Social engineering is an often-overlooked method that bad actors use to carry out cybercrime. And while one may think Facebook is the go-to social platform for criminals to target individuals, LinkedIn is a far richer treasure trove of data and unsuspecting contacts. With a respectable 720+ million monthly users, LinkedIn is recognized as the professional social media site, providing tools for businesses or people to develop and share industry thought leadership as well as to attract employees.
As a business platform, there is a strong desire for users to interact with the goal of generating B2B leads or finding jobs/job candidates. Furthermore, it is reported that LinkedIn is where most Fortune 500 decision-makers and executives spend a fair amount of time, with about 45% of LinkedIn article readers in upper-level, decision-making positions. Now that it is established that LinkedIn is the leading online B2B platform, how does this tie to cybersecurity?
It links back to social engineering in the context of information security. Cyber criminals are known to find readily available sources or to use deception in order to manipulate people into sharing confidential or personal information. With professionals all too eager to interact in the B2B environment or seek career opportunities, LinkedIn is an effective tool of choice for threat actors since the platform highly encourages making new connections. For career-focused users, the ‘old’ tactics of tricking someone into clicking malicious links or downloading compromised files work well on individuals who are desperate for next steps in job hunting and are therefore highly likely to let their guard down and overlook signs of fraud. Finally, LinkedIn is designed around users sharing their employment and education background, notable work or volunteer achievements, and business-related accomplishments (in addition to a myriad of contact details so that no lead gets away). The platform regularly reminds users to ‘complete your profile,’ ‘add new sections,’ and ‘tell your network everything.’ This generates a near-perfect reference repository for cyber criminals to gather very detailed information about organizations and senior executives for use in nefarious activities such as spear phishing, angler phishing, and whaling.
LinkedIn users can protect themselves and still benefit from using the platform by adhering to some simple best practices and security tips.
- Change your password regularly and do not reuse a password from another site. This is not specific to LinkedIn, but good password hygiene can never be stressed enough.
- Make sure you turn on two-step verification within the account access section of account preferences.
- Determine the minimum amount of personal contact information you can have in your profile; contact details, particularly your address, should not be publicly viewable. There are many profile visibility options found within account preferences. Settings to consider limiting include ‘profile viewing mode’, ‘who can see your connections’, ‘manage active status’, ‘share profile updates’, and ‘notify connections when you’re in the news.’ These selections all affect how easily information about you can be found and used against unsuspecting targets.
- Under the data privacy tab, explore ‘how LinkedIn uses your data.’ Look specifically under ‘manage your data and activity.’ Here you will find all the times you provided and shared your LinkedIn data (generally your profile) with a company, marketer, or permitted application.
- Additionally, consider deleting salary data if it was previously shared and choose whether third-party partners can use data about you for research.
LinkedIn is a fantastic networking tool and business resource that, with a bit of vigilance, can be used to full advantage as the dominant professional social media platform while keeping you protected online as a user.