Watch out for LinkedIn scams

FBI warns of increased threats on business networking platforms

By Mark Hoffmann, KENOSHA.COM

A leader in the IT industry for nearly three decades, Hoffmann has helped small and large businesses take advantage of technology to better serve their customers and employees. Hoffmann is owner of CMIT Solutions of SE Wisconsin.

LinkedIn is the third most popular social media platform in the world, boasting 830 million users working at more than 58 million registered companies. Because of that massive member base, the professional network has become an attractive target for cybercriminals, with scammers and phishers posing as colleagues, job candidates, and even recruiters.

Recently, the FBI warned Americans that these hackers on LinkedIn represent a “significant threat” to cybersecurity. Sean Ragan, special agent in charge of the FBI’s Northern California field offices in San Francisco and Sacramento, appeared on CNBC to highlight increasing cryptocurrency scams.

“This type of fraudulent activity is significant, and there are many potential victims, and there are many past and current victims,” Ragan said. “(Cybercriminals) are always thinking about different ways to victimize people (and) companies. And they spend their time doing their homework, defining their goals and their strategies, and their tools and tactics that they use.”

The most common cryptocurrency fraud is basic but devious, according to Ragan. First, hackers attempt to connect with someone on LinkedIn by sending a message that introduces themselves as professional crypto investors. Several different investment strategies are outlined, all promising big returns. In recent weeks, those have even included “buy the dip” appeals that try to play on recent volatility in the cryptocurrency market.

This particular scam has been more successful than usual because hackers ask users to start investing in legitimate, commonly used, and widely trusted crypto platforms. Apparently, after several months, scammers then ask their marks to move funds to different investment platforms, where funds are subsequently stolen.

In a press release, LinkedIn emphasized that its internal cyber defenses catch “the vast majority” of malicious activity. In 2021, the platform deactivated 32 million active fake accounts — and prevented another 16 million fake accounts from even completing their registration. But LinkedIn also acknowledged the scope of the recent problem, reminding users to stay vigilant for scam attempts: “This includes anyone who asks you for any personal information, including your LinkedIn account credentials, financial account information, or other sensitive personal data,” a LinkedIn press release said.

The social network also called attention to the difference between “connecting” with a known colleague and “following” a public figure: “We also encourage you to only connect with people you know and trust. If you’d like to keep up with someone you don’t know but that publishes content that is relevant to you, we encourage you to follow them instead.”

What else can you do to protect your LinkedIn profile, your information, and your money? CMIT Solutions compiled the following recommendations from LinkedIn’s recent alert and our past experience with similar types of scams:

1. Beware of anyone asking for money or other financial gifts — This seems obvious, but the wrinkle with LinkedIn is that most of us are inherently more trustful of connections made on the business platform. Hackers on LinkedIn have been known to replicate real profiles of legitimate people whose titles match their actual positions at real companies. Many scams will start with questions about gift cards, donations, prizes, or cryptocurrency opportunities — not as blatant as requests for straight-up cash and thus easier to fall for.

2. Use caution with job postings that sound too good or involve aggressive recruiters asking for your information — Like the item above, these can take the form of actual listings at real companies that fall in line with your career. Hackers will often send these to you to try to build trust or follow up repeatedly with admonishments to sign on as a future recruit, secret shopper, or virtual assistant.

3. Report any romantic overtures immediately — Believe it or not, LinkedIn called out this form of phishing specifically in its press release about recent cryptocurrency scams: “Romantic messages or gestures, which are not appropriate on our platform, can be indicators of a potential fraud attempt. This can include people using fake accounts in order to develop a personal relationship with the intent of encouraging financial requests.”

4. Implement multi-factor authentication (MFA) on LinkedIn and all other platforms that offer the secure sign-on feature — Most people use MFA at work or for sensitive applications. But social media platforms also offer the extra precaution, which combines something a user knows (his or her password) with something a user has (typically a unique, time-based one-time password or push alert delivered via a dedicated app, text, or email). MFA mitigates the threat that weak or stolen passwords pose to overall cybersecurity for individuals and companies. Millions of such credentials stolen in 2019 from an internal LinkedIn breach were used by hackers to install dangerous malware on computers, steal personal information, and even demand a ransom for its return.

5. Empower employees with regular security awareness training — Many companies consider this kind of education a one-and-done situation to provide to new employees. But revisiting cybersecurity training on a regular and recurring basis — especially when new scams like this LinkedIn one pop up — can pay big dividends for your business. This training should include evolving cyber threats, phishing and social engineering tactics, password security best practices, email and social media protocols, remote management and access rules, and incident response procedures.

6. Work with a trusted IT provider to implement 24/7 monitoring and maintenance — Threat response is a critical part of modern IT protection. At CMIT Solutions, we have extensive experience protecting clients from the specific situations outlined above. We scan client systems for common risks and known vulnerabilities, springing into action to block attacks before they ever impact your company. We acknowledge the changing nature of today’s cybersecurity threats, going above and beyond the call of duty to protect our clients’ data, devices, and digital identities.

Even as social media scams evolve, our North America-wide network of independent business owners and IT technicians works around the clock to develop new protections and formulate new strategies for IT success. If you’re worried about the threat from LinkedIn and other social media apps or want to enhance IT protections for your business, contact CMIT Solutions today.