In a survey of 2,000 UK-based respondents, Intel Security has found that more than one in five Brits (23.9 per cent) have connected with someone they do not know on LinkedIn. The IT firm says this is potentially opening up a wealth of information for any hackers intent on going through their personal information to launch a highly effective spear phishing attack.
How does it work?
“Social networking sites are a treasure trove of data used by malicious actors in order to research potential targets for attacks, not only requesting to connect with senior executives but as many junior or mid-level employees at a company as possible,” explains Samani. “They then target senior level execs, using their existing connections with colleagues as proof of credibility by leveraging the principle of social validation. Once these connections are in place they can launch a targeted phishing campaign. For example it could well be used as a precursor of a CEO fraud attack, a type of attack which is continuing to affect more victims and lead to even greater financial losses according to assessments by the FBI.”
This is a scam to which many company employees remain oblivious, Intel warns. Over two thirds (68.7 per cent) of respondents admitted that they had never wondered if someone is not who they say they are on LinkedIn while the vast majority (87.1 per cent) admitted that their employer had never made them aware of any specific corporate policies around LinkedIn use.
As more millennials enter the workplace, businesses need to take such risks more seriously. This latest research revealed that a staggering 71.5 per cent of 18-24 year olds had never wondered if someone is not who they say they are on LinkedIn. This presents a significant risk to the corporate network. A LinkedIn user with malicious intentions may quickly enter a highly influential circle within LinkedIn when sporting even one or two shared connections, encouraging other high status executives to connect with them too.
Raj Samani, pictured, CTO EMEA at Intel Security, says that employees often expose their own accounts – and therefore their company data – to threats without realising it. “Businesses must educate all members of staff on how to avoid common scams, including making them aware of the risks of opening unknown attachments in messages or clicking on unknown links. This sounds simple but phishing scams are growing rapidly. Companies are falling tricks by cybercriminals who get in contact using details skimmed from the Internet to legitimise their own fake profile in order to better target businesses.” According to Raj Samani, ‘When a person in a similar industry to us, or a recruiter, requests to connect on LinkedIn, it may look harmless, but hackers prey on this as a means to target senior level professionals and ultimately the corporate network.”
Samani adds that businesses cannot afford to ignore employee training and leave staff to connect with questionable individuals masquerading as peers on LinkedIn. “Relatively unskilled cybercriminals may find that connecting with employees through a business-oriented social networking services offers them just the ‘in’ they were looking for.”
