How can employees avoid falling prey to LinkedIn scams?
With reports that Chinese spies are utilising LinkedIn to scam British officials, TI asks cyber security experts what employees should look out for
For social media firm LinkedIn, the stated mission is: “Connect the world’s professionals to make them more productive and successful.”
A userbase of 900 million collectively logs in to the site in the hope of finding new work connections, opportunities, and industry information – but, according to reports, hackers are using this to their advantage.
Last month, The Times reported that a Chinese spy was using fake accounts on LinkedIn to contact thousands of British officials and lure them into handing over state secrets.
Although British security service MI5 had previously warned that spies use LinkedIn to target those with access to confidential information, the alleged spy still managed to set up several fake accounts over a period of five years to gather sensitive information.
According to The Times, some of the targets were offered trips to China and paid speaking engagements, while others were asked to provide reports which the spy used to request more confidential documents with the aim of entrapment.
British officials are not the first to fall for LinkedIn scams. Last year, the $540 million hack of Axie Infinity’s Ronin Bridge was the consequence of its former employees being duped by a fraudulent job offer on LinkedIn.
These types of scams are still proving successful, particularly in the current economic climate.
In 2021, the UK government reported that over 10,000 UK nationals had been targeted on sites such as LinkedIn and Facebook.
The use of fake profiles on social media and professional networking sites is occurring at scale. In the first half of 2021 alone, LinkedIn stopped 11.6m fake accounts at registration.
Current and former civil servants are particularly attractive targets because of their experience, and if their positions are listed on sites such as LinkedIn, they risk receiving fake offers of lucrative consultancy work when they connect with unknown users.
“Creating a fake account is a clear violation of our terms of service,” a LinkedIn spokesperson told TI.
“Our Threat Prevention & Defense team actively seeks out signs of state-sponsored activity and removes fake accounts using the information we uncover and intelligence from a variety of sources, including government agencies,” they added.
According to Jim Kelly, regional vice president of endpoint security at cyber security firm Tanium, as the economic downturn continues it’s creating a sense of desperation in both criminals and victims.
And nets are likely to be cast wider than public officials, with job boards being used as an unexpected threat vector, offering users a false sense of security that they are safe from harm.
“This is exactly where criminals seek to strike,” Kelly observes.
In agreement, Steve Bradford, senior vice president EMEA for identity management firm SailPoint says: “Scams are far-ranging and growing more sophisticated by the day – from widespread phishing attacks to more targeted methods which impersonate those we recognise and trust.”
While some victims may be savvy enough to avoid sending any details to, or clicking on dangerous links from, someone they don’t know, friend and family accounts can also be compromised and used to send spam or viruses, adds Carl Wearn, head of e-crime at IT security company Mimecast.
“Organisations have a vital role to play in increasing training and awareness for staff to spot these suspicious and ‘out of the ordinary’ questions, whether that’s across social media platforms, email, or phone,” Bradford stresses.
For Bradford, it’s up to companies to educate employees in recognising the signs of malicious communications, and for people to remain sceptical of any message they receive offering or requesting something.
In this case, employees need to start questioning: “Is it the type of message you would expect from this individual?” Wearn says.
Any important communication, particularly one requesting money or purchases, should be verified by other means before acting, he adds.
If you receive a suspicious-looking message, he says, “contact the colleague or family member requesting by phone or other reliable means, speak to them in person, if at all possible.”
To thwart phishing messages or emails, Tanium’s Kelly says to look for signs “including being pressured to respond quickly, suspicious links, egregious misspellings, or offers of something too good to be true,” such as a trip to China.
For links, the advice is to never click.
“Links can be easily spoofed to represent an inaccurate destination URL, and on mobile devices URLs are often shortened in any browser, rendering a simple hovering over any link useless,” Kelly says.
Instead of clicking on a link, it’s advisable to type the address of the website the link appears to point to directly into your browser, so you can be sure you are on the genuine website.
“Following links is likely to lead to a spoofed website, which may well be a complete copy of the genuine website, and the loss of your genuine login credentials,” Wearn says.
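The two warning signs described above, a link whose visible text does not match where it really points and a shortened URL that hides its destination, can be checked automatically before anyone clicks. The following is an added example written for this article, not code from LinkedIn, Tanium or Mimecast. It parses the anchors in an HTML message with Python's standard library and flags three things: shortened hosts (the `SHORTENERS` list is an assumed set of common services), display text that looks like an address but resolves to a different site, and hosts that contain a trusted brand name without actually being that site. The `same_site` comparison on the last two labels is a deliberate simplification (it mis-handles suffixes such as `co.uk`), and the sample message is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of common URL-shortening hosts (not taken from the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "lnkd.in"}

# Visible anchor text that looks like a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare domains without a scheme are accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def same_site(host_a, host_b):
    """Crude registrable-domain comparison on the last two labels (assumption:
    adequate for .com-style names, wrong for suffixes such as co.uk)."""
    return host_a.split(".")[-2:] == host_b.split(".")[-2:]


def check_link(href, text, trusted=("linkedin.com",)):
    """Return a list of warning tags for one link; empty means nothing looked off."""
    findings = []
    host = host_of(href)

    # 1. Shortened links hide the real destination, so hovering tells you nothing.
    if host in SHORTENERS:
        findings.append("shortened")

    # 2. Visible text that reads like an address but points to another site.
    if DOMAIN_LIKE.match(text):
        shown_host = host_of(text)
        if shown_host and not same_site(shown_host, host):
            findings.append("display-mismatch")

    # 3. A trusted brand name embedded in a host that is not that site,
    #    e.g. "linkedin.com.<something-else>" (a constructed pattern).
    for brand in trusted:
        label = brand.split(".")[0]
        if label in host and host != brand and not host.endswith("." + brand):
            findings.append("lookalike")

    return findings


def scan_message(html):
    """Run check_link over every anchor in an HTML message body."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


# Constructed sample message (not a real phishing mail): one lookalike link
# dressed up as a LinkedIn URL, one shortened link, and one genuine link.
SAMPLE = """<p>You have a pending LinkedIn message.
<a href="https://linkedin.com.account-verify.example/login">https://www.linkedin.com/messaging</a>
or <a href="https://bit.ly/3abcXYZ">view here</a>.
<a href="https://www.linkedin.com/in/example">My profile</a></p>"""

if __name__ == "__main__":
    for href, text, findings in scan_message(SAMPLE):
        print(f"{href!r:55} shown as {text!r:40} -> {findings or 'ok'}")
```

Run as a script, the first link is reported as both a display mismatch and a lookalike, the second as shortened, and the genuine profile link passes clean. The check is intentionally conservative: it never follows a link, so it can be run on mail or chat exports offline, and a flagged result is a prompt to verify by another channel, exactly as the advice above suggests.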
This advice is especially relevant to LinkedIn, as last year it emerged that the social media firm was the brand most imitated by cyber criminals in their phishing attacks, accounting for 45% of all phishing attacks at the time.
If a false link is clicked and login credentials are entered into a spoofed website, the damage is easier to contain when a person uses a different password on each website.
“Never re-use passwords across multiple websites, and always activate and use any form of dual or multi-factor authentication if available,” says Wearn.
“This can render your accounts easily recoverable if you quickly realise your error in following links or suspect your account has been compromised.”
On an enterprise level, Bradford says that the industry must fight bad actors with innovative technology: “Such as identity security, to protect the workforce and reduce the risk of cyber-attacks and data breaches by spotting irregular behaviour from users.”
In addition to this advice, the UK government’s National Protective Security Authority offers a handy app, Think Before You Link, on the Google Play Store and the Apple App Store, which helps users of Facebook and LinkedIn better identify the hallmarks of fake profiles used by foreign spies and other bad actors.