Firms at risk from staff accepting random LinkedIn connection requests Posted by Damien Biddulph on Tue 28th Jun 2016
Crooks use connection information to craft phishing emails
UK staff are putting their companies at risk of phishing attacks because they are too willing to accept connection requests from strangers on LinkedIn.
A survey of 2,000 workers by Intel Security found that around 24 per cent admitted to accepting requests from people they don't know, exposing company information to attackers.
Crooks can target phishing campaigns more effectively by using the information that LinkedIn connections expose: a connected profile reveals who reports to whom, who works with whom, and which colleagues a senior executive would expect to hear from, all of which makes a spoofed request far more convincing.
Phishing attacks targeting the CEO often take advantage of this, as Raj Samani, EMEA chief technology officer at Intel Security, explained.
"Social networking sites are a treasure trove of data used by malicious actors to research potential targets for attack, not only requesting to connect with senior executives but also with as many junior or mid-level employees at a company as possible," he said.
"They then target senior-level execs, using their existing connections with colleagues as proof of credibility by leveraging the principle of social validation. Once these connections are in place they can launch a targeted phishing campaign.
"For example, it could well be used as a precursor to a CEO fraud attack, a type of attack that continues to affect more victims and lead to even greater financial losses."
A recent example of this cost the CEO of an Austrian manufacturer his job (and his company $40m) after he approved a payment that he believed to have come from another senior member of staff.
Abby Ewen, IT director at law firm BLM, recently told Computing that her organisation had experienced a determined phishing attack that used LinkedIn as the precursor.
"We had one this week, a scam email passed to me by a partner, and the person who sent [the scam mail] had connected with the partner on LinkedIn prior to sending the email. LinkedIn was used as the front door into the scam," she said.
Samani warned that companies should train staff to be aware of this tactic.
"Companies are falling for tricks by cyber criminals who get in contact using details skimmed from the internet to legitimise their own fake profile in order to better target businesses," he said.
"When a person in a similar industry to us, or a recruiter, requests to connect on LinkedIn, it may look harmless, but hackers prey on this as a means to target senior-level professionals and ultimately the corporate network."