LinkedIn’s popularity in Singapore cannot be denied. It currently has more than 2.6 million Singaporean members, which accounts for more than 40 percent of the country’s population, and it is regarded as one of the largest web-based social networks for maintaining existing business. The success of the network relies on business leaders building relationships by sharing personal information, such as a resume with details of career stages, education, special interests and a personal photo. But by doing so, users unintentionally provide a selection of personal and sensitive information that criminals can use to their advantage.
Criminals benefit from the high level of trust associated with LinkedIn to launch malicious attacks on users. In its Q2 Phishing Report, KnowBe4 found that 42 percent of social-media related subject lines in phishing emails contained the term 'LinkedIn'. As a rule, phishing emails contain malicious links which, when clicked, lead to fake websites through which further private data of the victim can be stolen. These phishing emails are currently the most popular method of attack.
The method is always similar: the attackers send unsuspecting users fake messages that look deceptively similar to real LinkedIn notifications because they carry the official name and company logo. This way, fake messages with the subject 'LinkedIn' land in the inbox alongside real ones. These attacks succeed not only because the design is convincing, but also because they are personalized and tailored to the target.
Phishing in a crowded pond
Social media is a popular target for cyber criminals because it offers them enormous opportunities. Social networks are concentrated places with masses of users, so there is a great chance of success, and an infection can easily spread across a network. Social media is made for that.
Moreover, there are countless ways to deliver an infection. Status updates, posts, add-ons or plug-ins can all be used to deliver malware. And for certain data, not much technical knowledge is needed to perform a hack. For example, an attacker who is only concerned with the victim's contacts can simply use a fake profile. There are cases where hackers have created very convincing profiles that are almost indistinguishable from real ones.
LinkedIn users are extra attractive targets, because many people (especially sales employees) have accounts linked to their business email addresses. It is therefore alarming that phishing emails with LinkedIn in their subject line score so well.
People click on LinkedIn mail alerts so easily because they associate LinkedIn with their work and career. Mail alerts from the social network are therefore considered urgent and important. A request to connect with you on LinkedIn can be a business opportunity. That makes the temptation to click through strong.
How to avoid falling victim
LinkedIn is too good a platform to ignore. Make good use of it. But email from LinkedIn deserves the same careful treatment as any other email, no matter how much you would like to view its content, so cast an extra critical eye over it before you click. Here are a few simple questions that you can use to evaluate a LinkedIn email:
- Do you expect the message?
- Do you know the person who wants to connect with you or send a message?
- Is there incorrect spelling or incorrect grammar?
- Is the sender's email address from a suspicious domain?
- Are there hyperlinks in the mail? If so, what do those hyperlinks look like? Are they long? Does the address lead to another website?
- And when it comes to a connection request: how reliable is the LinkedIn profile of the sender?
Of course, such a step-by-step plan does not make you completely immune, but it does protect you from many attacks. And if you are really not sure, you can of course simply reject a connection request. Sometimes it is better not to have certain connections.
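Two of the questions above, the sender's domain and where the hyperlinks really lead, can be checked mechanically. The following is an added example, not part of the original article; the `TRUSTED` list, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("linkedin.com",)  # assumption: domains you accept as genuine LinkedIn

# Constructed sample message for illustration, not a real email.
SAMPLE = """From: LinkedIn <notifications@linkedin-mail.example>
Subject: You have a new connection request on LinkedIn
Content-Type: text/html

<a href="https://www.linkedin.com.login.example/accept">https://www.linkedin.com/accept</a>
<a href="https://www.linkedin.com/help">Help</a>
"""

def under(host, domains=TRUSTED):  # exact match or true subdomain only
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class Links(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def review(raw):  # returns findings for the sender-domain and hyperlink checks
    msg, findings, parser = message_from_string(raw), [], Links()
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not under(sender):  # display name may say "LinkedIn"; the domain decides
        findings.append(f"sender domain {sender} is not a trusted LinkedIn domain")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    for href, text in parser.links:
        host = urlparse(href).hostname  # the real destination, not the text shown
        if not under(host):
            findings.append(f"link shown as {text!r} points to {host}")
    return findings

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

The suffix match in `under` is what catches look-alike hosts such as `www.linkedin.com.login.example`, which contain the brand name but belong to a different domain.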
Even if your organization has installed a defence mechanism against these attacks such as a standard firewall, employees are a company's last line of defence and are most successful when they are continuously trained and prepared for the latest phishing threats. They form a so-called 'human firewall', which further supports the company's security system. Ensure you know how to recognise social engineering and phishing, what to do if you encounter it, and what countermeasures to take.
Many users are active on social media platforms (Facebook, LinkedIn and Twitter). Criminals in turn use them to collect user and company profile information so that they can create targeted spear phishing campaigns to take over accounts, damage a company or individual's reputation or gain access to a network. That's why LinkedIn emails need to be handled with extreme caution.