How LinkedIn can be used by a hacker, phisher, and for social engineering
- Phishing - A LinkedIn connection can see your email address (if you have made it visible to connections). Because the platform frames every contact as an established business relationship, you may be more inclined to open a message that appears to come from one. An attacker who has read your profile can tailor the lure: knowing your employer, role, projects and colleagues makes it much easier to write a legitimate-looking phishing email.
Phishing methods can include:
- People asking you for money who you don't know in person. This can include people asking you to send them money, cryptocurrency, or gift cards to receive a loan, prize, or other winnings.
- Job postings that sound too good to be true or that ask you to pay anything upfront. These include mystery shopper and personal assistant posts, and postings that impersonate a real company.
- Romantic messages or gestures, which are out of place on LinkedIn, can indicate a fraud attempt. This can include people using fake accounts to develop a personal relationship with the intent of eventually making financial requests.
- Compromised Data - In 2012 LinkedIn was breached and the email addresses and password hashes of roughly 117 million users were stolen; only about 6.5 million hashes surfaced at the time, and the full data set was offered for sale in 2016. The passwords had been stored as unsalted SHA-1 hashes, so most have since been cracked, and the resulting email/password pairs are still readily available on criminal forums. They remain useful to attackers because many people reuse the same password across sites; credential stuffing with reused passwords is one of the most common causes of account takeover and data breaches.
- Viewing all employees - A feature like 'see all employees' can help a criminal identify targets. In terms of what they do with this information, an attacker might use their knowledge of a company's structure to pose as someone's boss or colleague and trick them into sharing confidential information or clicking a malicious link.
- Viewing all connections - By reviewing an organization's many LinkedIn connections, a hacker can start to build a detailed picture of an organization's suppliers, technology providers and other third-party services. This can help them identify potential entry points within their target's technology stack e.g. their CRM, HR or payroll systems. An understanding of which technologies are in use can also help a hacker understand what security systems may be in place and, more importantly, which systems are vulnerable.
Furthermore, imagine the scenario in which an attacker cannot infiltrate their target directly. If resourceful enough, they may try to use LinkedIn to work out which suppliers and partners they use, in a bid to infiltrate them instead. It's easy to imagine a bank's marketing agency having more lax security than the bank itself, and that's exactly why they may end up an unwitting entry point to their client's network.
- New job posts offer insight into technology - When hiring for technical roles, particularly IT or system admin positions, LinkedIn job posts can reveal a lot of valuable data. This can include the technology underpinning critical business operations, for instance, which databases, operating systems, storage, and scripting languages are in use across the organization. For hackers, this is priceless information that can help them mount a successful attack.
Job ads can also reveal upcoming IT projects such as infrastructure upgrades, e.g. a move to a cloud service provider. Such projects can be a good entry point: security processes for the new environment may be immature, monitoring may not yet be tuned, and an intruder is harder to spot while the organization has no baseline of normal activity to compare against.
- Using curiosity to spread malware - LinkedIn shows members who has viewed their profile, and many people's first reaction to an unknown viewer is to open that viewer's profile to find out why. An attacker can exploit this by creating a fake profile, viewing the profiles of several targets, and placing a malicious link on the fake profile in the hope that a curious target clicks it. At that point LinkedIn is effectively a delivery mechanism for malware.
- Influencing Network and Reputation: A hacker might impersonate a trusted connection to spread misinformation or convince the victim's network to undertake certain actions. This could have harmful repercussions, damaging both personal and professional reputations. Such manipulation could even be used to negatively impact a company's stock price, cause internal disruption, or sway the opinion of shareholders.
- Misuse of InMail: LinkedIn's messaging system, including InMail, which lets Premium subscribers message members outside their own network, can be misused to send phishing links or malicious files. Because it is a direct line to the target, attackers can use it to trick users into revealing sensitive information, and people are often more inclined to trust a link received through LinkedIn than one arriving through a less familiar channel.
- Endorsements and Recommendations: Fake endorsements and recommendations can be used to build up a fraudulent profile's credibility. By having a well-constructed profile complete with endorsements, a hacker could gain trust more easily, which may lead to successful phishing or social engineering attacks.
- "Premium" Impersonation: Some hackers might go a step further and pay for a LinkedIn Premium account. The 'Premium' badge could give an additional layer of credibility to the hacker's profile, making their phishing or social engineering attacks more effective.
- Data Harvesting for Personalized Attacks: A more subtle way that LinkedIn can be used is for "data harvesting". This refers to the collection of information from a person's profile, such as their interests, job history, or connections. This information can be used to create highly personalized and convincing phishing or spear phishing attacks.
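One defensive use of the job-post observation above is to scan a draft advertisement before it is published. The following is an added example and not code from the original article: it flags product names, version numbers and roadmap phrasing in a job ad, rates the exposure, and produces a redacted copy that keeps the product names but drops the details an attacker would use to pick exploits. The technology catalogue, the regular expressions, the severity rules and the sample advertisement are constructed assumptions for illustration.

```python
"""Pre-publication scan of a job advertisement for technology disclosures.

Added example, not code from the original article. The term catalogue,
severity rules and SAMPLE_POST are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed catalogue of products an attacker would recognise in a job ad;
# extend it with whatever your organisation actually runs.
TECH_TERMS = {
    "database": ["Oracle", "MySQL", "PostgreSQL", "SQL Server", "MongoDB"],
    "os": ["Windows Server", "RHEL", "Ubuntu", "CentOS"],
    "identity": ["Active Directory", "Azure AD", "Okta"],
    "security": ["Palo Alto", "CrowdStrike", "Splunk", "Fortinet"],
    "cloud": ["AWS", "Azure", "GCP"],
    "scripting": ["PowerShell", "Python", "Bash"],
}

# Optional version token right after a product name: "2012 R2", "12c", "9.6", "v3".
_VERSION = r"(?:\s+(?:v|version\s*)?(\d+(?:\.\d+)*[a-z]?(?:\s+R2)?))?"

# Roadmap phrasing: the clause after a migration/upgrade verb, up to the sentence end.
_PROJECT = re.compile(
    r"\b(?:migrat\w*|upgrad\w*|moving|transition\w*|roll(?:ing)?[- ]?out)\b[^.\n]{0,80}",
    re.IGNORECASE,
)

@dataclass(frozen=True)
class Finding:
    category: str            # catalogue category, or "project" for roadmap phrasing
    term: str                # product name, or the roadmap clause
    version: Optional[str]   # version token if one followed the product name
    start: int               # offsets into the scanned text, used for redaction
    end: int

def scan_job_post(text: str) -> list[Finding]:
    """Return every product/version mention and roadmap clause, in text order."""
    findings: list[Finding] = []
    taken: list[tuple[int, int]] = []
    # Longest names first so "Azure AD" wins over "Azure" at the same position.
    terms = sorted(
        ((cat, t) for cat, names in TECH_TERMS.items() for t in names),
        key=lambda ct: -len(ct[1]),
    )
    for category, term in terms:
        pattern = re.compile(rf"\b{re.escape(term)}\b{_VERSION}", re.IGNORECASE)
        for m in pattern.finditer(text):
            span = (m.start(), m.start() + len(term))
            if any(s < span[1] and span[0] < e for s, e in taken):
                continue  # already covered by a longer product name
            taken.append(span)
            findings.append(Finding(category, term, m.group(1), m.start(), m.end()))
    for m in _PROJECT.finditer(text):
        findings.append(Finding("project", m.group(0).strip(), None, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)

def rate(findings: list[Finding]) -> str:
    """Exact versions let an attacker pick matching exploits, so they rate highest."""
    if any(f.version for f in findings):
        return "high"
    if sum(f.category != "project" for f in findings) >= 3:
        return "medium"
    return "low"

def redact(text: str, findings: list[Finding]) -> str:
    """Strip version tokens and roadmap clauses while keeping the product names."""
    spans = [(f.start, f.end, f"{f.term} [version removed]") for f in findings if f.version]
    spans += [(f.start, f.end, "[roadmap detail removed]") for f in findings if f.category == "project"]
    # Drop a span nested inside a larger one so the offsets stay valid while editing.
    spans = [s for s in spans if not any(o is not s and o[0] <= s[0] and s[1] <= o[1] for o in spans)]
    for start, end, replacement in sorted(spans, reverse=True):  # right to left
        text = text[:start] + replacement + text[end:]
    return text

# Constructed sample advertisement; not a real posting.
SAMPLE_POST = (
    "Senior Systems Administrator (constructed sample posting). "
    "You will maintain our Windows Server 2012 R2 estate, Active Directory and Oracle 12c databases, "
    "and support our PostgreSQL 9.6 reporting cluster. "
    "We are migrating our on-prem file services to AWS over the next two quarters. "
    "Experience with Palo Alto firewalls, Splunk and PowerShell scripting is essential."
)

if __name__ == "__main__":
    found = scan_job_post(SAMPLE_POST)
    for f in found:
        print(f"{f.category:10} {f.term!r} version={f.version}")
    print("exposure:", rate(found))
    print(redact(SAMPLE_POST, found))
```

Run against the sample, the scan reports three exact versions and one migration clause, rates the ad "high", and the redacted copy still names the products (recruiters need that) but drops the versions and the roadmap sentence, which brings the rating down to "medium". A real deployment would wire this into the HR publishing workflow and keep the catalogue in sync with the asset inventory.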
Precautions to keep you safer
LinkedIn users need to understand the value of their data, be more guarded when posting and viewing content online, and always be aware of the cybersecurity threat. Hackers are out there; they are smart, organized, and resourceful, and they won't think twice about using a service like LinkedIn to get to their target – which could easily be you.
Don't accept LinkedIn connections from:
- People you don't know or know of: You should avoid accepting connection requests from people you have no familiarity with. If you don't recognize the person or their professional credentials, it's safer not to engage, as they may be spammers or malicious actors. It's particularly advisable to avoid connecting with people from industries or regions completely unrelated to your professional sphere.
- People who are not at least a second- or third-degree connection: On LinkedIn, a second-degree connection is a connection of your connection (i.e., a "friend of a friend"), and a third-degree connection is a connection of a second-degree connection. If someone is not at least a second- or third-degree connection, you share no mutual connections, which indicates higher risk. Mutual connections act as a kind of "vouching" system, since it is less likely (though not impossible) that a scammer or spammer is connected to someone you trust.
- People who have no trusted connections: This point is similar to the previous one. If you get a request from someone who is not connected to any individuals you trust or recognize, it's safer to ignore it. Trusted connections are usually colleagues, friends, or industry professionals whose judgment you trust. If the requester is not connected to anyone in your trusted network, it's more likely they could be a malicious actor.
- People with very few connections: LinkedIn is a professional networking platform, and most genuine users will have a decent number of connections (usually 100 or more) built up over time. If you receive a request from someone with only a few connections, this could be a red flag. It's possible that this is a new account, but it could also be a fake profile. Hackers or spammers often create fake accounts and send out mass connection requests, and these accounts will typically have very few connections.
- Incomplete Profiles: These might not necessarily be dangerous, but profiles lacking a profile picture, details about their current position, or other basic information could indicate a spam or fake account. Be wary if they have no visible activity such as likes, comments, or posts.
- Profiles with Multiple Spelling or Grammar Errors: While everyone can make occasional typos, a profile riddled with errors might be a red flag. This could potentially be a hastily created account with the intention of spamming or scamming.
- Profiles with Generic Job Titles: Be cautious of profiles with overly generic job titles such as "freelancer" or "self-employed," especially if the rest of the profile lacks specific details. These could be bots or people trying to appear legitimate.
- Connections Requesting Confidential Information: No legitimate LinkedIn connection should ever ask you to disclose confidential information, such as credit card details, bank account numbers, social security numbers, etc. Do not accept or maintain connections that request this type of information.
- Profiles with a Rapidly Changing Job History: If a profile shows the person changing jobs every few months, this could be a red flag. It's especially concerning if these job changes span across diverse fields, which might indicate that the account holder is fabricating their job history.
- Profiles that Seem Too Good to be True: If a profile seems exaggerated or too good to be true, treat it with caution. Examples could include an unusually high-ranking position for a young age, endorsements from extremely high-profile individuals, or credentials from prestigious institutions without corresponding details or evidence.
- Unsolicited Contact with Job Offers: Be wary of unsolicited connection requests that immediately follow up with a job offer, especially if the offer seems too good to be true. Scammers may use this approach to convince you to click on a malicious link or provide personal information.
How to research LinkedIn
While some of these things may also be a result of a poorly written profile rather than a fake one, you are looking for patterns. If you see any red flags, then you will want to use their content and network to verify further.
- Start with the profile itself. LinkedIn's "About this profile" panel shows "when a profile was created and last updated" and "whether the member has verified a phone number and/or work email associated with their account." A profile created only days ago, or one with no verification at all, deserves closer scrutiny, so check this panel as part of your screening process.
- Take a second to ensure that the LinkedIn profile really belongs to the person it says it does. Check to see if you have mutual connections on LinkedIn and, if you do, reach out to those individuals to verify.
- When in doubt, use Google's “Search By Image” feature to see if the photo is of the person it says it is. Often fake profiles feature photos from ads or of models.
- Check periodically to make sure no one's opened an account in your name, or in a common variant on your name.
- If you see profiles, messages or content that look suspicious, report them to LinkedIn.
Content Test
Profiles are created once, but content is harder and more time intensive to fake. Scroll through their recent posts and history to look for these dead giveaways.
- Are they posting regularly?
- Do they write a post with their content, or do they only share links without any further information?
- Do their posts have responses and do they engage with those responses?
- Are there any other comments they have written on other people’s posts?
- Have they sent you information with overly personal or formal language? (Such as “Hello my dear” or “Dear Sir or Ma’am”)
Network Test
The final area you can check on a LinkedIn profile is their network.
- Do they have under 100 total connections?
- Does the profile have any followers in addition to connections?
- Are there some LinkedIn recommendations written, and do they seem genuine and relevant to the rest of the profile?
- Do you have any mutual shared connections?
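The red flags listed under "Don't accept LinkedIn connections from" and the profile, content and network tests above can be encoded as a triage score, for example when a security team receives employee reports of suspicious connection requests and wants a consistent first pass. The following is an added example and not code from the original article: the two profile records, the regular expressions and the weights are constructed assumptions, and the field names mirror what a reviewer can read off the profile page and the "About this profile" panel rather than any LinkedIn API.

```python
"""Triage score for a LinkedIn profile against the article's red flags.

Added example, not code from the original article. Field names, weights,
regexes and the two sample profiles are constructed assumptions.
"""
import re
from datetime import date
from statistics import median

GENERIC_TITLE = re.compile(r"\b(freelancer|self[- ]employed|entrepreneur|investor)\b", re.I)
ODD_GREETING = re.compile(r"\b(hello my dear|dear sir or ma'?am|dear sir/madam|dearest)\b", re.I)
CONFIDENTIAL = re.compile(r"\b(bank account|credit card|social security|passport|password|gift card|wire transfer)\b", re.I)

def months_between(start: date, end: date) -> int:
    return (end.year - start.year) * 12 + end.month - start.month

def score_profile(p: dict, today: date) -> tuple[int, list[str]]:
    """Return (score, reasons). Weights are assumptions; tune them against your own reports."""
    hits: list[tuple[int, str]] = []

    # Profile test: "About this profile" panel, photo, headline, job history
    age_days = (today - p["created"]).days
    if age_days < 90:
        hits.append((2, f"account created {age_days} days ago"))
    if not (p["verified_phone"] or p["verified_work_email"]):
        hits.append((1, "no verified phone or work email"))
    if not p["has_photo"]:
        hits.append((1, "no profile photo"))
    if GENERIC_TITLE.search(p["headline"]) and len(p["positions"]) < 2:
        hits.append((1, "generic headline with no supporting history"))
    tenures = [months_between(start, end or today) for _, _, start, end in p["positions"]]
    if len(tenures) >= 3 and median(tenures) < 6:
        hits.append((2, f"median job tenure {median(tenures)} months"))

    # Content test: posting cadence, bare links, engagement
    posts = p["posts"]
    if not posts:
        hits.append((2, "no posts at all"))
    else:
        if not any((today - x["date"]).days <= 90 for x in posts):
            hits.append((1, "no posts in the last 90 days"))
        link_only = sum(x["link_only"] for x in posts) / len(posts)
        if link_only >= 0.8:
            hits.append((2, f"{link_only:.0%} of posts are bare links"))
        if not any(x["replied"] for x in posts):
            hits.append((1, "never replies to comments on own posts"))
    if p["comments_on_others"] == 0:
        hits.append((1, "no comments on other people's posts"))

    # Network test
    if p["connections"] < 100:
        hits.append((2, f"only {p['connections']} connections"))
    if p["followers"] <= p["connections"]:
        hits.append((1, "no followers beyond connections"))
    if p["mutual_connections"] == 0:
        hits.append((2, "no mutual connections"))
    if p["recommendations"] == 0:
        hits.append((1, "no recommendations"))

    # First message: odd register, or a request for confidential information
    msg = p.get("first_message", "")
    if ODD_GREETING.search(msg):
        hits.append((2, "overly personal or formal greeting"))
    if CONFIDENTIAL.search(msg):
        hits.append((5, "asks for confidential information"))

    return sum(w for w, _ in hits), [reason for _, reason in hits]

def verdict(score: int) -> str:
    if score >= 8:
        return "likely fake: decline and report"
    if score >= 4:
        return "verify through a mutual connection before accepting"
    return "no obvious red flags"

TODAY = date(2024, 6, 1)  # fixed date so the sample scores are reproducible

# Constructed sample records; neither describes a real LinkedIn member.
SUSPECT = {
    "created": date(2024, 4, 20), "verified_phone": False, "verified_work_email": False,
    "has_photo": True, "headline": "Freelancer | Investor | Talent Partner",
    "positions": [("Recruiter", "Acme Talent", date(2024, 1, 1), None),
                  ("Sales Lead", "Bright Logistics", date(2023, 8, 1), date(2023, 12, 1)),
                  ("Analyst", "Nova Mining", date(2023, 4, 1), date(2023, 7, 1))],
    "posts": [{"date": date(2024, 5, 25), "link_only": True, "replied": False},
              {"date": date(2024, 5, 26), "link_only": True, "replied": False}],
    "comments_on_others": 0, "connections": 37, "followers": 37,
    "mutual_connections": 0, "recommendations": 0,
    "first_message": "Hello my dear, I have an opportunity for you. Send your bank account details to receive the funds.",
}
GENUINE = {
    "created": date(2015, 3, 2), "verified_phone": True, "verified_work_email": False,
    "has_photo": True, "headline": "Security Engineer at Example Corp",
    "positions": [("Security Engineer", "Example Corp", date(2021, 9, 1), None),
                  ("SOC Analyst", "Example Corp", date(2018, 2, 1), date(2021, 8, 31))],
    "posts": [{"date": date(2024, 5, 10), "link_only": False, "replied": True},
              {"date": date(2024, 3, 2), "link_only": True, "replied": False}],
    "comments_on_others": 14, "connections": 540, "followers": 610,
    "mutual_connections": 6, "recommendations": 3,
    "first_message": "Hi, we met at the BSides conference last month. Happy to connect?",
}
```

The request for bank details carries the heaviest weight on its own, matching the article's point that no legitimate connection asks for confidential information; the other signals are individually weak (a new, thin profile can be a genuine new joiner) and only add up to a verdict in combination. Calling `score_profile(SUSPECT, TODAY)` returns a score of 22 with every check tripped, while `GENUINE` scores 0.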
Protecting Your Account and Identity
Spotting the fakes is a good first step, but you also want to protect your data and information. Your online reputation and connections are valuable business assets and should be treated as such.
If you are not already, make sure that you are regularly downloading your data and information from LinkedIn. This can help you in case you do ever have a security breach. But there are things you can do to keep that from happening in the first place.
- Use a strong password that is unique to LinkedIn, ideally generated and stored by a password manager, so that a breach elsewhere cannot be replayed against your account.
- Regularly review your privacy and security settings.
- Turn on two-factor authentication for your logins, preferably with an authenticator app rather than SMS codes, which can be intercepted through SIM swapping.
- Periodically do a reverse image search with your own profile picture to see if it shows up in places it shouldn’t.
- Set up a Google Alert for your name.
- Check the list of active sessions ("Where you're signed in" under Sign in & security) to ensure your account isn't being accessed by a third party without your permission, and sign out of any session you don't recognize.
- Make it a quarterly habit to review your profile and update it.
- Keep your own account active. When you don’t, you could look like a bot.
How to report abuse
- Look for the three dots in the upper right corner, click report, and select the best option that describes your concerns. You can also contact LinkedIn's customer service team directly through the Help Center.