Last year the employment-oriented online service LinkedIn suffered a cybersecurity breach that was thought to have affected 92 percent of users, and in the process exposed contact information, employment information, and even location history.
That was not an isolated incident.
According to an April 2022 report from Check Point Research, the Microsoft-owned network topped the list of all phishing attempts made over the past quarter. LinkedIn even overtook international shipping company DHL as the most targeted brand.
Currently, LinkedIn has more than 774 million registered users from more than 200 countries, which also makes it a prime site in the social/professional networking space for hackers to gather information on users.
“LinkedIn has become a crucial tool for attackers,” warned Chris Clymer, director and CISO at cybersecurity risk management provider Inversion6. “Using public information on LinkedIn, it is now possible to entirely automate information gathering where executives, financial staff, and other attractive phishing or spoofing targets are identified. Virtually every targeted attack involves using LinkedIn for information gathering.”
Watch What You Share
Proponents of LinkedIn maintain that it is the best way to network and find career opportunities. Too often, however, the due diligence that users apply on other social platforms is lacking on LinkedIn.
“LinkedIn can be a very valuable resource for professionals,” said Matthew Marsden, vice president for technical account management at cybersecurity and systems management firm Tanium.
“While content is generally restricted to professional writing, job posting, and industry talk, there are still threats in using the platform. Malicious actors create false profiles and seek to collect a network of ‘connections’ from whom to collect intel,” warned Marsden.
Too Much Information
LinkedIn encourages the sharing of resumes for job seekers, but this can expose sensitive information about the user.
“Personally Identifiable Information (PII) is a common component of a resume, and this is publicly exposed in a LinkedIn post,” said Marsden. “Detailed resumes also provide valuable information that can be used in social engineering campaigns.”
This is really no different from over-sharing on Facebook or Instagram, of course.
“All social platforms have the potential to be exploited by nefarious people and LinkedIn is certainly no exception,” said Tom Garrubba, director of TPRM (Third Party Risk Management) professional services with Echelon Risk + Cyber.
“Recent FBI warnings of incidents of thieves befriending people on the app and then baiting or even goading these unsuspecting users into cryptocurrency scams and other types of scams provide horrific examples of what can happen if one isn’t careful,” explained Garrubba. “Social media fills that instant gratification void and the humanistic need to be ‘liked.’ We all need to be wiser at knowing that we don’t need to give an opinion on everything in the world nor to provide the online world sensitive details of our personal lives and those close to us.”
In other words, due diligence is always recommended on all social media platforms, including LinkedIn.
“For some, it may be possible to simply not have a profile to limit their exposure – but this is an increasingly untenable position,” added Clymer. “For many of us, LinkedIn is a necessary tool for promoting both ourselves and our employers – one that can’t be ignored. Instead, it pays to be aware that this information is readily available, and to always validate any suspicious email requests like changes in payment information using a phone call to a familiar voice.”