Most people are aware that sharing too much on social media sites like Facebook or Twitter can let complete strangers see your private photos or track when you are away from home. Far fewer companies consider that business-oriented sites like LinkedIn hold dangers of their own.
While your staff may think that posting their current employment details on LinkedIn is advantageous and great for networking, it may actually be exposing your company to a spear-phishing campaign (sometimes called LinkedIn phishing). If you search for your company on LinkedIn, do any of your employees have their corporate email address publicly viewable? A handful of real addresses is all an attacker needs to work out your address format (for example first.last@company.com), and from that the email address of anyone whose name appears on your company page.
What is LinkedIn Spear-Phishing?
Spear-phishing is an email that appears to come from an individual or business you know. It doesn't. It comes from the same criminals who want your credit card and bank account numbers, your passwords, and the personal information on your PC. Cybercriminals spend hours on what is known as "intelligence gathering", trawling through public websites like LinkedIn or company websites to collect real data: the names and job titles of senior employees, or how a company formats its email addresses. They then use this data to craft targeted phishing emails and send them to specific individuals. These emails might trick someone in your company into divulging important information like a network password, or into downloading an apparent company report that is really a cleverly disguised keylogger.
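To show why a few exposed corporate addresses matter, here is an added example (not code from the original article) of the address-format inference an attacker performs during intelligence gathering. It takes a handful of name/address pairs scraped from public profiles, votes on which naming convention they follow, and then generates candidate addresses for other employees whose names are public but whose addresses are not. The names, the domain example-corp.com and the list of patterns are all constructed for the example; the outlier address in the sample shows that one person not following the convention does not hide it.

```python
import re
from collections import Counter

# Constructed sample: (full name, corporate address) pairs of the kind an
# attacker scrapes from public profiles. Names and domain are fictional.
KNOWN = [
    ("Alice Morgan", "alice.morgan@example-corp.com"),
    ("Robert Chen", "robert.chen@example-corp.com"),
    ("Priya Nair", "pnair@example-corp.com"),   # one person off the convention
]

# Common corporate naming conventions, as assumed for this example.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "firstl":     lambda f, l: f"{f}{l[0]}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}


def _split(name):
    """Normalise a display name to (first, last) in lowercase ASCII letters."""
    parts = re.sub(r"[^a-z ]", "", name.lower()).split()
    return parts[0], parts[-1]


def infer_format(known):
    """Return (pattern_name, domain, fraction of samples matching) or None.

    Each known address votes for every pattern that reproduces its local part;
    the pattern with the most votes is the company convention.
    """
    votes, domains = Counter(), Counter()
    for name, addr in known:
        local, _, domain = addr.lower().partition("@")
        domains[domain] += 1
        first, last = _split(name)
        for pname, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[pname] += 1
    if not votes:
        return None
    pname, count = votes.most_common(1)[0]
    return pname, domains.most_common(1)[0][0], count / len(known)


def generate(names, pattern, domain):
    """Build candidate addresses for names that have no public address."""
    fn = PATTERNS[pattern]
    return [f"{fn(*_split(n))}@{domain}" for n in names]


if __name__ == "__main__":
    pattern, domain, confidence = infer_format(KNOWN)
    print(f"convention {pattern} at {domain} ({confidence:.0%} of samples)")
    # Names visible on the company page but with no address shown (constructed).
    for addr in generate(["Dana Whitfield", "Sam O'Brien"], pattern, domain):
        print("candidate:", addr)
```

The defensive reading is the important one: once two or three addresses leak, every name on your LinkedIn company page becomes a deliverable target, which is why the advice later in this article to keep corporate addresses off the site matters more than it first appears.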
It isn't just done via email either. An attacker might find an employee's internal phone number and call up pretending to be from the IT department: there is a problem with your computer and they need remote access, or your username and password. Or they might use a manager's name to email you a malware-laden spreadsheet showing "a major financial error that could cost you your job". You're probably not going to think twice about opening it.
The scam below was reported by the FBI in May this year, in relation to universities being targeted in the US.
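The "manager's name" email above is display-name impersonation: the From header carries a name your staff trust, but the address behind it is not that person's. As an added example (not part of the original article), the check below parses the From and Reply-To headers of a message and flags two tell-tale patterns: a display name that matches a known employee but an address that does not, and an internal-looking sender paired with an external Reply-To. The staff directory, the corporate domain and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate domain(s) and a constructed staff directory
# (normalised display name -> the one real address for that person).
CORPORATE_DOMAINS = {"example-corp.com"}
DIRECTORY = {
    "alice morgan": "alice.morgan@example-corp.com",
    "robert chen": "robert.chen@example-corp.com",
}


def _norm(name):
    """Lowercase a display name and collapse punctuation/whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def check_sender(raw_message):
    """Return a list of findings for one RFC 5322 message (empty if clean)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.partition("@")[2]
    findings = []

    # A trusted name on an address the directory does not know.
    key = _norm(display)
    if key in DIRECTORY and addr != DIRECTORY[key]:
        if domain in CORPORATE_DOMAINS:
            findings.append("display name matches staff but address differs from directory")
        else:
            findings.append("display name impersonates staff from external domain")

    # Replies silently redirected outside the company.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and domain in CORPORATE_DOMAINS \
            and reply_to.partition("@")[2] not in CORPORATE_DOMAINS:
        findings.append("internal From but external Reply-To")
    return findings


# Constructed sample messages.
SPOOFED = """From: Alice Morgan <alice.morgan.ceo@gmail.com>
To: bob@example-corp.com
Subject: Major financial error

Open the attached spreadsheet urgently.
"""

LEGIT = """From: Alice Morgan <alice.morgan@example-corp.com>
To: bob@example-corp.com
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", check_sender(sample) or "no findings")
```

A real deployment would feed this from a mail-gateway rule or a SIEM parser and would add look-alike-domain matching (for example example-c0rp.com) to the directory comparison; the structure of the check stays the same.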
“Spear phishing e-mails are being sent to university employees that appear to be from their employer. The e-mail contains a link and claims some type of issue has risen requiring them to enter their log-in credentials. Once employees provide their user name and password, the perpetrator accesses the university’s computer system to redirect the employees’ payroll allocation to another bank account. The university employees’ payroll allocations are being deposited into students’ accounts. These students were hired through online advertisements for work-at-home jobs, and provided their bank account information to the perpetrators to receive payment for the work they performed.”
How can you protect your company on LinkedIn?
Keeping your company safe begins with understanding who can see you and your employees online, and what they can see. Ask your employees to use a personal email address on LinkedIn rather than their corporate one, and make sure that any LinkedIn pages criminals might find won't reveal too much about how your company works.
On the plus side, LinkedIn does hide your contact information from the public. So attackers will try to trick you into connecting with them, by claiming to be in your line of business or by impersonating someone they are not. The whole purpose of LinkedIn is to network with people you have previously done business with, so don't accept every connection request without first doing some research.
It is not reasonable to expect your employees to be completely anonymous online, but you can educate them to recognise phishing and spear-phishing attacks. Keep them up to date on current phishing scams, and on the fact that attackers are no longer just casting wide nets: they have found spear phishing, an aggressive tactic that targets specific businesses, to be far more profitable.