A recent survey, reported in SC Magazine, found that 24% of surveyed LinkedIn users have connected with people they didn’t know on the professional social network, despite LinkedIn’s repeated warnings not to do so. Why is this an issue?
Because LinkedIn can be a vector for spear-phishing and other types of attacks.
Never thought of it that way? Neither had the 69% of survey respondents who hadn’t considered that some of the people they’d connected with via LinkedIn might not actually be real people. The results of this survey are worrying, and it’s time to review some good LinkedIn security practices.
Not Always So Professional
While the majority of interactions that take place on LinkedIn are professional in nature — making connections, finding mentors, looking for jobs — it can also be used as a platform to launch attacks against unsuspecting victims. LinkedIn works well for this partly because users tend to let their guard down there. If you got a direct message on Twitter with a job offer, you’d be immediately suspicious. But if you got one on LinkedIn, you might be intrigued enough to look into it.
Many people don’t place a whole lot of faith in strangers on Facebook and Twitter, and for good reason; there’s no way to know who they actually are. The same is true on LinkedIn, but because it’s seen as a professional network, the number of connections a person has can be perceived as a measure of their reputation or legitimacy, especially if that person is connected to people you know. When you think about it, this doesn’t make much sense: if you’re connecting with people you don’t know, why wouldn’t your colleagues and connections be doing the same?
This easy mistake seems relatively harmless, but it could be very damaging if the person you’re connecting with is a scammer or malware distributor.
How You Can Be Attacked on LinkedIn
There are a number of ways you could potentially be victimized on LinkedIn, and some are more likely to show up than others. LinkedIn is an attractive platform for highly targeted social engineering and spear-phishing attacks, because users post so much information about themselves that’s available to their connections. Job history, education, organizations you’re part of, people you know, and a lot of other personal information is encouraged on LinkedIn, and all of it can be used to target you for an attack.
Of course, as with most emails and messages, there’s always the possibility of being sent a malicious link that will download malware to your computer. All it takes is one click and the right (or wrong) browser security settings, and your computer could be hit.
More platform-specific threats are also present. For example, you might receive a message saying you’ve been selected for a year of free LinkedIn Premium; it could include a username and password box for you to fill out to receive your free upgrade. But when you enter that information, it is sent straight back to the sender, delivering your login credentials to a complete stranger. A scammer.
Other scammers will encourage you to get in touch with them outside of LinkedIn, potentially leaving you open to email-based attacks that could result in you giving up valuable personal information.
Staying Safe on LinkedIn
Obviously, the best thing you can do is to never connect with someone you don’t know, but that may not be an optimal strategy for you. Maybe you try to make connections within your field, or you’re looking to get in touch with someone at a specific company, and you want to use LinkedIn to do it.
If you do decide to connect with someone you don’t know, it pays to do your research. Look closely at their profile and see if they look like a legitimate professional. If their profile is full of irrelevant information and spelling errors, you should deny the request. If anything just looks off, don’t connect.
Once you’ve decided to connect with someone, you may want to do a bit of research outside of LinkedIn first. Go to your potential contact’s employer’s website and see if they’re in the staff list. Google their name to see if it’s one that’s been associated with scams in the past. See if you can find social profiles on other networks and if they show any warning signs.
If you’re communicating with someone and they ask for your email address, or for a way to get in touch with you outside of the LinkedIn messaging system, be very careful about agreeing. In some cases, it might be necessary or a good idea, but don’t just give out your contact information to anyone who asks. Remember, that’s the first step in a targeted spear-phishing or social engineering attack.
It’s also a good idea to update your privacy settings. For example, you may not want to share your list of connections with everyone, as that can be valuable information for an attack. Many of the other settings in the Privacy tab can also be optimized for increased security by reducing the amount of information you share.
In general, you’ll just want to follow the standard security and privacy practices that we recommend for email when you’re dealing with InMail. Don’t give out any more information than you absolutely need to, make sure you know who you’re in contact with, and always be a little suspicious. If you keep those tips in mind, you’ll be fine.
Use Common Sense
No matter how you use LinkedIn, you can almost certainly make it a little more secure by using some common sense and remembering that LinkedIn, like any other social network, can be used for spear-phishing and social engineering attacks. You probably won’t be targeted, but why take the chance? Be a little more discerning about who you connect with, and you’ll be much safer.
Are you worried about scammers on LinkedIn? Or do you connect with anyone who sends you a request? We want to hear about it in the comments below!