The career-centered social media network LinkedIn is the latest victim of phishing efforts on the part of cybercriminals—demonstrating that no organization, no matter how big, is immune to such threats. The phishing attacks are tailored to what LinkedIn users are most likely to be interested in and seek to obtain valuable information from victims. What makes these attacks most concerning from a business perspective is that many LinkedIn users are logging in with their corporate email accounts. When the cybercriminals succeed in getting the information they want, they can gain access to the information of not just the immediate victim, but the organization they work for as well.
Cybercriminals Targeting LinkedIn Users
According to the security awareness training company KnowBe4, a new wave of cybercrime is hitting the LinkedIn community to gain valuable corporate information. Cybercriminals are attempting to get employees to fall for phishing emails—emails that encourage recipients to click a link that leads to a request for confidential information.
The phishing emails are designed to appeal to the personal interests of the recipients, a common tactic with phishing attacks. The goal is to excite the recipient enough that they forget to be cautious. According to KnowBe4, the most popular type of phishing email is one that has LinkedIn in the subject line. Messages from LinkedIn are opened around 50% of the time, so it makes sense for the cybercriminals to use what is most likely to work. They know that around one in two users will open an email that appears to be from LinkedIn, so they tailor their phishing emails accordingly.
Particular Concern for Those with Business Responsibilities
When a phishing attack succeeds against an average person, their personal and financial information is at risk. But when a phishing attack succeeds against someone who has responsibilities at a business, and therefore access to the protected information of the business, it can lead to damage that harms the business and all of its employees. No one deserves to be the victim of a phishing attack, but there are individuals who, if compromised, can deliver information that will harm more than just one person.
Predictably, the people cybercriminals most want to fall for their LinkedIn phishing attacks are those with higher security clearance in businesses. They know that they could strike a gold mine if they get the right person, with the right information, to fall for one of their phishing emails. That is why they are so devious in the way that they construct their traps. They look closely at the areas of interest of their targets to ensure that they have the highest chance of success.
Areas Where Cybercriminals Focus on LinkedIn
Not just any phishing email will lead to a click from the reader. To get the desired result, cybercriminals must create the kind of emails that recipients are most likely to fall for. KnowBe4 actually conducted tests on LinkedIn to determine which types of emails recipients would click the most often. As mentioned earlier, the most successful phishing emails included LinkedIn in the subject line of the email. According to an article from ChannelFutures, once the recipient looked at the email, they were most likely to click on emails that had the following in the subject line:
- Profile Views
- New InMail Message
- Join my network
- Add me to your network
It makes sense that these subjects would attract the most clicks. They all indicate an interest in the recipient, specifically the kind of interest that could lead to an excellent networking opportunity. A desired employer or contact might have looked at their profile or sent them a message. Even better, they might have requested that the recipient become part of their network, or that the recipient allow them to become part of their network. All four subjects target those who are using LinkedIn to further their careers, which explains why they were so successful.
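A mail-filter check built on the subject lines listed above, as an added example that is not part of the original article: it flags LinkedIn-themed messages whose sender is not verifiably LinkedIn. The trusted domain `linkedin.com`, the reliance on a gateway-added `Authentication-Results` header, and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject-line lures listed in the article, lower-cased for matching.
LURES = ("profile views", "new inmail message",
         "join my network", "add me to your network")
TRUSTED = "linkedin.com"  # assumption: genuine mail uses this domain or a subdomain

def sender_domain(msg):
    """Domain of the From address (sender-controlled, so never sufficient alone)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dmarc_passed(msg):
    """True if the receiving gateway recorded dmarc=pass (assumes the gateway
    strips any Authentication-Results headers supplied by the sender)."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.I) is not None

def classify(raw):
    msg = message_from_string(raw)
    subject = msg.get("Subject", "").lower()
    if "linkedin" not in subject and not any(l in subject for l in LURES):
        return "not-linkedin-themed"
    domain = sender_domain(msg)
    from_linkedin = domain == TRUSTED or domain.endswith("." + TRUSTED)
    # A lookalike domain fails the first test; a forged From fails the second.
    return "likely-genuine" if from_linkedin and dmarc_passed(msg) else "suspicious"

# Constructed sample messages (headers only), not real traffic.
SAMPLES = {
    "genuine": "From: LinkedIn <updates@linkedin.com>\n"
               "Authentication-Results: mx.example.org; dmarc=pass header.from=linkedin.com\n"
               "Subject: Profile Views: 5 people viewed your profile\n\n",
    "lookalike": "From: LinkedIn <notify@linkedin-alerts.example>\n"
                 "Authentication-Results: mx.example.org; dmarc=pass header.from=linkedin-alerts.example\n"
                 "Subject: New InMail Message\n\n",
    "spoofed": "From: LinkedIn <security@linkedin.com>\n"
               "Authentication-Results: mx.example.org; dmarc=fail header.from=linkedin.com\n"
               "Subject: Join my network on LinkedIn\n\n",
    "unrelated": "From: Colleague <colleague@example.org>\nSubject: Quarterly report\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} -> {classify(raw)}")
```

The lookalike sample passes DMARC for its own domain and is still flagged, which is why the check requires both the sender domain and the authentication result.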
What Can LinkedIn and Users Do to Fight the Problem?
For LinkedIn, the risk of phishing scams and cybercrime is and has always been present. As the company has grown, they have been well aware of the dangers that cybercrime poses to their business and their users. That is why, as with all other major social media platforms, LinkedIn has a dedicated team to identify cybercrime on their platform and to do what they can to fight it. However, there is a limit to what LinkedIn’s dedicated security team can accomplish on their own. Once a platform has millions of users, there will always be criminals who can slip through the cracks. LinkedIn will not be defeated by cybercriminals as a platform. However, the platform’s users do need to be aware of the risks they face.
For businesses, it is best to avoid relying on LinkedIn to keep them and their employees totally secure. Companies have to accept that from time to time, their employees will be targeted by cybercriminals. That is why employee awareness training is so necessary. Businesses must train employees to be aware of the risks of cybercrime, including phishing emails. If you are worried about your employees falling for a phishing scam, consider training them in the red flags of social engineering.
To learn more about cybercrime risks and how to avoid them, please contact our IT services team. We can help you protect your employees and your business.
- Jason Vanzin
- May 13, 2019
- Words Of Technical Wisdom