EXECUTIVE SUMMARY:
Every year, businesses spend billions of dollars protecting and securing corporate data. But social media threats can unexpectedly disrupt the best of a business’s efforts. Many organizations retain broad-spectrum social media policies for employees. However, laws forbid companies from controlling employees’ social media engagements in entirety. How can organizations increase awareness around the potential for cyber threats as promoted through social media channels?
Are your employees on LinkedIn? New research from Check Point Software shows that LinkedIn has been implicated in 52% of all phishing-related attacks globally. Share the following information with your employees to highlight how they can avoid LinkedIn identity theft and how they can continue to help protect your organization.
LinkedIn identity theft prevention
Share personal information responsibly. LinkedIn is the public digital equivalent to a CV or resume and contains a wealth of information about each person who uses the platform. The publication of specific types of personal data can be manipulated to serve nefarious intents. LinkedIn users are advised to avoid publishing email addresses, phone numbers, home addresses, a date-of-birth, and vacation photos.
Evaluate head hunters carefully. Job seekers can be poached by recruiter impersonators on LinkedIn. Previously, people who have responded to certain advertisem*nts have received sham interviews, and have submitted background check paperwork to phony companies.
Naturally, the background check paperwork contained valuable identity details. In at least one instance, scammers impersonated a real company, the real HR manager was forced to publicly express deep regrets regarding the phony solicitations, and prospective employees had to contend with LinkedIn identity theft.
Question domains as needed. Job seekers who receive information about an opportunity through non-company email domains or teleconference applications should question the legitimacy of the advertisem*nt.
Don’t give social engineers an easy entry point. Consistently log out of your account upon completing activities on LinkedIn. If using LinkedIn on mobile or Tablet devices, users are still advised to logout after application use.
Closely scrutinize unknown connection requests. Individuals commonly receive connection requests from those within their industry or alumni sphere. In these cases, discriminating between suspicious and legitimate connection requests can be difficult. In the evaluation process, consider whether or not you really need the connection and whether or not offense would be assumed if the request were ignored.
LinkedIn Premium members can also be fake. Avoid blindly accepting Premium users’ invitation to connect requests without first visiting their profile page.
Leverage LinkedIn’s privacy controls. Modify who can send you invitations (Privacy Settings > Communications tab), who can see changes to your profile and decide on whether or not other LinkedIn users can trace when a login has occurred. You can also uncheck the boxes for “recommended” connections and suggested companies to follow. Lastly, consider applying privacy controls around who can see your profile photo.
Turn on multi-factor authentication. Prevent LinkedIn identity theft through the application of multi-factor authentication (MFA). LinkedIn refers to this as “two-step” verification. With this authentication control enabled, the platform will send a verification code to confirm your identity in the event that the account is accessed from an unusual location, browser or device. You can either receive codes via text message or via an authentication app.
Leave third-party researchers behind. LinkedIn allows third-party researchers to parse data from LinkedIn accounts in order to engage in research on behalf of social, economic and workplace trends. However, LinkedIn offers an ‘opt out’ option. For increased privacy and security on behalf of your data and that of the organization that you work for, consider opting out.
Assess permissions for third-party access. Google, Facebook, LinkedIn and several other major tech titans offer options on smaller platforms and services that enable users to tie accounts together. This negates the toll of creating and memorizing or storing a new password, and generally makes the login process smother. To prevent LinkedIn identity theft, revoke permissions enabling other accounts to “Sign in with LinkedIn” credentials.
In order to limit sensitive information exposure, click the “me” icon near the top right corner of the site, go to Settings & Privacy > Visibility > Select specific options and preferences according to your interests and needs.
Block sponsored messages. In order to block sponsored messages, click on the “me” icon towards the top right corner of the screen > Settings & Privacy > Communications > Messages. Toggle the “Allow LinkedIn Partners to Show You Sponsored Messages” switch to “off” mode.
Seemingly sponsored messages can contain cyber security threats. For example, messages may include malicious links or malicious attachments. If you allow and open sponsored messages, cross-check message content via the sponsoring company’s website.
Apply safeguards for HTTPS links. Leverage the option that allows you to ensure that an HTTPS connection is made across all LinkedIn pages. Phony LinkedIn profiles may use the HTTP protocol; an obvious indicator of potential nefarious activity and security compromise.
Create strong passwords. Prevent LinkedIn identity theft via strong passwords. Strong passwords will prevent hackers from using “password spraying” to guess your password and from subsequently breaking into your account. Ensure that your password contains letters, numbers and symbols.
One strategy for the creation of strong passwords consists of selecting a phrase from a song, and using the first letter of each word as part of your password. Add numbers that are not your date-of-birth, your children’s year-of-birth or your house number.
Implement software. Businesses can help protect employees who are on LinkedIn by implementing strong security software. If you are in IT, explore options that enable you to help limit password reuse and that can support safe internet-based interactions.
Closing thoughts
Organizations and employees should take care to raise awareness around identity theft and to adopt measures that can prevent identity theft across LinkedIn and other social media platforms.
For more information about LinkedIn identity theft and identity management best practices, see CyberTalk.org’s past coverage. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for theCyberTalk.org newsletter.
