In a survey of 2000 UK-based respondents, Intel Security has revealed that more than one in five Brits (23.9 percent) have connected with someone they do not know on LinkedIn.
This presents a huge window of opportunity for criminals to research a potential target: social networks contain a wealth of information that can be used to craft a highly effective spear-phishing or whaling attack.
Raj Samani, CTO EMEA Intel Security, explains, “Social networking sites are a treasure trove of data used by malicious actors in order to research potential targets for attacks, not only requesting to connect with senior executives but as many junior or mid-level employees at a company as possible.”
Once connected with a number of a company's employees, the attackers approach its senior-level executives; the shared connections with colleagues serve as proof of credibility, exploiting the principle of social validation. With those connections in place, they can launch a targeted phishing campaign.
Samani gave an example of where this might be used: “As a precursor of a CEO fraud attack, a type of attack which is continuing to affect more victims and lead to even greater financial losses according to assessments by the FBI.”
Samani warns, “When a person in a similar industry to us, or a recruiter, requests to connect on LinkedIn, it may look harmless, but hackers prey on this as a means to target senior level professionals and ultimately the corporate network.”
The story comes at a time when the sacking of the CEO of an Austrian aircraft parts manufacturer – following the loss of £31 million (€40.9 million) to a whaling attack – is still fresh in the minds of many company bosses.
FACC Operations GmbH revealed in January 2016 that it had been the victim of email fraud in which it lost £38 million (€50 million) after the CEO fell for a whaling attack. The company has since reported recovering €10 million, reducing the loss to €40 million. That loss wiped out its profits for the year, leaving a net loss of £17.5 million (€23 million).
Proof that it pays to be slightly paranoid perhaps.
And yet according to Intel Security's research, over two-thirds (68.7 percent) of respondents admitted they had never questioned whether a LinkedIn contact might not be who they claimed to be, while the vast majority (87.1 percent) said their employer had never made them aware of any specific corporate policy on LinkedIn use.
This presents a significant risk to the corporate network. A LinkedIn user with malicious intentions who can show even one or two shared connections may quickly enter a highly influential circle, because those mutual contacts encourage other high-status executives to accept the connection request too.
Samani warns that employees often expose their own accounts – and therefore their company data – to threats without realising it. “Businesses must educate all members of staff on how to avoid common scams, including making them aware of the risks of opening unknown attachments in messages or clicking on unknown links,” he said.
“This sounds simple but phishing scams are growing rapidly. Companies are falling for tricks by cyber-criminals who get in contact using details skimmed from the internet to legitimise their own fake profile in order to better target businesses.”
Samani believes that businesses cannot afford to ignore employee training and leave staff to connect with questionable individuals masquerading as peers on LinkedIn. “Relatively unskilled cyber-criminals may find that connecting with employees through a business-oriented social networking service offers them just the ‘in’ they were looking for.”