How Safe is LinkedIn? Be Aware What You Share
LinkedIn is a popular social networking site used for professional business connections, job searching, and hiring. Because of this, people are much more willing to share their personal information on this site, specifically surrounding their current role and job history. It is also very common for users to prominently display their contact information on their LinkedIn profiles. All of this makes it easier for job seekers and recruiters to get in touch with each other and find suitably qualified candidates for available roles. However, once you share information online it is available for anyone to access, especially on a public profile like LinkedIn. On other social media sites, by contrast, users often set privacy restrictions to ensure that only the people they confirm as friends can access their private profile information.
You should always be cautious about any emails you weren’t expecting, especially on your work email account, or any other accounts you have shared or listed publicly online. Check the sender address carefully to determine whether a message is likely to be legitimate or whether it needs to be reported as a threat. Cyber criminals can gather information from your LinkedIn profile to use in targeted phishing attacks against you, known as spear phishing. Emails or private messages that discuss a personal interest of yours, or reference a specific club or group you belong to, are more likely to appear legitimate despite actually being part of a scam. Your profile likely already includes your job role and what company you work for, but what you post may enable cyber criminals to piece together who else works there, what current projects you are working on, and maybe even customer-specific or sales information that is supposed to be private and confidential.
New employees are particularly susceptible on LinkedIn. In our firm, a new employee recently posted about their new job on LinkedIn and within 48 hours they received a spear phishing email, pretending to be from their new boss (also discovered from LinkedIn) asking them for a ‘favour.’ New employees, eager to impress and maybe still doing their orientation and security awareness training, are easy targets for fraudsters.
LinkedIn has a Sales Navigator feature called LinkedIn Smart Links, which companies can use to obtain tracking information on who accesses the links. The purpose behind this feature is to help marketing teams determine engagement levels. When a Smart Link is created, it uses LinkedIn’s domain with an 8-digit code added to the end. This makes the link appear to come from a legitimate source, as it is recognised by users and email programs as a LinkedIn link. However, cyber criminals have been abusing this system in phishing messages to bypass security features and deliver malicious links to their targets.
Cyber security firm Cofense detected a recent phishing campaign utilising these links, which they have identified as a resurgence of this cyber attack type, first seen in late 2022. The campaign used over 80 unique links, derived either from LinkedIn business accounts that had previously been compromised or from newly created accounts. Over 800 emails using these malicious links were detected between late July and August, targeting a range of industries and business types. Although this is currently a fairly small-scale campaign compared to other phishing attacks, it still presents a serious threat, as the obfuscated links can bypass the security filters on email applications that are supposed to detect and prevent phishing messages from reaching your inbox.
As is common with other phishing scams, these links take the user to a fake sign-in page that imitates an official Microsoft login page. The victim is tricked into providing their password and other account credentials to the cyber criminals by being prompted to enter them in a fake login attempt. Because of the tracking information encoded into the Smart Links, the criminals are able to obtain their victims’ email addresses and autofill some details into the fake Microsoft sign-in form, making it appear more convincing when requesting further details such as passwords.
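One way a mail filter can flag the pattern described above: extract URLs from a message, identify LinkedIn-domain links that end in an 8-character code, and raise the severity when the sender is not LinkedIn and the body carries credential-lure wording. This is an added illustration, not code from Cofense, LinkedIn or the original article; the `slink?code=` path, the host list, the lure-word list and the sample messages are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the article) mimicking the pattern:
# a LinkedIn-domain URL with an 8-character code at the end, sent by a
# party that is not LinkedIn.
SAMPLE_EMAILS = [
    {"from": "docs-share@example-invoices.test",
     "body": "Your shared document is ready: https://www.linkedin.com/slink?code=AbC12xYz"},
    {"from": "notifications@linkedin.com",
     "body": "Jane viewed your profile https://www.linkedin.com/in/jane-doe-123"},
    {"from": "contact@example-partner.test",
     "body": "Here is the link we discussed: https://www.linkedin.com/slink?code=Qq9ZzTt1"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Assumption: the article only says "LinkedIn's domain with an 8-digit code
# added to the end", so both a "code=" query form and a trailing path
# segment of exactly 8 URL-safe characters are treated as Smart Link shapes.
SMART_LINK_CODE_RE = re.compile(r"(?:code=|/)([A-Za-z0-9_-]{8})$")
LINKEDIN_HOSTS = {"linkedin.com", "www.linkedin.com"}   # assumed host list
LURE_WORDS = ("document", "invoice", "validate", "password", "sign in", "mailbox")


def is_smart_link(url: str) -> bool:
    """True if the URL is on a LinkedIn host and ends in an 8-character code."""
    parsed = urlparse(url)
    return parsed.netloc.lower() in LINKEDIN_HOSTS and bool(SMART_LINK_CODE_RE.search(url))


def triage(email: dict) -> dict:
    """Return the Smart Links found in one message and a filter verdict.

    quarantine: Smart Link + non-LinkedIn sender + credential-lure wording
    review:     Smart Link + non-LinkedIn sender (analyst should resolve it)
    allow:      no Smart Link, or LinkedIn itself is the sender
    """
    sender_domain = email["from"].rsplit("@", 1)[-1].lower()
    links = [u for u in URL_RE.findall(email["body"]) if is_smart_link(u)]
    external = not sender_domain.endswith("linkedin.com")
    lure = any(word in email["body"].lower() for word in LURE_WORDS)
    if links and external and lure:
        verdict = "quarantine"
    elif links and external:
        verdict = "review"
    else:
        verdict = "allow"
    return {"smart_links": links, "verdict": verdict}


if __name__ == "__main__":
    for message in SAMPLE_EMAILS:
        print(message["from"], "->", triage(message))
```

A "review" verdict is the useful middle ground: the Smart Link itself is legitimate LinkedIn infrastructure, so the analyst's job is to follow the redirect in a sandbox and decide whether the landing page is a sign-in lure.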
You should also be cautious about connecting with people you don’t know on LinkedIn, such as people posing as recruiters. They may offer too-good-to-be-true business opportunities and use extended interview-style conversations to trick you into revealing information about your job role and what your company handles. They may have connected with a few of your co-workers and friends in an attempt to gain as much information as possible and be more convincing in their scam. To spot a fake profile, you need to be critical about what they are offering and whether or not it seems legitimate. Are the questions they’re asking related to the opportunity? Or do they seem too interested in specific details about your current role, without describing what their company does or what your new role would be? Do they seem more interested in your employer than in you? You can also check up on the recruiters themselves to see if the profile is real, and if their ‘company’ has a web presence.
Identifying and reporting all suspected phishing attempts is the best way to protect yourself at home and at work. When using an email reading programme such as Outlook, or when accessing emails online such as through Gmail, you can report phishing messages directly. This is done by opening the (…) menu while the phishing message is open and clicking the ‘Report Phishing’ option. The best defence against attack is a well-educated team that knows how to avoid malicious websites and how to avoid clicking links in suspicious emails. Cyber Coach Security Awareness Training can turn your team into a security asset rather than a security risk. Get in touch to book a free consultation with our experts today, and find out how to turn your employees into your biggest cyber security asset.