Don’t fall for this social media email phishing scam

July 26, 2019

By Kim Komando

Of all of the schemes deployed by hackers and cybercriminals, phishing has to be the most effective, pervasive and dangerous. It relies on tricking users into willingly giving up their login information, and has led to numerous cases of identity theft and data loss. It’s even at the core of many cases of corporate espionage and election interference — which goes to show that even some of the most powerful entities on Earth aren’t completely immune to the tactic.That said, researchers are constantly probing the most common phishing techniques in order to help businesses and individuals protect themselves more effectively. After observing phishing efforts for several months, a cybersecurity training organization came to the conclusion that over half of the phishing emails are targeting one social network in particular: LinkedIn.Of all of the social networks on the web, why is LinkedIn singled out as a hotbed of phishing activity? Why not Facebook — the most popular network of all? Well, believe it or not, there’s a good reason why LinkedIn is a prime focus for cybercriminals, and we’ll be breaking down why you should think twice before clicking any email invitations to join someone’s LinkedIn network.

Hotspot, target, or both?

KnowBe4, a popular cybersecurity and phishing defense training firm, recently compiled a substantial report on phishing attacks and techniques during the second quarter of 2019. According to their findings, LinkedIn accounted for 56% of all phishing email subject lines.This means that more than half of the phishing attempts (which are up 75% compared to last year at this time) tried to hijack the LinkedIn logins of the users they targeted.These phishing emails typically take the form of an invitation, where another LinkedIn user invites the victim to “join their network on LinkedIn.” This is the normal method that LinkedIn allows for networking, so the tactic can easily fly under the radar for the uninitiated.Once a victim clicks on the spoofed link found inside the phishing email, they’ll be asked to log into LinkedIn — but the login fields aren’t real. Instead, the page captures the username and password the victim inputs, and saves it to a database for exploitation (and possibly to sell on the dark web).Because of how routine the entire operation can feel, the scourge of phishing is often under-reported and highly effective.

But why LinkedIn?

Knowing this is all well and good, but it begs the question as to why LinkedIn of all places is such a big target for cybercriminals? Logically, you’d assume they’d try to go for Facebook, which boasts a much larger user base — and by extension, a much larger pool of folks who aren’t particularly computer savvy. Related: Warning! Convincing fake email from Apple could drain your account Well, there’s similar logic at play for LinkedIn. The platform’s entire operation is based on sending invitations for networking — which perfectly fits the modus operandi of phishing schemes.In addition, the user base of LinkedIn tends to skew older and professional. This means that many of the skilled businesspeople on the platform may not be computer experts or even know the ins and outs of phishing. This plays right into the hands of cybercriminals who are looking to take advantage of as many trusting victims as possible.

How to spot a fake

In light of these findings, it bears repeating that phishing emails are only effective when you click on them. Unfortunately, many phishing emails are extremely polished and realistic looking — which makes it hard to distinguish a fake from the genuine article.There are a few red flags you can keep an eye out for, though.For starters, before clicking any links in an email you received, make sure to always check the sender. If the sender isn’t from LinkedIn.com, it’s not to be trusted. Similarly, unusual spelling and grammar can point to coming from cybercriminals, so make sure that the email you’re reading makes sense and isn’t clumsily composed in terms of language.To save yourself the most trouble, however, it’s best you avoid reading or responding to LinkedIn invites from people you don’t know. While growing a professional network can be beneficial, LinkedIn is still, at its core, a social network.Still, if you absolutely want to confirm that the requests you received are legitimate, check your inbox on LinkedIn proper rather than responding to or clicking out of an email invitation. If the request is real, you’ll see it in your LinkedIn inbox as well.When it comes to phishing, your wits and vigilance are your best protection. Knowing the difference between what’s real and what’s predatory will save you from identity theft every single time. Just make sure that every sender is who they say they are, and your business networking should be safe from harm.