LinkedIn Phishing – Are your employees safe?

LinkedIn Phishing – Are your employees safe?

It all started as a harmless exchange between like-minded adults.  It was something I had experienced many times before either at work or in the privacy of my own home.  Normally I would not even have paid attention to it but it was what happened next that scared me.

I was at my desk when an email arrived with the familiar title, “Eric, please add me to your LinkedIn network”.  I normally ignore LinkedIn requests from people I don’t know but this one was different.  Alex was an executive at an oil & gas company.  He had a complete profile and a picture of him riding a bicycle.  I do not know how he found me but I assumed he had read one of my amazing blog posts ;).  Since he was in the oil & gas industry and my company sells cybersecurity and wireless mesh networking tools to utilities I decided to click Accept.

The next night Alex sent me a message thanking me for accepting his request and telling me about an amazing opportunity to sell his company’s jet fuel.  Turns out he needed help in the US and the job would pay extremely well for only 5 hours of work per week.  Within the message was a link to a job offer and another link to an overview of his company.  Now “this ain’t my first rodeo” so I reported the message as LinkedIn Phishing and blocked Alex.  (On second thought I should have had the white hat hackers in my company reply with a link to lock his computer.)

The exchange left me wondering, are companies doing enough to protect against LinkedIn Phishing?

Companies train their employees to ignore phishing emails and deploy sandboxes to protect networks.  Companies also put in protections against Facebook Phishing, normally by blocking access since Facebook is not considered a work application.  However, LinkedIn is not email and it is not Facebook, it is a great tool that professionals use to expand their networks.  For this reason companies do not have LinkedIn Phishing protections but rather encourage their employees to connect with as many people as possible.

So what can companies do?

Since this came over the LinkedIn messaging system it is unlikely that it would have been caught by a spam filter, and, even if it was, an employee could still access the message from the LinkedIn website. This means that in order to prevent LinkedIn Phishing a company would have to block all of LinkedIn.  Additionally, this was not a bulk email phishing attempt that could be tracked, but rather a concerted spear phishing effort by someone who connected one day and then came back the next day to phish.  LinkedIn could solve this problem, and I am sure they are working on it, but until then the only solution seems to be employee training.

Or, I could be completely wrong, Alex is real, and I just missed the opportunity to get into the fast growing jet fuel market.

 

Eric Sharret is Vice President of Business Development at TELEGRID.  TELEGRID has unique expertise in secure authentication, PKI and Multi-Factor Authentication (MFA).

Disclaimer: The opinions expressed here do not represent those of TELEGRID Technologies, Inc.  The Company will not be held liable for any errors, omissions, or delays in this information or any losses, injuries, or damages arising from its display or use.  All information is provided on an as-is basis.