LinkedIn is still the most trusted social platform according to the 2020 Digital Trust Report. It has consistently ranked number 1, ahead of other social media giants like Facebook and Twitter, for years.
According to many consumers, the platform for the world’s business community is the one people are most confident in storing their private data securely. But how much can you really trust LinkedIn?
Has LinkedIn Ever Had a Major Data Breach?
LinkedIn isn’t immune to data leaks. In fact, a monster breach in 2012 first believed to have leaked 6.5 million account credentials, turned out to be much worse.
The initial leak that contained 6.5 million account passwords was initially posted in a Russian cybercrime forum in 2012. LinkedIn confirmed the breach and encouraged users to change their passwords. But years later, they found out that it was just the tip of the iceberg.
In 2016, a hacker named "Peace" peddled the rest of the stolen LinkedIn credentials on the dark web. The hacker claimed to have had the information of 167 million LinkedIn users. It was reported that 90% of the unsalted passwords were cracked within 72 hours.
With regular online security breaches reported, you're doubtless concerned about how websites look after your password. In fact, for peace of mind, this is something everyone needs to know…
Why Do Cybercriminals Target LinkedIn?
Aside from the massive data leak, LinkedIn has become a favorite among cybercriminals since profiles contain a goldmine of information about organizations.
And since many users trust LinkedIn so much, they include very specific details about their careers in their profiles. This makes it easy to craft all sorts of phishing campaigns that target people and companies.
LinkedIn Scams Sent to Your Email
Many phishing scams are done outside the platform. Gangs pretend to work for LinkedIn and craft emails, complete with LinkedIn’s logo, to steal information from users.
These emails usually have a link to a fake website that’s designed to harvest your information or download malicious software to your device.
Do not click on links in emails. If you're not sure, sign into your account using a different tab, browser, or device.
Emails Asking You to Validate Your Account
Aside from the usual security alerts that warn you of a login attempt from an unknown device, there’s the fake phishing email asking you to confirm your email.
These often say that the platform has been upgraded and that you need to validate your account. You will be given a link and told to validate the account within 72 hours or "LinkedIn will shut down unconfirmed accounts".
But the link does not lead to a LinkedIn site: you can see this when you hover over it with your mouse.
There’s also a phishing email that warns you about LinkedIn deactivating your account because of inactivity.
Fake Contact Requests
LinkedIn phishing emails may even contain fake requests. You’ll get an email alerting you of a contact request from someone on LinkedIn.
It will include a button that should allow you to approve the request; hover over it and you’ll see that it links to a site outside LinkedIn.
Some sophisticated scams use URL spoofing to make the link look more legit. So it's worth repeating: don't click links in emails. Any real requests will be waiting for you when you sign into the genuine LinkedIn.
What Are the Most Common LinkedIn Scams?
The more nefarious types of scams are launched by operators who infiltrate the platform. They create fake profiles, send contact requests, and communicate via LinkedIn messaging or LinkedIn InMail.
Many of these are successful because it’s still easy to make a fake profile on LinkedIn and people trust the platform, so they automatically assume everyone there’s legit.
The most common scams done in-app are job scams. Since LinkedIn is often used to search for jobs, hackers exploit their desperation by posing as fake recruiters.
They will create a fake profile, reach out to job seekers via InMail or message, and then offer high-paying jobs that require little work.
Some study your profile and offer you jobs based on your credentials to make the scam more effective. One of the most common scams will offer users the chance to be a mystery shopper or a work-from-home personal assistant.
Most send you a link to a fake site that’s designed to harvest your information.
Other fakes ask you to download an attachment with what's supposed to be the full job description. Others will say the attachment is an application form you need to fill out and send back. Once you open the attachment though, malware will download onto your system.
What is the Mystery Shopper Scam?
