
Phishing to Data Harvesting: LinkedIn Turns Playground For Cyber Fraud

Published August 7, 2022

A recent report by cybersecurity company Check Point put LinkedIn in the top spot for the most impersonated brand in phishing campaigns observed during the second quarter of 2022. That report also created a parallel discussion on recruitment fraud and reputation harm done on the platform. Research by The Cyber Express found that both are easier to carry out than previously thought.

Why LinkedIn

As with all social media services, LinkedIn, too, maintains that it is not a publisher but a platform. Although certain content monitoring systems are in place, the onus of content legitimacy is usually on the creator.

We probed further and discovered that anyone can claim to be an official of an organization simply by linking their LinkedIn profile to that of the company. This allows anyone to leech on the organization’s goodwill, gain followers, and even run recruitment scams on LinkedIn.

The extreme situation is an actual hijack of an existing user profile, when the objective is to cash in on or harm the reputation of the person or company. The hook is usually a scam message or email that warns that your profile is about to be locked and asks you to submit your login details.

Example of a phishing scam listed on the LinkedIn Safety Center web page.

Such scamsters run below the radar until someone reports the profile, which usually happens when the fraud profile attracts the attention of genuine employees who work in the same department or firm, recruiters told The Cyber Express. However, the recruitment process through LinkedIn is so fast that fraudsters delete the profile and leave before this “eventual spotting” happens, said Deepak Tripathi, founder of staffing and recruitment company Johire.

Bigger target, bigger harm

“LinkedIn vastly differs from other job portals,” said Tripathi. “Here, you not only list your professional journey but also connect with all levels of executives in companies across the world. This platform gives you interesting jobs, good candidates, as well as leads to grow your business and professional network.”

He concedes that he often found it challenging to use the platform alone to verify the credentials of employers and candidates. The harm aggravates when top executives or the brand itself are targeted. Cybersecurity companies have started spotting opportunities in this threat.

“In cybersecurity terms, ‘brand’ is relatively new – what once was seen as a marketing challenge has rapidly grown into a legitimate security issue. Now, when we talk about brand protection, it’s not limited to managing how people talk about you; it’s also about criminals pretending to be you,” wrote Brian Kime, vice president of intelligence strategy and advisory at U.S.-based cybersecurity company ZeroFox.

The damage is often instant, and the tools to protect your brand should be capable of averting the threat, he wrote in an advisory post titled “CISO, We Have a (Brand) Problem”.

Red flags

Many red flags show themselves when we take a second look, assured Tripathi.

“A few months back, a friend got in touch with me to verify a job opportunity. The ‘Dubai-based employer’ was demanding some sort of registration fee. The demand was unusual and the amount was high,” he said.

A detailed look at the invoice showed a GST charge, but no GST number was mentioned. Being the promoter of a GST-registered recruitment company, Tripathi could easily spot the fraud.

Tripathi has a playbook for spotting fraud on LinkedIn. Some of the usual red flags are as follows:

  • Check the company’s website. If it has one, check whether it is served over HTTPS (with a valid TLS certificate) rather than plain HTTP. A secured website brings some legitimacy.
  • Check the company’s activity on LinkedIn. A long history of regular posts, particularly announcements of new appointments, earns some trust.
  • Are people talking about the company, its founders or its HR staff on LinkedIn? Read their comments and the points they raise.

On the other hand, companies can save their reputation with these steps, says Tripathi.

  • Audit your LinkedIn presence from time to time, from your employees to those who tag your name on their posts.
  • Flag fake profiles in public posts so that others are warned.
  • Watch out for job posts on behalf of the company. Check out the author’s profile.
  • Watch out for data gatherers. They don’t intend to target the company but are out there to gather personally identifiable information (PII) using fraudulent job posts. You might face vicarious liabilities arising out of such situations if it is proven that you could have prevented it.
Written By

The Cyber Express is a publication that aims to provide the latest news and analysis about the information security industry. The news comes from a variety of sources and is updated regularly so that readers can stay up to date with the latest happenings in this rapidly growing field.