With over 722 million subscribers, it’s safe to say that most professionals use LinkedIn in some form, whether job hunting, networking, recruiting, or promoting a business. However, the same features that make the platform so popular and accessible make LinkedIn a significant security challenge.
Criminals create false LinkedIn profiles to perform social engineering attacks against unsuspecting individuals and businesses. They are targeting employees to trick them into revealing sensitive information.
Using a technique called phishing, they can succeed in acquiring private email addresses, banking information, and login credentials to critical company accounts. Or they may gather the information they need to execute subsequent attacks on the targeted company.
What Is Phishing?
Phishing is a scam in which cybercriminal gangs send fake messages via email or text messages that appear to be from a legitimate source. Typically, these messages direct recipients to a phoney website that captures their personal information. Sometimes the message contains a malicious attachment rather than a link to infect the user’s device.
A phishing attack aims to extract sensitive information from victims like personal details, financial information, login credentials, or other sensitive business data. This type of attack often also installs ransomware via malware on the user device, spreading beyond the host device and onto the network it’s connected to.
Phishing Growth On LinkedIn
Phishing attacks target millions of individuals and organisations each day. While there are many types of phishing attacks, most have a broad audience and are deployed to thousands of email addresses at a time.
In some cases, however, phishing is more precisely targeted toward professionals with active profiles on LinkedIn who may be in the job market; this is often called spear-phishing or whaling.
These phishing messages come in the form of fake job offers via email, LinkedIn’s InMail, or the chat messaging system. The hacker sends these phoney offers through equally fake profiles, posing as a recruiter or HR employee from a known company.
LinkedIn Phishing Emails
Criminals are impersonating LinkedIn members through phishing emails, sending what seems like legitimate inquiries about job offers or other networking opportunities.
LinkedIn phishing attacks have increased by over 20% since the beginning of 2022. Cybercriminals use phoney profiles to socially engineer victims to give away sensitive information or defer them to a fraudulent website.
Such phishing campaigns are successful because we are accustomed to receiving emails from LinkedIn with subject lines about our profiles appearing in searches, messages from other members, or jobs that match our profiles.
Cybercriminals use webmail addresses with LinkedIn display names to send fake emails with the same subject lines. They even incorporate the LinkedIn logo, icons, and brand colours. The sender poses as someone from an established organisation to be even more convincing.
LinkedIn Fake Profiles
It’s estimated that thousands of fake LinkedIn profiles are generated and run by Artificial Intelligence (AI). Sometimes, these profiles are marketing tools deployed to drum up interest in legitimate companies.
The AI-driven profile contacts prospective professionals. If any respond, a salesperson takes over the conversation. Some businesses that use fake profiles state that they contracted outside marketers to expand sales. One advantage to using fake profiles is that it allows an organisation a workaround to LinkedIn’s organic messaging limits.
Yet, companies are using this tactic even though it goes against LinkedIn’s policy that every profile must represent an actual individual. While LinkedIn’s technical teams devote time to removing fake profiles, many are slipping through their filtering criteria.
Fake LinkedIn Chat Messages
Sometimes, hackers gain access to legitimate accounts and send phishing chat messages to the hacked account user’s connections. The account owners often find themselves locked out of their accounts as the threat agents to their work.
Because the messages appear to be from known connections, the recipients often click on the links without suspicion. After all, the message comes from a known account, and victims don’t realise that a hacker has taken over that account.
Before you click on any links, consider whether your connection would actually send you a message like this. You may want to contact them through another channel to verify the chat message, and you’ve saved yourself a possible malware attack if your suspicions are confirmed.
LinkedIn Chat Generator
In addition to tailored phishing messages, some hackers can use a LinkedIn chat generator designed to mimic legitimate LinkedIn accounts to “prank” other LinkedIn members. Using this tool, a person can generate a fake LinkedIn profile and send bogus messages to others.
The tool’s authors say this is for personal use to play jokes on “your friends.” Let’s not kid ourselves; they are really designed for malicious phishing attacks because the message can contain a malicious link or attachment.
