By Peter Warmka, CPP
Today’s professional human hackers are migrating from basic phishing techniques delivered to a wide audience via spam e-mail having malicious links or malicious attachments to direct spear phishing attacks against single targets via social media platforms such as LinkedIn.
In fact, LinkedIn’s search feature provides an excellent resource for identifying specific individuals within an organization for targeting. Assessment data is collected on these individuals from LinkedIn and other social media platforms. Fake LinkedIn profiles are then established having commonalities with the target such as alma mater, profession, or passion for a humanitarian cause. These commonalities greatly increase the likelihood that a target victim will accept an invitation to connect.
Once connected, a human hacker will establish a dialogue with the target via LinkedIn’s messaging feature. After the exchange of a few messages to develop further rapport and trust, the target will be asked to click on a link or attachment sent via this messaging feature. In most cases, the target will execute the action thereby releasing malware into their device. If this same device is utilized to log into their organization’s IT network, it may facilitate a breach of their network.
A profile should never be trusted based upon the number or quality of connections. It is not difficult for a fake profile to acquire over 500 legitimate connections within 10-14 days. The human hackers may also approach several of the target’s own connections prior to reaching out. Seeing several mutual connections listed frequently increases blind trust.
Provided below are 5 tips which LinkedIn users can follow to protect themselves against such spear phishing attempts:
- Avoid accepting an invitation to connect from someone you do not personally know.
- Scrutinize profiles to determine whether they are professionally written. Grammatical errors and/or significant gaps in time during academic or professional work history may be red flags.
- Copy a portion of the profile and paste it into LinkedIn’s search bar to see whether it was taken from another profile.
- If possible, verify certifications claimed on the profile.
- Conduct a reverse image search by hovering your mouse over the image, right click the mouse, copy the URL link of the photo, paste it into the reverse image search field within Google and observe all locations where this exact image appears on the internet. If it appears under the name of individuals other than the LinkedIn profile, this is a huge red flag.
LinkedIn can be an invaluable resource for networking amongst trusted professionals. The danger lies when we automatically trust everyone who reaches out to us. If we incorporate Verify, then Trust into our use of the LinkedIn platform, we can protect ourselves from most spear phishing attempts.