In a most peculiar turn, I just received a LinkedIn message from @SekouSmithNBA asking me to become a mystery shopper. While I appreciate Sekou's attempt to steer me toward a lucrative career, I prefer to be an obvious and visible shopper. pic.twitter.com/u4bM3z48OI— Kent Sterling (@KentSterling) November 15, 2018
Some of these job scams can be so elaborate and convincing that people end up losing thousands of dollars.
The mystery shopper scam, for example, works by sending an unsuspecting LinkedIn user a message offering them a job as a secret shopper.
The scammers then send a check the victims have to deposit into their bank account. They will be told to deduct their commission and use the rest to either buy reloadable cards and gift cards or test the in-store money transfer service.
Scammers instruct the victim to send some of the money they deposited via the in-store Western Union or MoneyGram service. If they were asked to buy gift cards, they’ll have to send the numbers on the cards.
Fast forward to a few days later, the victim will receive a message from their bank telling them that the check they deposited was fake and so the money will be clawed back from the account.
Fake LinkedIn Profiles Used for Phishing
Cybercriminals also create fake profiles to study your credentials and those of your contacts for a targeted phishing campaign.
Such campaigns like spear phishing, whaling, and CEO fraud phishing are more complicated compared to your run-of-the-mill fraudulent emails. These are targeted to make them more effective and hackers will need to study the organization or person before the attack.
One of the easiest ways to get information about an organization and its employees is by studying LinkedIn profiles. And by accepting a contact request from a hacker, you give them access to information on your profile and your contacts.
Being your contact also makes them look legit and trustworthy.
How to Spot a Fake LinkedIn Profile
There are tell-tale signs that a profile may be fake—one of which is having very little information and too few contacts (usually less than or a little over 100).
Another sign is having zero or very little engagement. You can check under recommendations in their profile to see what former colleagues have to say about the person... or if they have former colleagues at all.
You can check under the "Activity" section in their profile to see past posts, engagements, comments, and interactions with other users. Lack of interaction will often be a sign that no one else knows this person or that the profile is new.
Some will have no photo at all but most have one that’s stolen, at times from stock image sites. To check if the photo has been lifted from elsewhere online, you can do a quick reverse image search. Here’s a helpful list of apps and sites that will help you do that.
What Security Measures Does LinkedIn Have?
After the 2012 breach, LinkedIn rolled out a few security features to help protect their users’ data. Before the breach, LinkedIn used a password database system with plain hashes that were easily cracked so they switched to a system that both hashed and salted passwords.
They soon enabled Two-Factor Authentication (2FA), allowing users to thwart unauthorized log-in attempts with an extra code they need to enter.
An extra security tab lets users see their active sessions. Through this feature, users can check the devices currently logged into their LinkedIn account including details about the device, i.e. approximate location, browser, OS, and IP address. You can log out of any if you don’t recognize them.
LinkedIn also introduced the block user feature. Using this, you can choose to hide profiles and stop receiving messages (and pesky spam) from certain users.
LinkedIn URL Detector and Automated Fake Account Detection
To protect users against phishing campaigns, LinkedIn now uses a back-end service that scans all user-generated content for malware, phishing, and other dangerous content. They run their URL Detector algorithm through large pieces of text to check for URLs.
Aside from the URL detector, LinkedIn uses a fake account detection system that identifies profiles controlled by hackers. New user registration attempts are evaluated by a machine-learned model that prevents bulk fake account creation. Most cybercrime campaigns involve making multiple fake accounts and they are intercepted by the system.
Smaller batches of fake accounts are filtered using other methods including human intervention. Users can report suspicious activity on the site or sketchy profiles.
Can You Trust People on LinkedIn?
Just like any other social media platform, LinkedIn is not immune to data leaks and attacks by cybercriminals. Even with security measures in place, some attacks can remain undetected by LinkedIn’s systems, and it's up to you to protect yourself.
Check your security settings, enable 2FA, and review profiles before you accept invitations to connect. Just because it’s supposedly the site for professionals doesn’t mean you can let your guard down.
Need a break from LinkedIn? Here's everything you need to know about deleting or deactivating your LinkedIn account.