LinkedIn has become an essential tool for professionals to network, share knowledge, and seek career opportunities. Yet, like any popular platform, it has become a fertile ground for threat actors to exploit unsuspecting users. In fact, our research indicates it’s the #1 source — and the starting point — for nearly all social engineering attacks.
We’ve uncovered a myriad of tactics used by these malicious actors to impersonate legitimate professionals. This article aims to highlight these telltale signs, helping you stay alert and protected.
1. Company Affiliation Anomalies
It’s standard practice to link to your current company on LinkedIn. Suspicious profiles often claim an affiliation but don’t link to the actual company. Beware of slightly altered company names; this might be a tactic to avoid detection.
2. Newly Registered or Updated Profiles
Profiles that are newly registered or have recently updated photos/contact information might indicate a fresh account or an account takeover. Regular checks on your connections and their activities can help identify these anomalies.
3. Unusual Job Titles
While job titles can vary, some simply don’t fit the industry norm. Leveraging tools like Sales Navigator can help cross-check the legitimacy of titles in relation to the company.
4. Duplicate Posts
Low-effort attackers often use the same content across multiple profiles. A quick Google search can help you identify duplicate posts across the platform.
5. Lack of Nested Engagement
Real human profiles usually have more profound engagements on posts, like nested comments or reactions. Fake profiles typically only have surface-level interactions.
While interacting with one’s own post is normal, profiles that consistently react to ALL their content can raise eyebrows.
7. Pronoun Inconsistencies
Always be wary of profiles where the picture or stated pronouns don’t align with the ‘About’ narrative. This was a notable indicator during a recent wave of fake CISO profiles.
8. Group Following Patterns
Bots often follow one large LinkedIn group and a few smaller ones. It’s suspected that large groups either don’t require vetting or are perfect platforms to reshare content, boosting legitimacy. Real profiles usually follow multiple large groups or none at all.
9. Illogical Career Timelines
Profiles showcasing work that doesn’t align with real-world events, multiple overlapping job tenures, or improbable promotions should be approached with caution. A critical examination of their career trajectory can help spot these inconsistencies.
10. Company Profile Consistencies
If multiple profiles affiliated with a company seem suspicious, there’s a good chance the entire company’s representation is compromised. There’s evidence of state-level actors creating fake companies with multiple tailored profiles for more in-depth impersonation.
Want to go deeper: consider the role of OSINT, data brokers, dark web, and attacker reconnaissance in impersonation attacks
Impersonation attacks often begin with extensive reconnaissance, wherein attackers gather intelligence through Open-Source Intelligence (OSINT) techniques such as scraping data brokers, public web, and dark web information. They scour for publicly available information about their targets, such as employees, executives, or company operations.
This OSINT reconnaissance phase can include:
- Social Media Profiling: Attackers comb through social media platforms to gather personal and professional details, interests, and connections. This information helps in creating more convincing phishing lures
- Data brokers, who aggregate and sell personal data, also play a significant role. Attackers can easily find countless PII on these sites in plain text using simple Google search without even having to purchase the data. Data brokers enhance reconnaissance efforts by radically decreasing the cost of data acquisition on victims that are used to create comprehensive dossiers.
- Company Websites: Company websites provide a treasure trove of information, from organizational hierarchies to employee names and contact details. Attackers can use this data to craft convincing impersonation emails.
- Public Records: Accessing publicly available records, such as business registrations or legal documents, provides insights into an organization’s structure and operations.
- Blogs and Forums: Attackers may monitor industry-specific blogs and forums to identify potential targets or gather information about a target’s preferences and behaviors.
- Dark Web: Attackers are looking mainly for cleartext passwords (human-readable) so that they can test them in accounts such as LinkedIn. One of the best impersonated accounts on LinkedIn is a real account that is taken over by a threat actor through credential stuffing!
Once armed with this wealth of data, attackers tailor their impersonation tactics with surgical precision. They can craft LinkedIn profiles and InMails that appear not only legitimate but also highly personalized, making it extremely challenging for victims to discern the deception.
But what about “Cyber Awareness”
Awareness has a place in this conversation, but it is the second line of defense. As cybersecurity professionals, we must not only protect our data but also ensure our professional network’s integrity. Regularly reviewing your connections, staying updated with the latest threat intelligence, and being skeptical of anomalies can go a long way in maintaining a safe LinkedIn experience.
Let’s be vigilant and foster a more secure professional networking environment. Always remember: When in doubt, reach out directly to the individual or report suspicious activity to LinkedIn’s dedicated security team the same way you would ask your employees.
Threat actors are becoming more effective at impersonation. Generative AI tools power rapid target analysis and help craft convincing profiles and messages. Organizations that take this problem seriously can stay ahead of the threat and shift from detection and response to prediction and prevention, thereby reducing the flow of social engineering attacks. To protect systems and data, humans and their processes need to be protected first. This is the reason why most cybersecurity-mature organizations are taking a human-centric approach to their cybersecurity strategy.
Become a Subscriber to receive timely articles on human-centric security issues: