Why LinkedIn Users Need to Be Aware and Beware!
A recent article in Symantic’s Official Blog (Symantic makes Norton Antivirus software and other security tools), confirmed a new series of fake accounts on LinkedIn which show increased sophistication from the more “traditional” fake accounts on the site.
The new crop of fakes repeat certain patterns:
- Their profiles often state they are recruiters (which gives them greater leeway to communicate with strangers).
- They usually (but not exclusively) use photos of women on the profiles, gathered either from stock photo sites or stolen from other LinkedIn users.
- Their profiles use language cut and pasted from real LinkedIn accounts, making them sound more authentic than most fake accounts.
- Their profiles are stuffed with keywords to show up in more LinkedIn search results.
Other reports confirm that these scammers are creating multiple fake accounts, not just single ones. Once they create a group of fake accounts, they can send requests to link to each other, click on endorsements back and forth, and even send recommendations. As these fakers also invite real LinkedIn members to connect, they examine their new connections’ connections to send more invitations, too.
In October, Dell Secureworks’s Counter Threat Unit™ publicly announced their discovery of an Iran-based “threat group” active on LinkedIn, which built on many of the above techniques. This report divided the profiles into “Leader personas” which have complete profiles, photos, endorsements, sometimes more than 500 connections; and “Support personas” with much less developed profiles used to link to and endorse the Leader’s personas. In this case, the profiles posed as aeronautics, telecommunications and human resource professionals and had successfully connected with over 200 telecommunications and aeronautics professionals in the Middle East and elsewhere in Asia. Those posing as HR pros even posted job openings (copied from real job announcements) to attract new connections and gather résumés and applications.
The Dell investigators also observed the spy ring changing the identities of some profiles, adding new photos, job titles and history, while maintaining all the original endorsements and connections. Again, a sophistication that you don’t see in the day-to-day fake LinkedIn accounts.
Added, 12/14/2015 at 11:59 pm:
If you like your spy news more current, while this post was being posted, reports have surfaced that a few copies of the Islamic State’s online magazine, Dabiq, have been uploaded to LinkedIn, including copies using LinkedIn’s own SlideShare application. An anonymous LinkedIn spokesperson reported the copies, links and persons involved have been removed from LinkedIn, also noting that ISIS promotion and propaganda (on top of being revolting to all civilized people, nations and religions) is against LinkedIn’s Terms of Service. Nevertheless, reports say that ISIS-related profiles do pop up from time to time.
Online discussions have also referred to another reason for creating fake LinkedIn accounts: to create evidence that a fake account elsewhere (say on a dating site) is real, by pointing to LinkedIn, Twitter and Facebook accounts for the same faker. This shows an evolving sophistication in how malefactors are using social media to make their online personas look more real.
Hackers who want to find a way to enter a corporate account may actively look for employees of that company who may have weak passwords or could host some invasive computer code on their computer. Since LinkedIn lists the current employers for most of its members, its a target-rich field.
Why do they do this?
Many simply are gathering email addresses. Some may just want to sell your address to spammers. But bigger money is in a completely different sphere.
With your email address, hackers can create Spear phishing attacks. Unlike real-life spearfishing, where a diver or swimmer attacks an innocent fish, a spear phisher’s target is YOU. This is done by sending an email to your account which appears to be from a person or company you do business with. Another variation is to be somebody who claims your friend or associate recommended you to them.
A popular ruse is to pretend to be your credit card company or your bank saying you need to take immediate action to prevent something awful from happening (like closing your account). What are they looking for? It could be bank account info, credit card numbers, passwords, or your social security number. (And, of course, money.) With that, and a copy of your résumé and/or the info on your LinkedIn profile, a hacker now has all the info they need to create a fake identity in your name, charge your credit card or bank, steal your federal income tax refund, or create an entirely new identity.
Another strategy is to post a link in an email which, if clicked, has your computer download some malicious software.
Don’t think spear phishing is a serious threat? The FBI does!
Be aware that banks, credit card companies, your phone company, and your email provider will never ask you for your password or account number online. Your safe-computing strategy should also include an anti-virus / anti-malware program on your computer or device to monitor anything you download, intentionally or not.
On LinkedIn, if you connect to a fake account, the person behind that account has access to your LinkedIn profile, your email address, and other contact info. If they pose as a recruiter, they may also plausibly ask you for a copy of your résumé (which gives them your history) and your social security number.
Even without asking for a résumé or posing as a recruiter, you have given them access to your LinkedIn network plus your education and employment history. This may be more info than they can get from your Twitter, Facebook or other social media, making LinkedIn a better info source for hackers.
Eleven Ways to Protect Yourself from Fake LinkedIn Accounts
- Don’t automatically accept an invitation unless you really know the person, especially if they send the automatic, generic LinkedIn invitation.
- Check their profile.
- Does the info on their profile make sense? Or do they have an law degree from Harvard and then suddenly become CFO of a major corporation.
- Which schools did they attend? Most fake accounts (for Americans) prefer Ivy League East Coast and high tech West Coast schools. You probably won’t see Oberlin College or University of Kentucky on many fake accounts.
- Does the career path match the education?
- Check their photo. If they look good enough to be a model, maybe they really are and the photo was stolen from the web or a stock photo service. Use a photo image search tool such as TinEye or Google Image Search to see if the photo is used elsewhere. (See below.)
- Spelling and grammar counts, including their name.
- Send a message back before accepting the invitation. Ask them where you met or why they want to connect. If they don’t respond back, ditch the invitation. Even if they were a real person, why connect with somebody who doesn’t have the social skills to answer a simple LinkedIn message?
- If they say they are a recruiter, ask which companies they recruit for, what is their website, what is their specialty. Never give out your Social Security Number, unless you get a job offer in writing. If they insist on getting your SSN or other private info before an interview, ditch them unless you are sure they’re a legitimate recruiter (and that the company they’re hiring for is also legit).
- If you’re still not sure, call them and talk to them. Ask for references.
- If you think a profile is a fake one, report it to LinkedIn.
The days where you could be an indiscriminate LinkedIn open networker and safely accept all invitations are over. I’ve received invitations from profiles I’m sure are fakes and I often find open connectors I know who have already connected with them. Even if you are not concerned with your own security, have enough respect for your connections that you don’t want to put them at risk, too.
How many fake accounts are there on LinkedIn? Nobody knows and LinkedIn isn’t telling. Even if it’s a lowball 1% figure, with 400 million members that’s still a sizeable 4 million fake accounts.
In spite of these scammers, on the street LinkedIn has a reputation for being one of the better services as far as security issues are concerned. They also have competent legal counsel to go after people who create these fake accounts.
The overwhelming number of the people using LinkedIn are legitimate businesspeople, job hunters, recruiters, and the like. Be smart and just a little bit skeptical with strangers, and you can network, promote, sell and get work safely.