innocuous information can give disturbed individuals or disgruntled former employees the information they need to plan a physical attack. For example, malicious actors can leverage the date, location, and schedule of events you post about an upcoming company function to arrive early and scope out the best place and time to stage an ambush.
Threat actors can also combine the personal details individual employees share on LinkedIn with other online information about them (such as what they post on their other social media accounts or the data available on people-search sites) to identify where and when they are most vulnerable to an attack.
LinkedIn has a fake profile problem. Between July and December 2020, the platform blocked over 14 million fake accounts, and these are just the ones that got caught. Nobody knows how many actually exist.
The trouble with these fake accounts is that they often list real companies in the profile’s Experience section. Consequently, if the person pretending to be an employee posts untrue, misleading, or offensive content, it can tarnish the reputation of the company associated with the individual.
In one example, an unknown scammer created a LinkedIn profile claiming to be “Pat Gomez,” an employee of the food processing and packing company Wayne Farms. The profile included an email address: patrickwaynefarms@consultant, which the scammer used to contact the company’s customers and solicit fake product orders.
How to avoid these threats
While it’s hard to eliminate all risks associated with using a social networking site like LinkedIn, there are things you can do to reduce the size of your employees’ (and your company’s) attack surface, thus lowering the odds of becoming a target.
For example, you can teach your team:
- To not share sensitive, personal information online—(This rule applies to all social networking sites, not just LinkedIn.) The more personal information bad actors can find about someone online, the easier it is to scam that person or hack that person’s accounts. Your employees shouldn’t post anything that others can use to track their daily movements or any information, like their birthdate, their address, or their mother’s maiden name, that bad actors can use to hack, impersonate, or otherwise harm them. If they have revealed this potentially dangerous information on LinkedIn, they should immediately edit their profiles to remove it.
- How to spot fake profiles—Just because someone shares a connection with you doesn’t mean that person is worthy of your trust. As such, it’s up to you to verify people are who they say they are before you accept any new connection request. An easy way to do this is to right-click on the person’s profile picture and select “Search Google for image” from the drop-down menu to see if that picture is copied from somewhere else on the web. Other clues that a profile is fake include strange wording in the description, low or no activity to view, and a current employer that you can’t find online.
However, to truly keep your company and employees safe, you need to lock down their entire digital footprint. This includes any potentially dangerous information they share on their other social accounts or personal websites, as well as any data people-search sites like PeopleFinders, US Search, and Spokeo publish about them.
This is a multistep process that involves:
- Doing a deep scan of the web to discover which sites are publishing your team’s information.
- Creating a plan of action that prioritizes threats and identifies which employees are most at risk.
- Following the opt-out process for each site for every employee.
- Tracking your actions and results to know what is working and what isn’t.
- Monitoring the web for new instances of your team’s information popping up.
As you can see, protecting your employees’ privacy takes a lot of time and effort, especially if you have a large team or your team members have a significant online presence. If this is the case, you might consider hiring a privacy expert like ReputationDefender to oversee the process for you. Our ExecutivePrivacy service automates the entire removal process, scanning social media and the dark web for threats, scrubbing personal information from people-search sites, and providing comprehensive individual and group reports for all stakeholders.
If you have any questions about protecting your employees’ privacy, please give us a call. We are happy to offer advice on the best ways to address your particular privacy concerns.
For more information about online privacy, see the following articles:
- 4 ways to keep corporate credentials off the dark web
- Why online privacy is vital to executive protection
- How personal IT affects corporate information security
- Corporate social engineering: What makes for an appealing mark?
- Real-world examples of executives being targeted due to online personal information