By Chris Ince, Information Security Consultant, Security Risk Management Ltd
LinkedIn recruiting scams are not a new threat to most. Many users of the professional network face this ever present gauntlet every day. Recently these have been targeting professional executives. The scams aim to socially engineer both professional and personal information as well as contact networks : specifically email address’ and telephone numbers.
There have been several reports from security vendors, F-secure, Dell Cyber Threat Intelligence (CPU) and Symantec SecureWorks regarding LinkedIn scams.
Most of the reported attacks have taken the format of posing as legitimate employers offering non-existent positions. Most utilise a combination of stock-image or other LinkedIn photos of women, with profiles copied and pasted from real professional accounts. This is often termed sockpuppet scams.
All of the reports offer a detailed analysis of the scams, as well as examples of scam profiles.
According to a separate Symantec report “The FBI estimates that the amount lost to BEC (Business Email Compromise) between October 2013 and August 2015 was over $1.2 billion. With such huge returns, it’s unlikely that these scams will cease any time soon.”
Assuming the information you publish on Twitter, Facebook etc is public (even if some is only to select people or groups) you should apply the same principle to LinkedIn. The upsurge in current scams will not be an issue as you will already be cautious with the information you share and how you respond to any requests.
For those that that don’t air on the side of caution “User education is the most effective means of protecting companies against BEC,” the researchers pointed out.
Have you educated all your employees on the threat of phishing and spear phishing emails? Please let SRM know if you’d like to discuss this further.