A stranger is connecting with you on LinkedIn? Beware.
When a total stranger comes out of the blue with a request to connect without any form of introduction on LinkedIn, I systematically ignore it. And so should you. And by the way, this is not only from a pure IT security standpoint. More broadly, I want to build a meaningful network of contacts. Quality should prevail over quantity. Having a network of 800-1,200 people I have talked to (at a minimum) wins over having a network of 8,000 – 10,000 I have never engaged with at all.
Now ,more specifically on social engineering and IT security. LinkedIn is a fantastic professional social media platform BUT it is also a great discovery platform for the purpose of social engineering AND an attack vector to break into your employer via phishing, spear phishing & whaling.
Facts:
- LinkedIn is a treasure trove of data which is used by malicious actors to research potential targets for attack
- Fraud actors and cyber criminals are leveraging LinkedIn to initiate various types of scams, deploying social engineering, phishing, spear phishing, whaling campaigns against all of us who are legitimate LinkedIn users
What is the fraud actor’s ultimate goal ?
Unequivocally, it is to infiltrate your organization’s systems by bypassing the security solutions implemented by your IT Team or your IT Managed Services Provider.
Once the fraud actors have gained access to your computer, they can then move laterally inside your employer’s systems. All options are then open depending on their motive: steal data, encrypt files, take over computing resources, mine cryptocurrencies on your computer, steal cash thru CEO fraud/business email compromise scheme.
How do they do it?
Phase 1 – Establishing Trust Factor and Social Validation. Cyber Reconnaissance.
There is an implicit faith that all accounts on LinkedIn are legitimate. Additionally, it tends to look harmless when a person working in a similar industry to you, or who has common connections with you, or a recruiter makes a connection request.
Well, this is when trouble starts.
Fraud actors and cyber criminals are experts at:
- Building social validation
- Making the most of a proof of credibility with their existing connections and common connections
- Cyber reconnaissance: this is about target selection and spying. Gathering as much information about the target as possible, beginning with passive and moving towards more aggressive active reconnaissance.
They get to know you very well, your network, possibly your business trips and destinations, the name of your boss and colleagues, and they build an entire profile of you.
It makes Phase 2 (the actual hit) very credible, worthy of belief and compelling. This is why probably 90% of the time is spent in Phase 1 doing research and making preparations for what is to come next.
Phase 2: the attack itself or “the hit”.
Cyber criminals can launch a targeted phishing campaign with a phishing email containing a malicious link. They can also be more targeted with spear phishing or whaling emails (thanks to LinkedIn’s trusted InMail feature) without even the need to be connected to that LinkedIn member.
Finally, in some cases, fraud actors can use the good old phone: a whaling email can be followed up with a phone call confirming the email request.
In any case, Phase 2 is short and to the point. Spending more time doing research during Phase 1 increases the success rate of Phase 2.
Bottom line:
- Do NOT accept connection requests from strangers you have not met or talked to on LinkedIn. Period.
- Connecting seems harmless but you face the risk of getting into trouble, and become another victim of social engineering.
- My network should be an asset, not a potential liability.