Of course, the contact information associated with the fake profile is also phoney, which means you won’t be able to identify the person contacting you.
LinkedIn Fake Job Offers
The focus of the LinkedIn social engineering scams usually revolves around fake job offers. The scam involves the criminal agent creating a fake profile, posing as a recruiter or senior member of management in a hiring company, and offering users a job.
These fake profiles are populated with more fake connections, so they seem legitimate. From there, they may attract additional connections, establishing a false legitimacy that builds trust. This leads users to think the job offer is genuine.
The scammer often attempts to build rapport with their victims by sending friendly, introductory LinkedIn messages. They establish a relationship and build trust before proceeding to the next step: making a job offer.
Once the LinkedIn user responds wanting more information or even accepting the job offer, the scammer’s next step is to employ phishing methods to acquire data from the victim.
Many times, the victim receives a document file containing the job description. Of course, the document may be infected with spyware or malware that executes when opened. More often, the file includes a link to the company’s supposed payroll department, which is an effective way of circumventing antivirus software.
If the recipient clicks on the link, they are taken to a website set up by the scammer that collects account details that the victims believe are for payroll functions.
Job Phishing
After investigating for a year, BBC released its report in March 2022. (https://www.bbc.co.uk/news/uk-60387324) The investigation centred around a company called Madbird, which purported to be a rising design agency with a charismatic CEO named Ali Ayed.
Using LinkedIn to extend fake job offers is a form of job phishing, which is a phishing scam aimed directly at job seekers. Job phishing scams vary. Often, scammers post fake jobs on job boards like Indeed or ZipRecruiter.
Eager job seekers are willing to provide personal information, and because the job ads are posted to legitimate sites, people assume they come from legitimate sources.
Due to recent technological advances, job scamming is more lucrative than ever and a favourite form of phishing for cybercriminals. It’s too easy to spoof legitimate websites and create fake recruiter profiles to make the scam seem legitimate.
Cybercriminals impersonate professionals, including recruiters, human resources personnel, talent acquisition, and management. As we have already learned, the scams are embedded in more than just job boards; they also funnel through social media sites like Facebook and LinkedIn.
5 Ways to Stay Safe on LinkedIn
As an employer or prospective job seeker, you can keep some practical things in mind to stay safer on the LinkedIn platform.
1. Never give financial information to a LinkedIn user.
A legitimate employer will never ask for financial information through LinkedIn as that would be handled during orientation via the company HR department.
Also, you should never send money to another user for any reason, job-related or otherwise. LinkedIn is designed for networking, not commerce. Be suspicious of any requests for money through LinkedIn messaging or InMail.
2. Question all job offers.
Few legitimate recruiters or hiring companies will use LinkedIn to make a job offer. Any job offers that seem too good to be true probably are. The same goes for flashy messages about jobs that seem too generic, such as “We’ve reviewed your profile and think you are a perfect match for our company.” Most importantly, any links embedded in the messages are likely malicious.
3. Review Your Contact Information On Your LinkedIn Profile.
A potential employer does not need to know your phone number or street address unless they want to hire you. During the onboarding process, they will ask this in person or through their official website, not on LinkedIn.
4. Verify the identities of LinkedIn users before connecting.
Anyone can create a LinkedIn profile and don’t have to prove their information is correct. So, please do your due diligence and verify their identities. If you are messaging them, ask for more information or perform your own Google.
5. Report suspicious LinkedIn users.
If you encounter a user sending you unwanted messages or running an apparent scam, report them to LinkedIn. You need to contact LinkedIn and point them toward the potential scammer or questionable content.
Conclusion
LinkedIn remains one of the best networking sites for professionals and employers. As a LinkedIn user, you must be aware of scammers exploiting the platform for job phishing scams. Employers should also advocate for special training on spotting fake LinkedIn profiles and job scams as part of your cyber security training.
Both employees and employers can learn to protect their LinkedIn accounts to avoid falling victim to dangerous phishing scams.
From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.
Further Technology Articles
How Machine Learning can Enhance your Cybersecurity
Five Ways to Bring your Security Posture up to Speed
What you can do to lock down your weak links
