LinkedIn is a great platform for networking and building relationships with potential customers, partners, and suppliers.
However, as with any online service, LinkedIn is also a target for phishing attacks.
Cybercriminals are constantly evolving their methods in order to achieve their goals.
With phishing, the aim is to gather banking information, credit card numbers, or gain access to email addresses from users, which can be used in more advanced scams such as the notorious business email compromise scam.
Some phishing now includes sophisticated social engineering, and one of those ways that is highly successful is to abuse LinkedIn since many individuals use and rely on it for their jobs or professional connections.
In this blog, we will cover the different types of attacks that are targeting LinkedIn users and provide some tips on how to stay safe online.
Types of LinkedIn Phishing Attacks
Fake Profiles
On LinkedIn, users are encouraged to create and connect with one another on a professional level, and you would believe everyone has good intentions.
But, that’s not always the case. Fake profiles are common on social media platforms and LinkedIn is no exception.
What’s bad about fake LinkedIn members?
Phishing attackers have been known to establish a relationship with their targets through likes, comments, messages, and posts before asking for sensitive information.
And with the professional nature of LinkedIn, it’s easier to feel trusting of all profiles.
Pretending to Be LinkedIn
You may have noticed that LinkedIn sends a lot of emails if you use it.
Hackers have taken this to their advantage by sending phoney LinkedIn communications.
A typical scam that involves this sort of approach is a fraudulent email masquerading as LinkedIn’s administration team – this message may contain a hyperlink that requests more personal information.
When you visit the page, you may be taken to a fake LinkedIn website that resembles the real thing.
When you provide your email address and password, the scammers will get access to your credentials.
Inmail Scams
According to Krebs, malicious actors used stolen accounts of trusted users and other LinkedIn members to send out in-platform communications urging recipients to click on a link to view a Google Doc.
When the URL was clicked, the recipient was redirected to a phishing site with the intention of stealing their Google credentials – and this is more common than you might think.
If a scammer gains access to an employee’s credentials as a result of one of these attacks, they could use that initial break-in to access vital corporate data and/or compromise workers’ PII (personally identifiable information).
Tech Support
Of course, phishers don’t always need to impersonate a trusted user or coworker in order to attack LinkedIn users.
In certain cases, all they require is the pretext of the network’s technical support department. For example, in 2017, an employee at Tom’s Guide received an email titled: “Important User Alert” from “linkedIn[dot]customerservices[dot]us1@fsr[dot]net.”
This email informed recipients that someone with a different IP address on record had gotten access to their account, and that they risked losing privileges on the site unless they followed a suspicious link.
This attack demonstrates digital attackers’ predilection to masquerade as support personnel and contact users that way.
As LinkedIn advises, they do not offer a phone number for customer support; they wouldn’t charge a customer or ask for your password, therefore you should follow best security practices if something feels suspicious.
How to Detect LinkedIn Phishing
Because some phishing emails may seem very authentic, spotting LinkedIn phishing might be difficult.
So, how can you tell if someone is trying to deceive you on LinkedIn?
Firstly, take a close look at the sender information.
If it’s from LinkedIn’s administrative team, it must come from an email address @linkedin.com.
However, even if it does, it doesn’t mean the content is genuine.
So, look for any typos and misspellings in the subject line and main body of the email.
Also, if there are any links, and the URL takes you somewhere that is not linkedin.com – it’s phishing.
Secondly, if the email contains an attachment, again this is fake. LinkedIn does not send files, and if you open it, it could infect your whole computer.
That said, give it another try if you detect anything suspicious. Open your browser and go to LinkedIn the way you normally would if you suspect something. You can then inspect the user interface and deal with it safely.
How to Spot Fake Profiles on LinkedIn
First of all, check the profile properly: is there any weird information?
Then, go through their contacts or the number of contacts – if they don’t have that many, it could be a newly created profile for fraud.
Also, ask yourself if it makes sense for this person to contact you. If so, do they want to share files with you? Perhaps they could be making it seem urgent.
If at any point you feel wary and have doubts about the message, then don’t hesitate to give their company a call (if they’ve listed one) and ask for the person.
Here, they will a) confirm the person exists and b) get them on the phone and confirm that it was them who sent you the message.
Conclusion
Online social networks are a great way to meet new people.
But, like on any website, fraudsters search these sites for vulnerable individuals.
Keep an eye out for the con artists’ methods described above while developing your connections on LinkedIn.
Like other phishing attacks, LinkedIn phishing attempts can’t be stopped by technological solutions like firewalls and antimalware software.
This is due to the fact that these assaults rely on human mistakes rather than technological flaws.
As a result, businesses looking to avoid LinkedIn phishing assaults should concentrate on educating their employees about how to spot fake accounts, identify fraudulent ones, and report phoney profiles.
In the meantime, take a look at our LinkedIn Lead Generation service here.
