Cybercriminals have always been actively looking for methods to breach security and acquire information that can be used as leverage over the victims. Due to the recent transition in the job market where individuals are always on the lookout for new and better opportunities, attackers have found a new method to exploit the vulnerabilities of jobseekers. The recent LinkedIn phishing attacks have proven how unguarded LinkedIn users are to such attacks.
The Impact of the Great Resignation
The Great Resignation phenomenon is not only a result of the pandemic. It also results from the increasing job dissatisfaction that the current employees face. There is a disequilibrium of the demand and supply of jobs in the current job market, where many have been rendered jobless due to the pandemic. This has led to talent acquisition at lower salary rates and a higher workload. Consequently, this decreased job satisfaction and jobseekers sought out desperate methods for better opportunities.
LinkedIn is one of the most widely known platforms for job seekers to be proactive and find opportunities from renowned organizations that match their skills. LinkedIn is known to have over 800 million members from over 200 countries. With a loss of livelihood due to the global pandemic and the availability of many vacant positions at several organizations, a rash and reckless behavior pattern on the part of the job seekers has been observed. The jobseekers started clicking on email links without properly checking their authenticity, and some even entered their sensitive information on sketchy sites. The cyber attackers utilized this to their advantage.
The LinkedIn Phishing Attack
Email phishing is an old technique that cybercriminals have been using for decades to acquire information from the victims. However, the recent LinkedIn phishing attacks that scraped data from hundreds of accounts by using the “impersonation technique” have shown the weak points that might still be present. According to Egress, in February of 2022 alone, the percentage of LinkedIn phishing attacks reported has risen by 232%.
In the recent LinkedIn phishing attack, the attackers used the simple method of impersonating LinkedIn as the email’s display name. After impersonating these organizations, the attackers sent emails to LinkedIn users. These emails included subject lines that are the same as those of the emails sent by LinkedIn, such as “you appeared in 5 searches this week” or “your profile matches this job.” While these subject lines seem lucrative, if you are not checking the email’s authenticity, you might just be entering your credentials on a fake LinkedIn site. These emails copy not only the display name of LinkedIn but also the company logo and font. There are even “unsubscribe” links that will take you to a landing page similar to that of LinkedIn and ask you to enter your account details. Thus, the only method you can distinguish it from the actual LinkedIn email is by checking the webmail address.
Implications of the Data Scraping
Cybercriminals try to acquire user information in bulk, something that can increase website traffic multiple times compared to regular traffic of that website. If a scraping attack is launched on a website, the information of several users can be acquired through the automation process. This information can then be used to launch a large-scale cyber attack. Imperva stated that it blocked a large-scale automated attack carried out by over 400 million automated requests with over 400,000 unique IP addresses. Most of the IP addresses that were utilized during this attack were designed to forego detection.
When data scraping is performed on websites such as LinkedIn, a lot of users’ information can be acquired by the attacker. This information, which is readily available for organizations that are seeking talents in the required fields, when in the hands of the can act as a user disadvantage in social engineering attacks. This information, along with the details of your contact and the messages exchanged, can also be sold to other websites and cause harm to LinkedIn in the long run.
Methods to Safeguard Yourself
Phishing attacks, as mentioned above, are becoming more and more specialized over the years, and the attackers are becoming very precise with their attack methods. Nevertheless, this is not a reason to stop using networking platforms, especially one as efficient as LinkedIn. Thus, one way to keep taking advantage of the platform while not being victimized by such attacks is to safeguard yourself through awareness. There are several methods that are highlighted by cyber security specialists and LinkedIn itself that can help you apply strategies to help you keep yourself safe.
- One of the best methods to safeguard your LinkedIn profile is to turn on two-step verification for your account. LinkedIn advises its users to turn on their 2 step-verification so that they can receive immediate notification in case an attacker tries to log in to their account. This can help them change their passwords and safeguard their account immediately.
- Another method to save yourself from being a victim of the LinkedIn phishing attack in particular and email phishing attack, in general, is to never click on the email links. Many professionals in the cyber security field state that it is safer if you visit the website or the platform directly if you want to check the notifications. You can also check the sender’s email ID and website link before entering any information on the website. If the website link seems sketchy and does not match the real website, you can report that email. LinkedIn advises its users to send an email to email@example.com in case they come across such incidents.
With rising phishing and cyberattacks, it has become pertinent that one learns to protect their information assets. The above case of the LinkedIn Phishing scheme is one of many that are floating around the internet, and all it takes is one wrong click for a threat actor to get their hands on your confidential information. Thus, while you make yourself aware of the latest tricks and techniques used by malicious actors to dupe you, it is also crucial to have tools and such solutions in place such as anti-phishing and anti-malware ones to ensure more comprehensive protection against today’s cyber threats.