New research on LinkedIn and social media habits shows that many users are guilty of indiscriminately connecting with online strangers, potentially opening them up to spear phishing schemes and business email compromise (BEC) scams.
A new, unpublished Intel Security survey of 2,000 U.K.-based LinkedIn users found that nearly 24 percent of respondents have connected on LinkedIn with someone they did not know. Moreover, nearly 69 percent of survey-takers said it never even crossed their minds that the people they've connected with might be fictional online personas created by fraudsters. “The thing that was most surprising was the sheer lack of any form of due diligence,” Raj Samani, CTO of EMEA Intel Security, told SCMagazine.com.
Connecting with online strangers through LinkedIn, Twitter and Facebook potentially exposes users and their companies to highly targeted social engineering scams that leverage information gleaned from online personal and career profiles. Such data can be used to craft spoofed spear phishing emails that target LinkedIn users or their colleagues. A recent report from the Internet Crime Complaint Center (IC3) stated that U.S. companies lost $263 million in 2015 as a result of these BEC scams.
The more employees a bad actor can connect with, the easier it becomes to accumulate even more victims, because the scam artist's connections with other industry colleagues make him or her look legitimate. “The fact that you have mutual connections means that you're automatically deemed trustworthy to enter my network. That's social validation,” said Samani.
Despite the risks such behavior poses to businesses, about 87 percent of survey respondents said their employers have never informed them of any specific corporate policies that regulate LinkedIn usage.
The significance of Intel Security's findings becomes even more apparent when factoring in separate unpublished research from BrandProtect. The cyberthreat intelligence firm told SCMagazine.com that as of May 2016, 15 percent of Fortune 100 CEOs who own LinkedIn accounts are represented by multiple profiles, while almost 40 percent of Fortune 100 CEOs on Twitter had at least one duplicate or copycat account. This at least raises the possibility that some of these accounts could be owned by fraudsters masquerading as a CEO – although the company's research did not attempt to confirm such speculation.
“These are the most regulated accounts in the world,” Greg Mancusi-Ungaro, BrandProtect's CMO, told SCMagazine.com, and yet there still were duplicate accounts. “You could go deeper in these organizations, and there could be a lot of people where fake accounts just run rampant.”
Considering the above findings, people may want to consider adopting personal or corporate social media policies, said Samani. Such policies don't necessarily need to outright forbid new connections with strangers – that would diminish the value of online social media platforms – but they can encourage users to ask common-sense questions.
For instance, does the executive inviting you to connect on LinkedIn already have a large number of connections? And are any of those connections mutual? “No connections should be a pretty good telltale sign” something is wrong, remarked Samani, adding that users should also weigh whether or not there is any measurable value in connecting to a specific person sending an invitation.
Mancusi-Ungaro also advised that users check whether an individual's work history looks inaccurate, and even whether the profile photo is genuine. “The perpetrators know about eye candy, and they're not afraid to use a handsome man or beautiful woman as part of the lure for the profile,” he said.
Noting that he himself only accepts about one in every three or four LinkedIn invitations, Mancusi-Ungaro recommended that users treat social networking and media requests with the “same vigilance or wariness you give to unprovoked inbound emails.”