UK companies need to have a policy on social media, warns Intel Security as a survey reveals that more than one in five employees admit they connect with strangers on LinkedIn.
This practice potentially hands a wealth of personal and organisational information to attackers researching targets for a highly effective spear phishing attack.
“When a person in a similar industry to us, or a recruiter, requests to connect on LinkedIn, it may look harmless, but hackers prey on this as a means to target senior-level professionals and ultimately the corporate network,” said Raj Samani, CTO for Europe at Intel Security.
He described social networking sites as a “treasure trove” of data used by malicious actors to research potential targets for attacks.
A common way for attackers to harvest this personal data is to send connection requests to as many senior executives, mid-level staff and even junior employees as possible.
“They then target senior-level execs, using their existing connections with colleagues as proof of credibility by leveraging the principle of social validation,” said Samani.
“Once these connections are in place, they can launch a targeted phishing campaign. For example, it could well be used as a precursor to a CEO fraud attack, a type of attack that continues to affect more victims and lead to even greater financial losses, according to assessments by the FBI.”
Samani expressed concern that many company employees are not aware of CEO fraud scams, in which employees are tricked into helping cyber criminals by emails that appear to come from the CEO or another senior executive. Such attacks typically rely on email spoofing and are a form of business email compromise (BEC); the closely related term whaling describes phishing aimed at the senior executives themselves.
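The spoofing described above usually shows up in one of a few ways: a trusted display name on an external address, a Reply-To that quietly redirects the conversation, or an internal-looking sender that fails SPF/DKIM/DMARC. The following Python check is an added example written for this page, not code from the article or from Intel Security; the organisation name, executive list and the three sample messages are constructed for illustration.

```python
"""Flag CEO-fraud style sender spoofing in a raw RFC 822 message.

Added example (not from the article). The corporate domain, executive
roster and sample messages below are constructed, not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data.
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox


def auth_results(msg):
    """Return {spf|dkim|dmarc: verdict} from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[mech.lower()] = verdict.lower()
    return results


def check_message(raw):
    """Return a list of human-readable findings; an empty list means clean."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Executive display name paired with an address that is not theirs
    #    (covers free-mail senders and lookalike domains alike).
    name_key = display.strip().lower()
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        findings.append(
            f"display name '{display}' matches {EXECUTIVES[name_key]} "
            f"but sender address is {addr}"
        )

    # 2. Reply-To pointing somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. A sender claiming to be internal must pass authentication.
    auth = auth_results(msg)
    if domain == CORPORATE_DOMAIN:
        for mech in ("spf", "dkim", "dmarc"):
            if auth.get(mech) != "pass":
                findings.append(
                    f"{mech} not passing for internal sender "
                    f"({auth.get(mech, 'missing')})"
                )
    return findings


# Constructed sample messages.
SPOOFED_EXTERNAL = (
    'From: "Jane Doe" <ceo.jane.doe@gmail.com>\n'
    "Reply-To: jane-doe-urgent@outlook.com\n"
    "Subject: Urgent wire transfer\n\nPlease handle this quietly today.\n"
)
FORGED_INTERNAL = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Authentication-Results: mx.example.com; spf=fail "
    "smtp.mailfrom=example.com; dkim=none\n"
    "Subject: Invoice approval\n\nApprove the attached invoice.\n"
)
LEGITIMATE = (
    'From: "Jane Doe" <jane.doe@example.com>\n'
    "Authentication-Results: mx.example.com; spf=pass "
    "smtp.mailfrom=example.com; dkim=pass header.d=example.com; "
    "dmarc=pass header.from=example.com\n"
    "Subject: Board pack\n\nSee attached.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EXTERNAL),
                       ("forged", FORGED_INTERNAL),
                       ("legit", LEGITIMATE)):
        print(label, check_message(raw) or "clean")
```

The display-name check is deliberately strict: a matching executive name on any address other than the known mailbox is flagged, so a lookalike domain such as a registered misspelling is caught without maintaining a blocklist. In production the executive roster would come from the directory and the authentication verdicts from the gateway's own headers rather than trusting whatever the message carries.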
More than two-thirds of respondents to the Intel Security survey admitted they had never considered that someone on LinkedIn may not be who they claim to be, while the vast majority said their employer had never made them aware of any specific corporate policies around LinkedIn use.
As more millennials enter the workplace, businesses need to take such risks more seriously, said Samani.
The survey reveals that 71.5% of 18-24-year-olds had never questioned whether a LinkedIn contact is who they claim to be, which Samani said presents a significant risk to the corporate network.
According to Samani, a LinkedIn user with malicious intentions who can show even one or two shared connections may quickly enter a highly influential circle within the network, because those mutual contacts encourage other high-status executives to accept the connection too.
“Employees often expose their own accounts – and therefore their company data – to threats without realising it,” he said. “Businesses must educate all members of staff on how to avoid common scams, including making them aware of the risks of opening unknown attachments in messages or clicking on unknown links.”
Businesses cannot afford to ignore employee training and leave staff to connect with questionable individuals masquerading as peers on LinkedIn, said Samani.
“Relatively unskilled cyber criminals may find that connecting with employees through a business-oriented social networking service offers them just the ‘in’ they were looking for,” he said.