LinkedIn is the world’s largest professional networking platform with over 740 million members. As with any major online platform, LinkedIn is not immune to phishing attacks. Phishing is a type of cybercrime where criminals attempt to obtain sensitive information like login credentials or financial information by disguising themselves as a trusted entity. On LinkedIn, phishing attacks typically take the form of fake connection requests, job offers, or messages asking the user to click on a malicious link. As LinkedIn continues to grow, it has become an increasingly attractive target for phishers.
What is phishing?
Phishing is a fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, credit card details, etc. by disguising oneself as a trustworthy entity in an electronic communication. Phishing attacks often direct users to enter personal information on a fake website, the look and feel of which are almost identical to the legitimate one.
Here are some key characteristics of phishing attacks:
- The attacker poses as a trusted institution or person to lure victims
- Phishing messages appear genuine and use urgency to persuade users to provide information
- Malicious links are embedded in emails, social media messages, texts etc. to harvest user data
- Fake websites are designed to mimic legitimate websites to steal login credentials and financial information
- Stolen data is then used for identity theft, financial fraud or sold on the dark web
Phishing remains one of the major cybersecurity threats today. Attackers are using increasingly sophisticated techniques to target businesses, organizations and individuals across digital channels.
Types of phishing attacks
There are several different types of phishing attacks:
Spear phishing
This targets specific individuals within an organization. The phishing emails are customized with familiar company branding and relevant personal details to make the scam more convincing.
Whaling
High-profile individuals like senior executives are the main targets of whaling attacks. The intention is to gain access to critical data by compromising influential decision makers with access to sensitive information.
Clone phishing
Legitimate emails that have already been sent or received are cloned. The phishing email is made to look identical to the original but contains a malicious link or attachment.
SMS phishing (smishing)
Phishing attempts are made via text messages. Attackers often pose as banks, e-commerce platforms or delivery companies to get users to click malicious links.
Voice phishing (vishing)
Scammers use phone calls, often automated robocalls, to obtain private information by impersonating legitimate businesses.
Malware-based phishing
Malware is attached to emails or hosted on fake websites to infect the target’s device and steal data.
History of phishing
While the term “phishing” originated in the 1990s when scams were perpetrated via phone calls, phishing attacks began appearing in the digital world in the early 2000s.
Early phishing (1996-2003)
The first recorded instance of phishing occurred in 1996 through emails impersonating a bank to retrieve account details from AOL users. As internet usage grew in the early 2000s, phishing using fake websites became more common. Early targets included eBay, PayPal, Citibank and other financial institutions.
Rapid growth (2004-2007)
From 2004 to 2007, phishing attacks grew at an exponential rate, with hundreds of brands across sectors being targeted. An Anti-Phishing Working Group study found the number of unique phishing reports grew from fewer than 1,500 in September 2003 to over 28,000 in December 2007.
Sophisticated attacks (2008 – Present)
Modern phishing scams employ sophisticated techniques like personalization and targeting, refined social engineering tactics, and integration of malware. The shift to mobile and social media platforms has also expanded the phisher’s playground. Overall losses to phishing attacks reached $3.4 billion in 2019 according to the FBI’s Internet Crime Complaint Center.
5 biggest LinkedIn phishing scams
As a professional networking platform with high-value targets, LinkedIn has faced its share of phishing issues. Here are 5 major types of phishing scams on LinkedIn:
1. Fake LinkedIn messages
Phishers send seemingly real connection requests or messages designed to get users to click malicious links or download malware. They often mimic notifications from LinkedIn to make the messages convincing.
2. Fraudulent job offers
Fake job offers are sent via LinkedIn to harvest personal information or send potential recruits to phishing sites. These scams prey on active job seekers.
3. Business email compromise (BEC)
By posing as executives or suppliers, attackers compromise corporate email accounts to scam businesses into making payments to criminal accounts. LinkedIn profiles provide intel for targeted spear phishing.
4. Fake LinkedIn support accounts
Phishers create LinkedIn profiles posing as LinkedIn customer support to seem credible. They then direct users to fake LinkedIn help sites to steal credentials.
5. Third-party browser extensions
Browser extensions that claim to enhance the LinkedIn experience may install malware without the user’s consent or knowledge. These malicious extensions can steal profile info and messages.
LinkedIn user data leaked on the dark web
In 2021, LinkedIn faced a significant data exposure incident in which data scraped from 500 million user accounts was put up for sale on a popular hacker forum. The leaked data contained sensitive information such as:
- Email addresses
- Full names
- Phone numbers
- Geographic locations
- LinkedIn usernames and links to LinkedIn profiles
- Gender details
- Other social media handles
While LinkedIn maintained that this was not a data breach, the leaked data could empower new LinkedIn phishing schemes by giving scammers access to users’ personal information. This data scrape highlights the need for tightened security and anti-phishing measures on LinkedIn.
Phishing red flags on LinkedIn
Here are some common signs of phishing attempts on LinkedIn to watch out for:
Unexpected messages
Look out for unsolicited connection requests and messages, even from existing contacts. These may contain phishing links or attachments.
Sense of urgency
Messages that try to rush or pressure you into clicking suspicious links or providing information are red flags. Slow down and verify before responding.
Poor spelling and grammar
Phishing messages often contain typos, grammar errors and awkward phrasing.
Fake URLs
Check the URLs in messages and profiles carefully. Scammers register misspelled or deceptively similar domain names.
Asks for sensitive information
Legitimate businesses generally don’t ask for personal details like passwords, bank account numbers or credit card info over LinkedIn.
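As an added example (not from the article), here is a small Python heuristic that checks a LinkedIn message for the red flags listed above: lookalike or misspelled domains, urgency language, and requests for sensitive data. The trusted-domain list, the keyword lists and the sample messages are constructed assumptions, and the domain parsing keeps only the last two labels, which is a simplification.

```python
import re
from urllib.parse import urlparse
# Constructed sample messages for this example; none is a real phishing sample.
SAMPLE_MESSAGES = [
    "Hi, your account will be suspended in 24 hours. Verify now at https://linkedin.com.secure-login.xyz/verify",
    "Great connecting! Here is the article I mentioned: https://www.linkedin.com/pulse/some-post",
    "Urgent: confirm your password at http://linkedln.com/login to keep your profile active",
]

LEGIT_DOMAINS = {"linkedin.com", "lnkd.in"}  # assumption: the only trusted registrable domains
URGENCY = ("urgent", "immediately", "24 hours", "suspended", "act now")
SENSITIVE = ("password", "bank account", "credit card", "ssn")

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels of the host; ignores multi-part public suffixes (simplification)."""
    return ".".join(host.lower().split(".")[-2:])

def is_lookalike(host):
    """True if the host mimics LinkedIn without being a trusted LinkedIn domain."""
    domain = registrable_domain(host)
    if domain in LEGIT_DOMAINS:
        return False
    sld = domain.split(".")[0]
    # Brand name placed in a subdomain of a foreign domain, or a near-miss spelling
    return "linkedin" in host.lower() or levenshtein(sld, "linkedin") <= 2

def score_message(text):
    """Return the red flags found in one message as a list of short labels."""
    flags = []
    for url in re.findall(r"https?://[^\s]+", text):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            flags.append(f"lookalike-domain:{host}")
    lowered = text.lower()
    if any(w in lowered for w in URGENCY):
        flags.append("urgency")
    if any(w in lowered for w in SENSITIVE):
        flags.append("asks-for-sensitive-info")
    return flags
```

Running score_message over the three sample messages flags the first and third and leaves the genuine linkedin.com link alone.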
9 tips to avoid phishing on LinkedIn
Here are some tips to protect yourself from getting phished on LinkedIn:
1. Use login alerts
Enable login alerts to be notified of logins from new browsers and devices. This makes you aware of any unauthorized access.
2. Think before you click
Don’t click on suspicious links in unverified messages. Hover over the link to preview the URL before clicking.
3. Verify message senders
Don’t just rely on display names. Go to the member profile to check for verification badges and plausibility.
4. Watch for personal info requests
It’s generally unsafe to share personal details like bank info and passwords on LinkedIn.
5. Avoid public Wi-Fi
Public unsecured networks make it easier for hackers to steal your data through phishing sites. Use a VPN if required.
6. Use multifactor authentication
MFA adds an extra layer of security beyond passwords, so phishers can’t access your account even with a stolen password.
7. Be wary of deals
If an offer seems too good to be true, it most likely is. Phishers use tempting deals to lure victims.
8. Install antivirus software
A reputable antivirus program helps detect and disable malware used in phishing campaigns.
9. Report phishing attempts
Alert LinkedIn immediately if you encounter a suspicious message or account. Also notify your connections.
Conclusion
Phishing poses a significant threat to LinkedIn users looking to make connections, find jobs and build their professional identity. Attackers are constantly evolving their tactics and techniques on the platform. However, being vigilant, refraining from oversharing personal information, and employing security best practices can go a long way in protecting yourself from phishing scams on LinkedIn. As phishing detection methods also improve, companies like LinkedIn are working to enhance technical countermeasures and user education to combat this menace. With caution and collective vigilance, the severity of phishing attacks on LinkedIn can be minimized.